[nsp-sec] Cisco Security Advisory: SNMP Version 3 Authentication Vulnerabilities

Tue Jun 10 13:54:57 EDT 2008

On Tue, 10 Jun 2008, Cisco Systems Product Security Incident Response Team wrote:

> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Cisco Security Advisory: SNMP Version 3 Authentication
> Vulnerabilities
>
> Document ID: 107408
>
> Advisory ID: cisco-sa-20080610-snmpv3
>
> http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
>
> Revision 1.0
>

<snip>

>
> Details
> =======
>
> SNMP defines a standard mechanism for remote management and
> monitoring of devices in an Internet Protocol (IP) network.
>
> There are three general types of SNMP operations: "get" requests to
> request information, "set" requests that modify the configuration of
> a remote device, and "trap" messages that provide a monitoring
> function. SNMP requests and traps are transported over User Datagram
> Protocol (UDP) and are received at the assigned destination port
> numbers 161 and 162, respectively.
>
> SNMPv3 provides secure access to devices by authenticating and
> encrypting packets over the network. RFC2574 defines
> the use of HMAC-MD5-96 and HMAC-SHA-96 as the possible authentication
> protocols for SNMPv3.
>
> Vulnerabilities have been identified in the authentication code of
> multiple SNMPv3 implementations. This advisory identifies two
> vulnerabilities that are almost identical. Both are specifically
> related to malformed SNMPv3 packets that manipulate the Hash Message
> Authentication Code (HMAC). The two vulnerabilities may impact both
> Secure Hashing Algorithm-1 (SHA-1) and Message-Digest Algorithm 5
> (MD5). The vulnerabilities described in this document can be
> successfully exploited using spoofed SNMPv3 packets.
>
> These vulnerabilities are documented in the following Cisco Bug IDs:
>
>  * CSCsf04754 - IOS SNMPv3 HMAC Authentication issue
>  * CSCsf30109 - IOS-XR SNMPv3 HMAC Authentication issue
>  * CSCsf29976 - CatOS SNMPv3 HMAC Authentication issue
>  * CSCsq62662 - ACE XML Gw SNMPv3 HMAC Authentication issue
>  * CSCsq60664 - ACE Appliance SNMPv3 HMAC Authentication issue
>  * CSCsq60695 - ACE Module SNMPv3 HMAC Authentication issue
>  * CSCsq60582 - Nexus SNMPv3 HMAC Authentication issue
>
> Note:  Although multiple software defects are listed, this advisory
> only identifies two vulnerabilities. Because different Cisco products
> require their own fixes, additional Bug IDs have been assigned.

<snip>

> |------------+-------------+-------------|
> |            | 12.0(28)S1  |             |
> |            |             |             |
> | 12.0S      | 12.0(32)S5  |             |
> |            |             |             |
> |            | 12.0(33)S   |             |
> |------------+-------------+-------------|

hurray for LI functionality available via snmpv3 only!!!