[nsp-sec] Juniper Networks advisory re SNMPv3
Paul Goyette
pgoyette at juniper.net
Tue Jun 10 14:22:38 EDT 2008
Looks like Juniper got lucky this time. Only one of our
products is affected, and it's probably not widely used
in the Service Provider space...
PSN-2008-06-005
Title: Authentication vulnerability in some implementations of SNMPv3 (CERT/CC VU#878044)
Products Affected: C-series Session and Resource Control appliances
Platforms Affected: SRC Software
Issue
-----
Certain implementations of SNMPv3 have a minor deficiency
in the way HMAC authentication is performed. This can lead
to isolated cases of spoofed SNMPv3 authentication.
This issue is tracked in TIC.14989 and TIC.14990 for the
C-series Session and Resource Control appliances running
SRC. US-CERT has assigned VU#878044 to track this
vulnerability.
No other Juniper Networks products are affected by this
vulnerability.
Solution
--------
The code has been modified to properly perform HMAC
authentication. These modifications eliminate this method
of being erroneously authenticated to the device.
Solution Implementation
-----------------------
Customers running SRC 1.0.0, 1.0.1, or 2.0.0 should contact
Juniper Networks Customer Support to obtain updated versions
of the software for the C-series platform. Customers
utilizing a C-series Session and Resource Control appliance
should upgrade their software to a release dated after June
13, 2008.
Workarounds
-----------
There are several mitigation techniques available to avoid
this authentication vulnerability:
* Disable SNMPv3 on the affected device.
* Restrict access to SNMPv3 via access lists.
Disclaimer
----------
Juniper Networks is providing this notice on an "AS IS" basis.
No warranty or guarantee of any kind is expressed in this
notice and none should be implied. Juniper Networks expressly
excludes and disclaims any warranties regarding this notice or
materials referred to in this notice, including, without
limitation, any implied warranty of merchantability, fitness
for a particular purpose, absence of hidden defects, or of
noninfringement. Your use or reliance on this notice or
materials referred to in this notice is at your own risk.
Juniper Networks may change this notice at any time.
Paul Goyette
Juniper Networks Customer Service
JTAC Senior Escalation Engineer
Juniper Security Incident Response Team
PGP Key ID 0x53BA7731 Fingerprint:
FA29 0E3B 35AF E8AE 6651
0786 F758 55DE 53BA 7731