[nsp-sec] Juniper Networks advisory re SNMPv3
Smith, Donald
Donald.Smith at qwest.com
Tue Jun 10 15:56:00 EDT 2008
Which snmpd does JUNOS use?
The reason I ask is net-snmp is often included with various flavors of
BSD.
The reason I ask you is you appear to have built it;)
SNMPD release 7.4I0 built by pgoyette on 2007-12-13 04:57:17 UTC
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Paul Goyette
> Sent: Tuesday, June 10, 2008 12:23 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Juniper Networks advisory re SNMPv3
>
> ----------- nsp-security Confidential --------
>
> Looks like Juniper got lucky this time. Only one of our
> products is affected, and it's probably not widely used
> in the Service Provider space...
>
> PSN-2008-06-005
> Title: Authentication vulnerability in some
> implementations of SNMPv3 (CERT/CC
> VU#878044)
> Products Affected: C-series Session and Resource Control
> appliances
> Platforms Affected: SRC Software
>
> Issue
> -----
> Certain implementations of SNMPv3 have a minor deficiency
> in the way HMAC authentication is performed. This can lead
> to isolated cases of spoofed SNMPv3 authentication.
>
> This issue is tracked in TIC.14989 and TIC.14990 for the
> C-series Session and Resource Control appliances running
> SRC. US-CERT has assigned VU#878044 to track this
> vulnerability.
>
> No other Juniper Networks products are affected by this
> vulnerability.
>
> Solution
> --------
> The code has been modified to properly perform HMAC
> authentication. These modifications eliminate this method
> of being erroneously authenticated to the device.
>
> Solution Implementation
> -----------------------
> Customers running SRC 1.0.0, 1.0.1, or 2.0.0 should contact
> Juniper Networks Customer Support to obtain updated versions
> of the software for the C-series platform. Customers
> utilizing a C-series Session and Resource Control appliance
> should upgrade their software to a release dated after June
> 13, 2008.
>
> Workarounds
> -----------
> There are several mitigation techniques available to avoid
> this authentication vulnerability:
>
> * Disable SNMPv3 on the affected device.
> * Restrict access to SNMPv3 via access lists.
>
> Disclaimer
> ----------
> Juniper Networks is providing this notice on an "AS IS" basis.
> No warranty or guarantee of any kind is expressed in this
> notice and none should be implied. Juniper Networks expressly
> excludes and disclaims any warranties regarding this notice or
> materials referred to in this notice, including, without
> limitation, any implied warranty of merchantability, fitness
> for a particular purpose, absence of hidden defects, or of
> noninfringement. Your use or reliance on this notice or
> materials referred to in this notice is at your own risk.
> Juniper Networks may change this notice at any time.
>
>
> Paul Goyette
> Juniper Networks Customer Service
> JTAC Senior Escalation Engineer
> Juniper Security Incident Response Team
> PGP Key ID 0x53BA7731 Fingerprint:
> FA29 0E3B 35AF E8AE 6651
> 0786 F758 55DE 53BA 7731
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
>
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
More information about the nsp-security
mailing list