[nsp-sec] Juniper Networks advisory re SNMPv3

Paul Goyette pgoyette at juniper.net
Tue Jun 10 16:30:12 EDT 2008 

I didn't actually build it, I just invoked the standard
"build everything" script!  (And in the future, I'll be
changing my name to 'jtac-builder' to avoid confusion
and liability :)  !)

All of our released software uses the Epilogue SNMP 
library.  We've switching to net-snmp in 9.2 IIRC.

Paul Goyette
Juniper Networks Customer Service
JTAC Senior Escalation Engineer
Juniper Security Incident Response Team
PGP Key ID 0x53BA7731 Fingerprint:
  FA29 0E3B 35AF E8AE 6651
  0786 F758 55DE 53BA 7731 

> -----Original Message-----
> From: Smith, Donald [mailto:Donald.Smith at qwest.com] 
> Sent: Tuesday, June 10, 2008 12:56 PM
> To: Paul Goyette; nsp-security at puck.nether.net
> Subject: RE: [nsp-sec] Juniper Networks advisory re SNMPv3
> 
> Which snmpd does JUNOS use?
> The reason I ask is net-snmp is often included with various flavors of
> BSD.
> 
> The reason I ask you is you appear to have built it;)
> SNMPD release 7.4I0 built by pgoyette on 2007-12-13 04:57:17 UTC
> 
> 
> 
> Security through obscurity WORKS against some worms and ssh attacks:)
> Donald.Smith at qwest.com giac 
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net 
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> > Paul Goyette
> > Sent: Tuesday, June 10, 2008 12:23 PM
> > To: nsp-security at puck.nether.net
> > Subject: [nsp-sec] Juniper Networks advisory re SNMPv3
> > 
> > ----------- nsp-security Confidential --------
> > 
> > Looks like Juniper got lucky this time.  Only one of our
> > products is affected, and it's probably not widely used
> > in the Service Provider space...
> > 
> > 	PSN-2008-06-005 
> > 	Title:              Authentication vulnerability in some 
> > 	                    implementations of SNMPv3 (CERT/CC 
> > 	                    VU#878044) 
> > 	Products Affected:  C-series Session and Resource Control 
> > 	                    appliances 
> > 	Platforms Affected: SRC Software 
> >  
> > 	Issue
> > 	-----
> > 	Certain implementations of SNMPv3 have a minor deficiency 
> > 	in the way HMAC authentication is performed. This can lead 
> > 	to isolated cases of spoofed SNMPv3 authentication. 
> > 
> > 	This issue is tracked in TIC.14989 and TIC.14990 for the
> > 	C-series Session and Resource Control appliances running 
> > 	SRC. US-CERT has assigned VU#878044 to track this 
> > 	vulnerability. 
> > 
> > 	No other Juniper Networks products are affected by this 
> > 	vulnerability. 
> > 
> > 	Solution
> > 	--------
> > 	The code has been modified to properly perform HMAC 
> > 	authentication. These modifications eliminate this method 
> > 	of being erroneously authenticated to the device. 
> > 
> > 	Solution Implementation
> > 	-----------------------
> > 	Customers running SRC 1.0.0, 1.0.1, or 2.0.0 should contact 
> > 	Juniper Networks Customer Support to obtain updated versions 
> > 	of the software for the C-series platform. Customers 
> > 	utilizing a C-series Session and Resource Control appliance 
> > 	should upgrade their software to a release dated after June 
> > 	13, 2008. 
> > 
> > 	Workarounds
> > 	-----------
> > 	There are several mitigation techniques available to avoid 
> > 	this authentication vulnerability: 
> > 
> > 	* Disable SNMPv3 on the affected device. 
> > 	* Restrict access to SNMPv3 via access lists. 
> > 
> > 	Disclaimer
> > 	----------
> > 	Juniper Networks is providing this notice on an "AS IS" basis. 
> > 	No warranty or guarantee of any kind is expressed in this 
> > 	notice and none should be implied. Juniper Networks expressly 
> > 	excludes and disclaims any warranties regarding this notice or 
> > 	materials referred to in this notice, including, without 
> > 	limitation, any implied warranty of merchantability, fitness 
> > 	for a particular purpose, absence of hidden defects, or of 
> > 	noninfringement. Your use or reliance on this notice or 
> > 	materials referred to in this notice is at your own risk. 
> > 	Juniper Networks may change this notice at any time. 
> >  
> > 
> > Paul Goyette
> > Juniper Networks Customer Service
> > JTAC Senior Escalation Engineer
> > Juniper Security Incident Response Team
> > PGP Key ID 0x53BA7731 Fingerprint:
> >   FA29 0E3B 35AF E8AE 6651
> >   0786 F758 55DE 53BA 7731
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the 
> > nsp-security
> > community. Confidentiality is essential for effective 
> > Internet security counter-measures.
> > _______________________________________________
> > 
> > 
> 
> 
> This communication is the property of Qwest and may contain 
> confidential or
> privileged information. Unauthorized use of this 
> communication is strictly 
> prohibited and may be unlawful.  If you have received this 
> communication 
> in error, please immediately notify the sender by reply 
> e-mail and destroy 
> all copies of the communication and any attachments.
>

More information about the nsp-security mailing list