[NEWS] SNMP Version 3 Authentication Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 15 Jun 2008 16:44:39 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SNMP Version 3 Authentication Vulnerabilities
Multiple Cisco products contain either of two authentication
vulnerabilities in the Simple Network Management Protocol version 3
(SNMPv3) feature. These vulnerabilities can be exploited when processing a
malformed SNMPv3 message. These vulnerabilities could allow the disclosure
of network information or may enable an attacker to perform configuration
changes to vulnerable devices. The SNMP server is an optional service that
is disabled by default in Cisco products. Only SNMPv3 is impacted by these
vulnerabilities. Workarounds are available for mitigating the impact of
the vulnerabilities described in this document.
* Cisco IOS
* Cisco IOS-XR
* Cisco Catalyst Operating System (CatOS)
* Cisco NX-OS
* Cisco Application Control Engine (ACE) Module
* Cisco ACE Appliance
* Cisco ACE XML Gateway
* Cisco MDS 9000 Series Multilayer Fabric Switches
Note: The SNMP server is disabled by default. These vulnerabilities only
impact devices that are configured for SNMPv3.
To determine the version of SNMP configured in Cisco IOS, CatOS and
IOS-XR, log in to the device and issue the show snmp group command. The
security model field indicates the version of SNMP configured. The output
"usm" is the abbreviation for user-based security model and this indicates
SNMPv3 is configured.
router#show snmp group
groupname: test security model:v3 noauth
readview : v1default writeview: <no writeview
notifyview: <no notifyview specified>
row status: active

5500-1 (enable) show snmp group
Security Model: v3
Security Name: userv3
Group Name: groupv3
Storage Type: nonvolatile
Row Status: active

RP/0/RP0/CPU0:ios#show snmp group
groupname: test security model:usm
readview : v1default writeview: -
row status: nonVolatile
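For an inventory check across many devices, the same test can be run over saved "show snmp group" output. The following is an added example, not part of the Cisco advisory: it handles the three output layouts shown above and reports the groups whose security model is v3 or usm. The function names and the v2c sample lines are assumptions made for illustration.

```python
import re

GROUP_RE = re.compile(r"group\s*name:\s*(\S+)", re.I)
MODEL_RE = re.compile(r"security model:\s*(\S+)", re.I)
V3_MODELS = {"v3", "usm"}  # both values mean SNMPv3 per the advisory


def parse_groups(output):
    """Split 'show snmp group' output into one dict per group entry."""
    records, cur = [], {}
    for line in output.splitlines():
        for key, rx in (("group", GROUP_RE), ("model", MODEL_RE)):
            m = rx.search(line)
            if not m:
                continue
            if key in cur:  # a repeated field starts the next entry
                records.append(cur)
                cur = {}
            cur[key] = m.group(1)
    if cur:
        records.append(cur)
    return records


def snmpv3_groups(output):
    """Return the group names whose security model indicates SNMPv3."""
    return [r.get("group", "?") for r in parse_groups(output)
            if r.get("model", "").lower() in V3_MODELS]


# Samples copied from the advisory's example output.
IOS = "router#show snmp group\ngroupname: test security model:v3 noauth\nrow status: active\n"
CATOS = ("5500-1 (enable) show snmp group\nSecurity Model: v3\n"
         "Security Name: userv3\nGroup Name: groupv3\nRow Status: active\n")
IOS_XR = "RP/0/RP0/CPU0:ios#show snmp group\ngroupname: test security model:usm\n"
# Constructed sample: a device with only an SNMPv2c group configured.
V2C_ONLY = "router#show snmp group\ngroupname: public security model:v2c\n"

if __name__ == "__main__":
    for name, text in (("IOS", IOS), ("CatOS", CATOS),
                       ("IOS-XR", IOS_XR), ("v2c only", V2C_ONLY)):
        hits = snmpv3_groups(text)
        print(name, "SNMPv3 groups:", hits if hits else "none")
```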
IronPort C-Series, X-Series, and M-Series appliances utilize code covered
by this advisory, but are not susceptible to any security risk. IronPort
C-Series, X-Series, and M-Series incorporate the libraries under the
advisory to provide anonymous read-only access to system health data.
There is no risk of escalated authorization privileges allowing a 3rd
party to make any configuration changes to the IronPort devices. IronPort
S-Series and Encryption Appliances are not affected by this advisory. This
announcement has also been posted on the IronPort Support Portal,
available to IronPort customers:
* Cisco PIX Security Appliances
* Cisco ASA Security Appliances
* Cisco Firewall Services Module (FWSM)
* Cisco Security Monitoring, Analysis, and Response System (MARS)
* Cisco Network Admission Control (NAC) Appliance
* CiscoWorks Wireless LAN Solution Engine (WLSE)
No other Cisco products are currently known to be affected by these
SNMP defines a standard mechanism for remote management and monitoring of
devices in an Internet Protocol (IP) network.
There are three general types of SNMP operations: "get" requests to
request information, "set" requests that modify the configuration of a
remote device, and "trap" messages that provide a monitoring function.
SNMP requests and traps are transported over User Datagram Protocol (UDP)
and are received at the assigned destination port numbers 161 and 162,
SNMPv3 provides secure access to devices by authenticating and encrypting
packets over the network. RFC2574 defines the use of HMAC-MD5-96 and
HMAC-SHA-96 as the possible authentication protocols for SNMPv3.
Vulnerabilities have been identified in the authentication code of
multiple SNMPv3 implementations. This advisory identifies two
vulnerabilities that are almost identical. Both are specifically related
to malformed SNMPv3 packets that manipulate the Hash-based Message
Authentication Code (HMAC). The two vulnerabilities may impact both Secure
Hash Algorithm 1 (SHA-1) and Message-Digest Algorithm 5 (MD5). The
vulnerabilities described in this document can be successfully exploited
using spoofed SNMPv3 packets.
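The advisory does not detail the defects. As an added example (not code from Cisco or from any affected product), the following shows the receiver-side checks for HMAC-MD5-96 and HMAC-SHA-96: the authentication field must be exactly 12 octets, the digest is computed over the message with that field zeroed, and the comparison is constant-time. The key, message bytes, offsets and function names are constructed assumptions; a real receiver would obtain the field's position and length from its message decoder.

```python
import hashlib
import hmac

MAC_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 both carry 96 bits (12 octets)
DIGESTS = {"HMAC-MD5-96": hashlib.md5, "HMAC-SHA-96": hashlib.sha1}


def _zero_mac(whole_msg, offset):
    """Replace the 12-octet authentication field with zeros before hashing."""
    return whole_msg[:offset] + bytes(MAC_LEN) + whole_msg[offset + MAC_LEN:]


def sign(auth_key, whole_msg, offset, proto):
    """Sender side: write the truncated HMAC into the field at offset."""
    zeroed = _zero_mac(whole_msg, offset)
    mac = hmac.new(auth_key, zeroed, DIGESTS[proto]).digest()[:MAC_LEN]
    return zeroed[:offset] + mac + zeroed[offset + MAC_LEN:]


def verify(auth_key, whole_msg, offset, declared_len, proto):
    """Receiver side. offset and declared_len are where the (assumed) decoder
    found the authentication field and the length the sender encoded for it."""
    if proto not in DIGESTS:
        return False
    if declared_len != MAC_LEN:  # never compare fewer than 12 octets
        return False
    if offset < 0 or offset + MAC_LEN > len(whole_msg):
        return False
    received = whole_msg[offset:offset + MAC_LEN]
    expected = hmac.new(auth_key, _zero_mac(whole_msg, offset),
                        DIGESTS[proto]).digest()[:MAC_LEN]
    return hmac.compare_digest(received, expected)


# Constructed sample: placeholder bytes standing in for an encoded message.
KEY = b"constructed-localized-key"
HEADER = b"constructed-header|"
MSG = HEADER + bytes(MAC_LEN) + b"|constructed-scoped-pdu"
OFFSET = len(HEADER)

if __name__ == "__main__":
    signed = sign(KEY, MSG, OFFSET, "HMAC-SHA-96")
    print("well-formed message accepted:",
          verify(KEY, signed, OFFSET, MAC_LEN, "HMAC-SHA-96"))
    print("wrong-length field accepted:",
          verify(KEY, signed, OFFSET, 1, "HMAC-SHA-96"))
```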
These vulnerabilities are documented in the following Cisco Bug IDs:
* CSCsf04754 - IOS SNMPv3 HMAC Authentication issue
* CSCsf30109 - IOS-XR SNMPv3 HMAC Authentication issue
* CSCsf29976 - CatOS SNMPv3 HMAC Authentication issue
* CSCsq62662 - ACE XML Gw SNMPv3 HMAC Authentication issue
* CSCsq60664 - ACE Appliance SNMPv3 HMAC Authentication issue
* CSCsq60695 - ACE Module SNMPv3 HMAC Authentication issue
* CSCsq60582 - Nexus SNMPv3 HMAC Authentication issue
Note: Although multiple software defects are listed, this advisory only
identifies two vulnerabilities. Because different Cisco products require
their own fixes, additional Bug IDs have been assigned.
Successful exploitation of these vulnerabilities could result in the
disclosure of sensitive information on a device or allow an attacker to
make configuration changes to a vulnerable device that is based on the
The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@xxxxxxxxx).
The original article can be found at: