[NEWS] SNMP Version 3 Authentication Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



SNMP Version 3 Authentication Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Multiple Cisco products contain either of two authentication
vulnerabilities in the Simple Network Management Protocol version 3
(SNMPv3) feature. These vulnerabilities can be exploited when processing a
malformed SNMPv3 message. These vulnerabilities could allow the disclosure
of network information or may enable an attacker to perform configuration
changes to vulnerable devices. The SNMP server is an optional service that
is disabled by default in Cisco products. Only SNMPv3 is impacted by these
vulnerabilities. Workarounds are available for mitigating the impact of
the vulnerabilities described in this document.

DETAILS

Vulnerable Systems:
* Cisco IOS
* Cisco IOS-XR
* Cisco Catalyst Operating System (CatOS)
* Cisco NX-OS
* Cisco Application Control Engine (ACE) Module
* Cisco ACE Appliance
* Cisco ACE XML Gateway
* Cisco MDS 9000 Series Multilayer Fabric Switches

Note: The SNMP server is disabled by default. These vulnerabilities only
impact devices that are configured for SNMPv3.

To determine the version of SNMP configured on Cisco IOS, CatOS and
IOS-XR, log in to the device and issue the show snmp group command. The
security model field in the output indicates the SNMP version of each
group. A value of "usm" is the abbreviation for user-based security model
and indicates that SNMPv3 is configured; the "v3" label in the listings
below denotes the same model.

Cisco IOS
router#show snmp group
groupname: test security model:v3 noauth
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

Cisco CatOS
5500-1 (enable) show snmp group
Security Model: v3
Security Name: userv3
Group Name: groupv3
Storage Type: nonvolatile
Row Status: active

Cisco IOS-XR
RP/0/RP0/CPU0:ios#show snmp group
groupname: test security model:usm
readview : v1default writeview: -
notifyview: v1default
row status: nonVolatile
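The check above is a manual one. As an added example that is not part of the Cisco advisory, the following Python parser applies the same rule to saved "show snmp group" output: it reads the group name and security model of each record and flags the groups whose model is "v3" or "usm", so an operator can sweep collected device output for SNMPv3 configurations. The three sample listings are the advisory's own; the SNMPv2c record is constructed to show that a non-v3 group is not flagged.

```python
import re

# Sample output reproduced from the advisory's three "show snmp group" listings,
# plus one constructed SNMPv2c group to show that a non-v3 record is not flagged.
IOS_OUTPUT = """\
groupname: test security model:v3 noauth
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
"""

CATOS_OUTPUT = """\
Security Model: v3
Security Name: userv3
Group Name: groupv3
Storage Type: nonvolatile
Row Status: active
"""

IOSXR_OUTPUT = """\
groupname: test security model:usm
readview : v1default writeview: -
notifyview: v1default
row status: nonVolatile
"""

# Constructed record, not from the advisory.
V2C_OUTPUT = """\
groupname: public security model:v2c
readview : v1default writeview: -
notifyview: <no notifyview specified>
row status: active
"""

# IOS/IOS-XR print "groupname:" and "security model:" on one line;
# CatOS prints "Security Model:" and "Group Name:" on separate lines.
NAME_RE = re.compile(r"group\s*name:\s*(\S+)", re.IGNORECASE)
MODEL_RE = re.compile(r"security\s*model:\s*(\S+)", re.IGNORECASE)
STATUS_RE = re.compile(r"row\s*status:", re.IGNORECASE)
V3_MODELS = {"v3", "usm"}  # both labels denote the user-based security model


def parse_snmp_groups(output: str) -> list:
    """Return (group name, security model) pairs, one per record.
    A record ends at its 'row status' line, which all three platforms print."""
    records, current = [], {}
    for line in output.splitlines():
        m = NAME_RE.search(line)
        if m:
            current["name"] = m.group(1)
        m = MODEL_RE.search(line)
        if m:
            current["model"] = m.group(1).lower()
        if STATUS_RE.search(line):
            records.append((current.get("name", "?"), current.get("model", "?")))
            current = {}
    return records


def snmpv3_groups(output: str) -> list:
    """Names of the groups configured for SNMPv3, the only ones this advisory concerns."""
    return [name for name, model in parse_snmp_groups(output) if model in V3_MODELS]


if __name__ == "__main__":
    for label, text in (("IOS", IOS_OUTPUT), ("CatOS", CATOS_OUTPUT),
                        ("IOS-XR", IOSXR_OUTPUT), ("v2c", V2C_OUTPUT)):
        print(label, "SNMPv3 groups:", snmpv3_groups(text))
```

The parser keys on the "row status" line to delimit records, so several groups concatenated in one capture are handled, and the match is case-insensitive because CatOS capitalises its field names while IOS and IOS-XR do not.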

IronPort
IronPort C-Series, X-Series, and M-Series appliances utilize code covered
by this advisory, but are not susceptible to any security risk. IronPort
C-Series, X-Series, and M-Series incorporate the libraries under the
advisory to provide anonymous read-only access to system health data.
There is no risk of escalated authorization privileges allowing a 3rd
party to make any configuration changes to the IronPort devices. IronPort
S-Series and Encryption Appliances are not affected by this advisory. This
announcement has also been posted on the IronPort Support Portal,
available to IronPort customers:

https://supportportal.ironport.com/irppcnctr/srvcd?u=http://secure-support.soma.ironport.com/announcement&sid=900016

Immune Systems:
* Cisco PIX Security Appliances
* Cisco ASA Security Appliances
* Cisco Firewall Services Module (FWSM)
* Cisco Security Monitoring, Analysis, and Response System (MARS)
* Cisco Network Admission Control (NAC) Appliance
* CiscoWorks Wireless LAN Solution Engine (WLSE)

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details:
SNMP defines a standard mechanism for remote management and monitoring of
devices in an Internet Protocol (IP) network.

There are three general types of SNMP operations: "get" requests to
request information, "set" requests that modify the configuration of a
remote device, and "trap" messages that provide a monitoring function.
SNMP requests and traps are transported over User Datagram Protocol (UDP)
and are received at the assigned destination port numbers 161 and 162,
respectively.

SNMPv3 provides secure access to devices by authenticating and encrypting
packets over the network. RFC2574 defines the use of HMAC-MD5-96 and
HMAC-SHA-96 as the possible authentication protocols for SNMPv3.

Vulnerabilities have been identified in the authentication code of
multiple SNMPv3 implementations. This advisory identifies two
vulnerabilities that are almost identical. Both are specifically related
to malformed SNMPv3 packets that manipulate the Hash Message
Authentication Code (HMAC). The two vulnerabilities may impact both Secure
Hashing Algorithm-1 (SHA-1) and Message-Digest Algorithm 5 (MD5). The
vulnerabilities described in this document can be successfully exploited
using spoofed SNMPv3 packets.
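The advisory does not describe the internals of the Cisco defects, only that malformed packets manipulating the HMAC field are involved. As an added example that is not Cisco's code, the following Python sketch shows what a conforming SNMPv3 receiver does with that field under the user-based security model: it derives the localized key from a password and engine ID as specified in RFC 3414 (the successor to RFC 2574), computes HMAC-MD5-96 or HMAC-SHA-96 over the message with the authentication field zeroed, and accepts a message only if the received field is exactly 12 octets and matches in constant time. The message bytes are constructed stand-ins for the BER-encoded head and tail around msgAuthenticationParameters; the password and engine ID are the RFC 3414 A.3 test values.

```python
import hashlib
import hmac

# RFC 3414: HMAC-MD5-96 and HMAC-SHA-96 both place a 96-bit (12-octet)
# truncated MAC in the msgAuthenticationParameters field.
AUTH_PARAMS_LEN = 12
PASSWORD_EXPANSION = 1048576  # 1 MiB of repeated password, RFC 3414 A.2


def password_to_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: expand the password cyclically to 1 MiB and digest it (Ku),
    then localize Ku to one engine as H(Ku || engineID || Ku) (Kul)."""
    if not password:
        raise ValueError("empty password")
    expanded = (password * (PASSWORD_EXPANSION // len(password) + 1))[:PASSWORD_EXPANSION]
    ku = hashlib.new(algo, expanded).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def compute_auth_params(key: bytes, head: bytes, tail: bytes, algo: str) -> bytes:
    """HMAC over the whole message with msgAuthenticationParameters set to
    12 zero octets, truncated to 96 bits. head/tail are the octets before
    and after that field."""
    whole_msg = head + b"\x00" * AUTH_PARAMS_LEN + tail
    return hmac.new(key, whole_msg, algo).digest()[:AUTH_PARAMS_LEN]


def verify_auth_params(key: bytes, head: bytes, received: bytes, tail: bytes, algo: str) -> bool:
    """Accept only a well-formed, full-length tag that matches in constant time.
    A field of any other length is malformed and is rejected before comparison."""
    if len(received) != AUTH_PARAMS_LEN:
        return False
    expected = compute_auth_params(key, head, tail, algo)
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    """Exercise the verifier on a constructed message: a genuine tag, a tampered
    message, and a malformed (truncated) authentication field."""
    engine_id = bytes(11) + b"\x02"  # engine ID from the RFC 3414 A.3 test vectors
    key = password_to_key(b"maplesyrup", engine_id, "sha1")
    head = b"constructed octets before msgAuthenticationParameters"  # stand-in for BER data
    tail = b"constructed octets after msgAuthenticationParameters"
    tag = compute_auth_params(key, head, tail, "sha1")
    return {
        "valid": verify_auth_params(key, head, tag, tail, "sha1"),
        "tampered": verify_auth_params(key, head, tag, tail + b"!", "sha1"),
        "malformed": verify_auth_params(key, head, tag[:4], tail, "sha1"),
    }


if __name__ == "__main__":
    print(demo())  # {'valid': True, 'tampered': False, 'malformed': False}
```

Two properties of the verifier carry the security weight: the length of the received field is fixed by the protocol rather than taken from the packet, and the comparison is constant-time so that a spoofed packet learns nothing from how long the check takes.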

These vulnerabilities are documented in the following Cisco Bug IDs:
* CSCsf04754 - IOS SNMPv3 HMAC Authentication issue
* CSCsf30109 - IOS-XR SNMPv3 HMAC Authentication issue
* CSCsf29976 - CatOS SNMPv3 HMAC Authentication issue
* CSCsq62662 - ACE XML Gw SNMPv3 HMAC Authentication issue
* CSCsq60664 - ACE Appliance SNMPv3 HMAC Authentication issue
* CSCsq60695 - ACE Module SNMPv3 HMAC Authentication issue
* CSCsq60582 - Nexus SNMPv3 HMAC Authentication issue

Note: Although multiple software defects are listed, this advisory only
identifies two vulnerabilities. Because different Cisco products require
their own fixes, additional Bug IDs have been assigned.

Impact:
Successful exploitation of these vulnerabilities could result in the
disclosure of sensitive information on a device or allow an attacker to
make configuration changes to a vulnerable device; which of the two is
possible depends on the device's SNMP configuration.

CVE Information:
CVE-2008-0960 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960


ADDITIONAL INFORMATION

The information has been provided by <mailto:psirt@xxxxxxxxx> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml


