Vulnerabilities > CVE-2008-0960 - Improper Authentication vulnerability in Juniper Session and Resource Control and SRC PE

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
juniper
CWE-287
nessus
exploit available

Summary

SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.

Vulnerable Configurations

Part Description Count
OS
Cisco
61
OS
Ecos_Sourceware
5
OS
Net-Snmp
17
OS
Sun
2
Hardware
Cisco
13
Hardware
Ingate
63
Application
Juniper
4

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.

Exploit-Db

descriptionSNMPv3 HMAC validation error Remote Authentication Bypass Exploit. CVE-2008-0960. Remote exploits for multiple platform
fileexploits/multiple/remote/5790.txt
idEDB-ID:5790
last seen2016-01-31
modified2008-06-12
platformmultiple
port161
published2008-06-12
reporterMaurizio Agazzini
sourcehttps://www.exploit-db.com/download/5790/
titleSNMPv3 - HMAC validation error Remote Authentication Bypass Exploit
typeremote

Nessus

  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0529.NASL
    descriptionUpdated net-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Simple Network Management Protocol (SNMP) is a protocol used for network management. A flaw was found in the way Net-SNMP checked an SNMPv3 packet
    last seen2020-06-01
    modified2020-06-02
    plugin id33142
    published2008-06-12
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33142
    titleCentOS 3 / 4 / 5 : net-snmp (CESA-2008:0529)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0529 and 
    # CentOS Errata and Security Advisory 2008:0529 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33142);
      script_version("1.23");
      script_cvs_date("Date: 2019/10/25 13:36:04");
    
      script_cve_id("CVE-2008-0960", "CVE-2008-2292");
      script_bugtraq_id(29212, 29623);
      script_xref(name:"RHSA", value:"2008:0529");
    
      script_name(english:"CentOS 3 / 4 / 5 : net-snmp (CESA-2008:0529)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated net-snmp packages that fix a security issue are now available
    for Red Hat Enterprise Linux 3, 4, and 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Simple Network Management Protocol (SNMP) is a protocol used for
    network management.
    
    A flaw was found in the way Net-SNMP checked an SNMPv3 packet's
    Keyed-Hash Message Authentication Code (HMAC). An attacker could use
    this flaw to spoof an authenticated SNMPv3 packet. (CVE-2008-0960)
    
    A buffer overflow was found in the Perl bindings for Net-SNMP. This
    could be exploited if an attacker could convince an application using
    the Net-SNMP Perl module to connect to a malicious SNMP agent.
    (CVE-2008-2292)
    
    All users of net-snmp should upgrade to these updated packages, which
    contain backported patches to resolve these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/014970.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6ce0318a"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/014971.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d46f8e65"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/014980.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0b76e169"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/014983.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0ce8c587"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015014.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9e04fe41"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015015.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b05a3829"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015040.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7dcbf0ab"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015041.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?170e07e5"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected net-snmp packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119, 287);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:net-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:net-snmp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:net-snmp-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:net-snmp-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:net-snmp-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/05/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/06/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x / 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"net-snmp-5.0.9-2.30E.24")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"net-snmp-devel-5.0.9-2.30E.24")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"net-snmp-libs-5.0.9-2.30E.24")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"net-snmp-perl-5.0.9-2.30E.24")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"net-snmp-utils-5.0.9-2.30E.24")) flag++;
    
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"net-snmp-5.1.2-11.el4_6.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"net-snmp-5.1.2-11.c4.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"net-snmp-5.1.2-11.el4_6.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"net-snmp-devel-5.1.2-11.el4_6.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"net-snmp-devel-5.1.2-11.c4.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"net-snmp-devel-5.1.2-11.el4_6.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"net-snmp-libs-5.1.2-11.el4_6.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"net-snmp-libs-5.1.2-11.c4.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"net-snmp-libs-5.1.2-11.el4_6.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"net-snmp-perl-5.1.2-11.el4_6.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"net-snmp-perl-5.1.2-11.c4.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"net-snmp-perl-5.1.2-11.el4_6.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"net-snmp-utils-5.1.2-11.el4_6.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"net-snmp-utils-5.1.2-11.c4.11.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"net-snmp-utils-5.1.2-11.el4_6.11.3")) flag++;
    
    if (rpm_check(release:"CentOS-5", reference:"net-snmp-5.3.1-24.el5_2.1")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"net-snmp-devel-5.3.1-24.el5_2.1")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"net-snmp-libs-5.3.1-24.el5_2.1")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"net-snmp-perl-5.3.1-24.el5_2.1")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"net-snmp-utils-5.3.1-24.el5_2.1")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "net-snmp / net-snmp-devel / net-snmp-libs / net-snmp-perl / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1663.NASL
    descriptionSeveral vulnerabilities have been discovered in NET SNMP, a suite of Simple Network Management Protocol applications. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-0960 Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length, which allows spoofing of authenticated SNMPv3 packets. - CVE-2008-2292 John Kortink reported a buffer overflow in the __snprint_value function in snmp_get causing a denial of service and potentially allowing the execution of arbitrary code via a large OCTETSTRING in an attribute value pair (AVP). - CVE-2008-4309 It was reported that an integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c allows remote attackers to cause a denial of service attack via a crafted SNMP GETBULK request.
    last seen2020-06-01
    modified2020-06-02
    plugin id34720
    published2008-11-09
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34720
    titleDebian DSA-1663-1 : net-snmp - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1663. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34720);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      script_cve_id("CVE-2008-0960", "CVE-2008-2292", "CVE-2008-4309");
      script_bugtraq_id(29212, 29623, 32020);
      script_xref(name:"DSA", value:"1663");
    
      script_name(english:"Debian DSA-1663-1 : net-snmp - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in NET SNMP, a suite of
    Simple Network Management Protocol applications. The Common
    Vulnerabilities and Exposures project identifies the following
    problems :
    
      - CVE-2008-0960
        Wes Hardaker reported that the SNMPv3 HMAC verification
        relies on the client to specify the HMAC length, which
        allows spoofing of authenticated SNMPv3 packets.
    
      - CVE-2008-2292
        John Kortink reported a buffer overflow in the
        __snprint_value function in snmp_get causing a denial of
        service and potentially allowing the execution of
        arbitrary code via a large OCTETSTRING in an attribute
        value pair (AVP).
    
      - CVE-2008-4309
        It was reported that an integer overflow in the
        netsnmp_create_subtree_cache function in
        agent/snmp_agent.c allows remote attackers to cause a
        denial of service attack via a crafted SNMP GETBULK
        request."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=485945"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482333"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504150"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0960"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-2292"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-4309"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1663"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the net-snmp package.
    
    For the stable distribution (etch), these problems has been fixed in
    version 5.2.3-7etch4."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(20, 119, 287);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:net-snmp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"libsnmp-base", reference:"5.2.3-7etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"libsnmp-perl", reference:"5.2.3-7etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"libsnmp9", reference:"5.2.3-7etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"libsnmp9-dev", reference:"5.2.3-7etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"snmp", reference:"5.2.3-7etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"snmpd", reference:"5.2.3-7etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"tkmib", reference:"5.2.3-7etch4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_39887.NASL
    descriptions700_800 11.X OV EMANATE15.3 IA-64 Consolidated Patch 6 : A potential vulnerability has been identified with HP OpenView SNMP Emanate Master Agent Running on HP-UX, Linux, Solaris, and Windows. The vulnerability could be exploited remotely to gain unauthorized access.
    last seen2020-06-01
    modified2020-06-02
    plugin id47754
    published2010-07-19
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/47754
    titleHP-UX PHSS_39887 : HP OpenView SNMP Emanate Master Agent Remote Unauthorized Access (HPSBMA02439 SSRT080082 rev.3)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHSS_39887. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(47754);
      script_version("1.26");
      script_cvs_date("Date: 2018/07/12 19:01:15");
    
      script_cve_id("CVE-2008-0960");
      script_bugtraq_id(29623);
      script_xref(name:"HP", value:"emr_na-c01757418");
      script_xref(name:"HP", value:"SSRT080082");
    
      script_name(english:"HP-UX PHSS_39887 : HP OpenView SNMP Emanate Master Agent Remote Unauthorized Access (HPSBMA02439 SSRT080082 rev.3)");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.X OV EMANATE15.3 IA-64 Consolidated Patch 6 : 
    
    A potential vulnerability has been identified with HP OpenView SNMP
    Emanate Master Agent Running on HP-UX, Linux, Solaris, and Windows.
    The vulnerability could be exploited remotely to gain unauthorized
    access."
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01757418
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5cc54a7f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHSS_39887 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(287);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/08/21");
      script_set_attribute(attribute:"patch_modification_date", value:"2010/07/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.23 11.31", proc:"ia64"))
    {
      exit(0, "The host is not affected since PHSS_39887 applies to a different OS release / architecture.");
    }
    
    patches = make_list("PHSS_39887", "PHSS_41033", "PHSS_41557", "PHSS_42776", "PHSS_43175", "PHSS_43647", "PHSS_43818", "PHSS_44265");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"OVSNMPAgent.MASTER", version:"B.11.23")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.MASTER", version:"B.11.23.01")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.MASTER", version:"B.11.31")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.MASTER", version:"B.11.31.01")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SNMP-ENG-A-MAN", version:"B.11.23")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SNMP-ENG-A-MAN", version:"B.11.23.01")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SNMP-ENG-A-MAN", version:"B.11.31")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SNMP-ENG-A-MAN", version:"B.11.31.01")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-HPUNIX", version:"B.11.23")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-HPUNIX", version:"B.11.23.01")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-HPUNIX", version:"B.11.31")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-HPUNIX", version:"B.11.31.01")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-MIB2", version:"B.11.23")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-MIB2", version:"B.11.23.01")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-MIB2", version:"B.11.31")) flag++;
    if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-MIB2", version:"B.11.31.01")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-5215.NASL
    description - Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-18 - explicitly require lm_sensor > 3 for build (#442718) - fix various flaws (CVE-2008-2292 CVE-2008-0960) - Sat May 31 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-17 - fix sparc handling in /usr/bin/net-snmp-config - Thu May 29 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-16 - fix /usr/include/net-snmp-config.h for sparc - Sun May 25 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-15 - sparc multilib handling Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33146
    published2008-06-12
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33146
    titleFedora 9 : net-snmp-5.4.1-18.fc9 (2008-5215)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0529.NASL
    descriptionFrom Red Hat Security Advisory 2008:0529 : Updated net-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Simple Network Management Protocol (SNMP) is a protocol used for network management. A flaw was found in the way Net-SNMP checked an SNMPv3 packet
    last seen2020-06-01
    modified2020-06-02
    plugin id67708
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67708
    titleOracle Linux 3 / 4 / 5 : net-snmp (ELSA-2008-0529)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-9362.NASL
    description - Mon Jun 23 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-8 - explicitly require the right version and release of net-snmp and net-snmp-libs (#451225) - fix CVE-2008-4309 - Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-7 - fix various flaws (CVE-2008-2292 CVE-2008-0960) - Thu Feb 14 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-6 - fixing ipNetToMediaNetAddress to show IP address (#432780) - Thu Nov 15 2007 Jan Safranek <jsafranek at redhat.com> 5.4.1-5 - added procps to build dependencies (#380321) - fix crash on reading xen interfaces (#386611) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id34703
    published2008-11-06
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34703
    titleFedora 8 : net-snmp-5.4.1-8.fc8 (2008-9362)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0017_NET-SNMP.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 5.04, has net-snmp packages installed that are affected by multiple vulnerabilities: - SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte. (CVE-2008-0960) - Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP). (CVE-2008-2292) - Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. (CVE-2008-4309) - The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp 5.0.9 through 5.4.2.1, when using TCP wrappers for client authorization, does not properly parse hosts.allow rules, which allows remote attackers to bypass intended access restrictions and execute SNMP queries, related to source/destination IP address confusion. (CVE-2008-6123) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127171
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127171
    titleNewStart CGSL MAIN 5.04 : net-snmp Multiple Vulnerabilities (NS-SA-2019-0017)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2008-0017.NASL
    descriptiona. Updated ESX Service Console package libxml2 A denial of service flaw was found in the way libxml2 processes certain content. If an application that is linked against libxml2 processes malformed XML content, the XML content might cause the application to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3281 to this issue. Additionally the following was also fixed, but was missing in the security advisory. A heap-based buffer overflow flaw was found in the way libxml2 handled long XML entity names. If an application linked against libxml2 processed untrusted malformed XML content, it could cause the application to crash or, possibly, execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3529 to this issue. b. Updated ESX Service Console package ucd-snmp A flaw was found in the way ucd-snmp checks an SNMPv3 packet
    last seen2020-06-01
    modified2020-06-02
    plugin id40384
    published2009-07-27
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40384
    titleVMSA-2008-0017 : Updated ESX packages for libxml2, ucd-snmp, libtiff
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0528.NASL
    descriptionUpdated ucd-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Simple Network Management Protocol (SNMP) is a protocol used for network management. A flaw was found in the way ucd-snmp checked an SNMPv3 packet
    last seen2020-06-01
    modified2020-06-02
    plugin id33156
    published2008-06-12
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33156
    titleRHEL 2.1 : ucd-snmp (RHSA-2008:0528)
  • NASL familyCISCO
    NASL idCISCO-SA-20080610-SNMPV3-IOSXR.NASL
    descriptionMultiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. The vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document. Note: SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044.
    last seen2019-10-28
    modified2013-12-14
    plugin id71433
    published2013-12-14
    reporterThis script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/71433
    titleSNMP Version 3 Authentication Vulnerabilities (cisco-sa-20080610-snmpv3)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL8939.NASL
    descriptionSNMPv3 HMAC verification relies on the client to specify the HMAC length. This flexibility allows remote attackers to bypass SNMP authentication by specifying a length value of 1 , which only checks the first byte.
    last seen2020-06-01
    modified2020-06-02
    plugin id78225
    published2014-10-10
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78225
    titleF5 Networks BIG-IP : SNMPv3 HMAC verification vulnerability (SOL8939)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_120272.NASL
    descriptionSunOS 5.10: SMA patch. Date this patch was last updated by Sun : May/11/17 This plugin has been deprecated and either replaced with individual 120272 patch-revision plugins, or deemed non-security related.
    last seen2019-02-21
    modified2018-07-30
    plugin id25272
    published2007-05-20
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=25272
    titleSolaris 10 (sparc) : 120272-40 (deprecated)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-685-1.NASL
    descriptionWes Hardaker discovered that the SNMP service did not correctly validate HMAC authentication requests. An unauthenticated remote attacker could send specially crafted SNMPv3 traffic with a valid username and gain access to the user
    last seen2020-06-01
    modified2020-06-02
    plugin id38099
    published2009-04-23
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38099
    titleUbuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : net-snmp vulnerabilities (USN-685-1)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-118.NASL
    descriptionA vulnerability was found in how Net-SNMP checked an SNMPv3 packet
    last seen2020-06-01
    modified2020-06-02
    plugin id37050
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37050
    titleMandriva Linux Security Advisory : net-snmp (MDVSA-2008:118)
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12204.NASL
    descriptionThis security update of net-snmp fixes a denial of service vulnerability (CVE-2008-2292), an authentication bypass (CVE-2008-0960) and several memory leaks. In addition net-snmp was patched to allow customization of the agent address set.
    last seen2020-06-01
    modified2020-06-02
    plugin id41223
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41223
    titleSuSE9 Security Update : net-snmp (YOU Patch Number 12204)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-5224.NASL
    description - Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4-18 - fix various flaws (CVE-2008-2292 CVE-2008-0960) - Thu Feb 14 2008 Jan Safranek <jsafranek at redhat.com> 5.4-17 - fixing ipNetToMediaNetAddress to show IP address (#432780) - Fri Oct 19 2007 Jan Safranek <jsafranek at redhat.com> 5.4-16 - License: field fixed to
    last seen2020-06-01
    modified2020-06-02
    plugin id33148
    published2008-06-12
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33148
    titleFedora 7 : net-snmp-5.4-18.fc7 (2008-5224)
  • NASL familyCISCO
    NASL idCISCO-SA-20080610-SNMPV3HTTP.NASL
    descriptionMultiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document. Note: SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044.
    last seen2019-10-28
    modified2010-09-01
    plugin id49016
    published2010-09-01
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/49016
    titleSNMP Version 3 Authentication Vulnerabilities (cisco-sa-20080610-snmpv3)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2008-0013.NASL
    descriptionI Security Issues a. OpenSSL Binaries Updated This fix updates the third-party OpenSSL library. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108 and CVE-2007-5135 to the issues addressed by this update. II Service Console rpm updates a. net-snmp Security update This fix upgrades the service console rpm for net-snmp to version net-snmp-5.0.9-2.30E.24. Note: this update is relevant for ESX 3.0.3. The initial advisory incorrectly stated that this update was present in ESX 3.0.3 when it was released on August 8, 2008. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-2292 and CVE-2008-0960 to the issues addressed in net-snmp-5.0.9-2.30E.24. b. perl Security update This fix upgrades the service console rpm for perl to version perl-5.8.0-98.EL3. Note: this update is relevant for ESX 3.0.3. The initial advisory incorrectly stated that this update was present in ESX 3.0.3 when it was released on August 8, 2008. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1927 to the issue addressed in perl-5.8.0-98.EL3.
    last seen2020-06-01
    modified2020-06-02
    plugin id40381
    published2009-07-27
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40381
    titleVMSA-2008-0013 : Updated ESX packages for OpenSSL, net-snmp, perl
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_LIBSNMP15-080706.NASL
    descriptionThis security update fixes a denial of service vulnerability and an authentication bypass (CVE-2008-2292, CVE-2008-0960).
    last seen2020-06-01
    modified2020-06-02
    plugin id40045
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40045
    titleopenSUSE Security Update : libsnmp15 (libsnmp15-87)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0529.NASL
    descriptionUpdated net-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Simple Network Management Protocol (SNMP) is a protocol used for network management. A flaw was found in the way Net-SNMP checked an SNMPv3 packet
    last seen2020-06-01
    modified2020-06-02
    plugin id33157
    published2008-06-12
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33157
    titleRHEL 3 / 4 / 5 : net-snmp (RHSA-2008:0529)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-5218.NASL
    description - Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-7 - fix various flaws (CVE-2008-2292 CVE-2008-0960) - Thu Feb 14 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-6 - fixing ipNetToMediaNetAddress to show IP address (#432780) - Thu Nov 15 2007 Jan Safranek <jsafranek at redhat.com> 5.4.1-5 - added procps to build dependencies (#380321) - fix crash on reading xen interfaces (#386611) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33147
    published2008-06-12
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33147
    titleFedora 8 : net-snmp-5.4.1-7.fc8 (2008-5218)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_120272-31.NASL
    descriptionSunOS 5.10: SMA patch. Date this patch was last updated by Sun : Jun/30/11
    last seen2020-06-01
    modified2020-06-02
    plugin id107359
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107359
    titleSolaris 10 (sparc) : 120272-31
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2008-210-07.NASL
    descriptionNew net-snmp packages are available for Slackware 12.0, 12.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33752
    published2008-07-29
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33752
    titleSlackware 12.0 / 12.1 / current : net-snmp (SSA:2008-210-07)
  • NASL familySNMP
    NASL idSNMPV3_AUTHENTICATION_BYPASS.NASL
    descriptionSNMPv3 HMAC verification relies on the client to specify the HMAC length. This makes it possible for remote attackers to bypass SNMP authentication via repeated attempts with a HMAC length value of 1, which causes only the first byte of the authentication hash to be checked. This issue affects SNMP implementations from multiple vendors.
    last seen2020-06-01
    modified2020-06-02
    plugin id40449
    published2009-07-31
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40449
    titleMultiple Vendor HMAC Authentication SNMPv3 Authentication Bypass
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_39886.NASL
    descriptions700_800 11.X OV EMANATE15.3 PA-RISC Consolidated Patch 6 : A potential vulnerability has been identified with HP OpenView SNMP Emanate Master Agent Running on HP-UX, Linux, Solaris, and Windows. The vulnerability could be exploited remotely to gain unauthorized access.
    last seen2020-06-01
    modified2020-06-02
    plugin id47753
    published2010-07-19
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/47753
    titleHP-UX PHSS_39886 : HP OpenView SNMP Emanate Master Agent Remote Unauthorized Access (HPSBMA02439 SSRT080082 rev.3)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200808-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200808-02 (Net-SNMP: Multiple vulnerabilities) Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length (CVE-2008-0960). John Kortink reported a buffer overflow in the Perl bindings of Net-SNMP when processing the OCTETSTRING in an attribute value pair (AVP) received by an SNMP agent (CVE-2008-2292). Impact : An attacker could send SNMPv3 packets to an instance of snmpd providing a valid user name and an HMAC length value of 1, and easily conduct brute-force attacks to bypass SNMP authentication. An attacker could further entice a user to connect to a malicious SNMP agent with an SNMP client using the Perl bindings, possibly resulting in the execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id33832
    published2008-08-07
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33832
    titleGLSA-200808-02 : Net-SNMP: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_NET-SNMP-5422.NASL
    descriptionThis security update of net-snmp fixes a denial of service vulnerability (CVE-2008-2292), an authentication bypass (CVE-2008-0960) and several memory leaks. In addition net-snmp was patched to allow customization of the agent address set.
    last seen2020-06-01
    modified2020-06-02
    plugin id33787
    published2008-08-01
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33787
    titleSuSE 10 Security Update : net-snmp (ZYPP Patch Number 5422)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080610_NET_SNMP_ON_SL3_X.NASL
    descriptionA flaw was found in the way Net-SNMP checked an SNMPv3 packet
    last seen2020-06-01
    modified2020-06-02
    plugin id60419
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60419
    titleScientific Linux Security Update : net-snmp on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_5_4.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.4. Mac OS X 10.5.4 contains security fixes for multiple components.
    last seen2020-06-01
    modified2020-06-02
    plugin id33281
    published2008-07-01
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33281
    titleMac OS X 10.5.x < 10.5.4 Multiple Vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-9367.NASL
    description - Tue Jul 22 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-19 - fix perl SNMP::Session::set (#452131) - support interface names longer than 8 characters (#468045) - explicitly require the right version and release of net-snmp and net-snmp-libs - fix CVE-2008-4309 - Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-18 - explicitly require lm_sensor > 3 for build (#442718) - fix various flaws (CVE-2008-2292 CVE-2008-0960) - Sat May 31 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-17 - fix sparc handling in /usr/bin/net-snmp-config - Thu May 29 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-16 - fix /usr/include/net-snmp-config.h for sparc - Sun May 25 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-15 - sparc multilib handling Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id34704
    published2008-11-06
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34704
    titleFedora 9 : net-snmp-5.4.1-19.fc9 (2008-9367)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_120273.NASL
    descriptionSunOS 5.10_x86: SMA patch. Date this patch was last updated by Sun : May/11/17 This plugin has been deprecated and either replaced with individual 120273 patch-revision plugins, or deemed non-security related.
    last seen2019-02-21
    modified2018-07-30
    plugin id25391
    published2007-06-04
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=25391
    titleSolaris 10 (x86) : 120273-42 (deprecated)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_LIBSNMP15-5418.NASL
    descriptionThis security update fixes a denial of service vulnerability and an authentication bypass (CVE-2008-2292, CVE-2008-0960).
    last seen2020-06-01
    modified2020-06-02
    plugin id33786
    published2008-08-01
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33786
    titleopenSUSE 10 Security Update : libsnmp15 (libsnmp15-5418)
  • NASL familyCISCO
    NASL idCISCO-SA-20080610-SNMPV3-NXOS.NASL
    descriptionMultiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document. Note: SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044.
    last seen2020-06-01
    modified2020-06-02
    plugin id66697
    published2013-05-31
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/66697
    titleSNMP Version 3 Authentication Bypass Vulnerabilities (cisco-sa-20080610-snmpv3)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_120273-33.NASL
    descriptionSunOS 5.10_x86: SMA patch. Date this patch was last updated by Sun : Jun/29/11
    last seen2020-06-01
    modified2020-06-02
    plugin id107861
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107861
    titleSolaris 10 (x86) : 120273-33
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2008-004.NASL
    descriptionThe remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-004 applied. This update contains security fixes for a number of programs.
    last seen2020-06-01
    modified2020-06-02
    plugin id33282
    published2008-07-01
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33282
    titleMac OS X Multiple Vulnerabilities (Security Update 2008-004)

Oval

  • accepted2013-04-29T04:09:04.048-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
      ovaloval:org.mitre.oval:def:11414
    • commentThe operating system installed on the system is CentOS Linux 5.x
      ovaloval:org.mitre.oval:def:15802
    • commentOracle Linux 5.x
      ovaloval:org.mitre.oval:def:15459
    description SNMP authentication via a length value of 1, which only checks the first byte.
    familyunix
    idoval:org.mitre.oval:def:10820
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    title SNMP authentication via a length value of 1, which only checks the first byte.
    version27
  • accepted2010-08-02T04:00:08.371-04:00
    classvulnerability
    contributors
    • nameYuzheng Zhou
      organizationHewlett-Packard
    • nameKASHIF LATIF
      organizationDTCC
    • nameDavid Ries
      organizationJovalCM.com
    descriptionMultiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document. Note: SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044["http://www.kb.cert.org/vuls/id/878044"] to these vulnerabilities. Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960["http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0960"] has also been assigned to these vulnerabilities. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080610-snmpv3["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080610-snmpv3"].
    familyios
    idoval:org.mitre.oval:def:5785
    statusaccepted
    submitted2008-05-02T11:06:36.000-04:00
    titleMultiple Cisco Products Simple Network Management Protocol version 3 Hash Message Authentication Code Manipulation Vulnerability
    version7
  • accepted2010-05-17T04:00:16.158-04:00
    classvulnerability
    contributors
    • nameMichael Wood
      organizationHewlett-Packard
    • nameJ. Daniel Brown
      organizationDTCC
    definition_extensions
    • commentVMWare ESX Server 3.0.3 is installed
      ovaloval:org.mitre.oval:def:6026
    • commentVMWare ESX Server 3.0.2 is installed
      ovaloval:org.mitre.oval:def:5613
    • commentVMware ESX Server 3.5.0 is installed
      ovaloval:org.mitre.oval:def:5887
    descriptionSNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.
    familyunix
    idoval:org.mitre.oval:def:6414
    statusaccepted
    submitted2009-09-23T15:39:02.000-04:00
    titleNet-snmp SNMPv3 Authentication Bug Lets Remote Users Bypass Authentication
    version5

Redhat

advisories
  • rhsa
    idRHSA-2008:0528
  • rhsa
    idRHSA-2008:0529
rpms
  • ucd-snmp-0:4.2.5-8.AS21.7
  • ucd-snmp-devel-0:4.2.5-8.AS21.7
  • ucd-snmp-utils-0:4.2.5-8.AS21.7
  • net-snmp-0:5.0.9-2.30E.24
  • net-snmp-0:5.1.2-11.el4_6.11.3
  • net-snmp-1:5.3.1-24.el5_2.1
  • net-snmp-debuginfo-0:5.0.9-2.30E.24
  • net-snmp-debuginfo-0:5.1.2-11.el4_6.11.3
  • net-snmp-debuginfo-1:5.3.1-24.el5_2.1
  • net-snmp-devel-0:5.0.9-2.30E.24
  • net-snmp-devel-0:5.1.2-11.el4_6.11.3
  • net-snmp-devel-1:5.3.1-24.el5_2.1
  • net-snmp-libs-0:5.0.9-2.30E.24
  • net-snmp-libs-0:5.1.2-11.el4_6.11.3
  • net-snmp-libs-1:5.3.1-24.el5_2.1
  • net-snmp-perl-0:5.0.9-2.30E.24
  • net-snmp-perl-0:5.1.2-11.el4_6.11.3
  • net-snmp-perl-1:5.3.1-24.el5_2.1
  • net-snmp-utils-0:5.0.9-2.30E.24
  • net-snmp-utils-0:5.1.2-11.el4_6.11.3
  • net-snmp-utils-1:5.3.1-24.el5_2.1

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 29623 CVE(CAN) ID: CVE-2008-0960 Net-SNMP是一个免费的、开放源码的SNMP实现,以前称为UCD-SNMP。 Net-SNMP处理认证的实现上存在漏洞,远程攻击者可能利用此漏洞绕过认证获取SNMP对象的访问。 Net-SNMP的认证代码依赖于用户输入中所指定的HMAC长度读取所要检查的长度。SNMPv3的认证是使用HMAC实现的,如果用户在认证代码字段中提供了单字节的HMAC代码的话,由于仅会检查第一个字节,因此就会有1/256的概率匹配正确的HMAC并通过认证,这大大的提高了暴力猜测的成功率。这个漏洞允许攻击者读取和修改任何使用登录系统的认证凭据可访问的SNMP对象。 0 Net-SNMP net-snmp 5.4.x Net-SNMP net-snmp 5.3.x Net-SNMP net-snmp 5.2.x 临时解决方法: 在Cisco设备中可应用以下措施: * 部署以下基础架构ACL(iACL) !--- Permit SNMP UDP 161 packets from !--- trusted hosts destined to infrastructure addresses. access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 161 !--- Deny SNMP UDP 161 packets from all !--- other sources destined to infrastructure addresses. access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161 !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance !--- with existing security policies and configurations !--- Permit all other traffic to transit the device. access-list 150 permit ip any anyinterface serial 2/0ip access-group 150 in * 部署以下控制面整型(CoPP) !--- Deny SNMP UDP traffic from trusted hosts to all IP addresses !--- configured on all interfaces of the affected device so that !--- it will be allowed by the CoPP feature access-list 111 deny udp host 192.168.100.1 any eq 161 !--- Permit all other SNMP UDP traffic sent to all IP addresses !--- configured on all interfaces of the affected device so that it !--- will be policed and dropped by the CoPP feature access-list 111 permit udp any any eq 161 !--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !--- traffic in accordance with existing security policies and !--- configurations for traffic that is authorized to be sent !--- to infrastructure devices !--- Create a Class-Map for traffic to be policed by !--- the CoPP feature class-map match-all drop-snmpv3-class match access-group 111 !--- Create a Policy-Map that will be applied to the !--- Control-Plane of the device. policy-map drop-snmpv3-traffic class drop-snmpv3-class drop !--- Apply the Policy-Map to the !--- Control-Plane of the device control-plane service-policy input drop-snmpv3-traffic 请注意在Cisco IOS的12.2S和12.0S系列上policy-map句法有所不同: policy-map drop-snmpv3-traffic class drop-snmpv3-class police 32000 1500 1500 conform-action drop exceed-action drop 厂商补丁: Cisco ----- Cisco已经为此发布了一个安全公告(cisco-sa-20080610-snmpv3)以及相应补丁: cisco-sa-20080610-snmpv3:SNMP Version 3 Authentication Vulnerabilities 链接:&lt;a href=http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml target=_blank&gt;http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml&lt;/a&gt; RedHat ------ RedHat已经为此发布了一个安全公告(RHSA-2008:0528-01)以及相应补丁: RHSA-2008:0528-01:Moderate: ucd-snmp security update 链接:&lt;a href=https://www.redhat.com/support/errata/RHSA-2008-0528.html target=_blank&gt;https://www.redhat.com/support/errata/RHSA-2008-0528.html&lt;/a&gt; Net-SNMP -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: &lt;a href=http://sourceforge.net/projects/net-snmp/ target=_blank&gt;http://sourceforge.net/projects/net-snmp/&lt;/a&gt;
    idSSV:3418
    last seen2017-11-19
    modified2008-06-14
    published2008-06-14
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-3418
    titleNet-SNMP远程绕过认证漏洞
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:17266
    last seen2017-11-19
    modified2008-06-12
    published2008-06-12
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-17266
    titleSNMPv3 HMAC validation error Remote Authentication Bypass Exploit

References