CVE-2008-0960 - Improper Authentication vulnerability in Juniper Session and Resource Control and SRC PE
Summary
SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.
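The flaw described in the summary is a verifier that lets the sender's msgAuthenticationParameters length decide how many MAC octets get compared. As an added illustration, and not code from this page, from Net-SNMP or from any listed vendor, the Python below models the RFC 3414 HMAC-SHA-96 check: the sender computes HMAC-SHA1 over the message with the authentication field zeroed and sends the first 12 octets, and the receiver recomputes and compares. The truncating verifier sits beside the fixed one that insists on exactly 12 octets and compares in constant time. The message layout, engine ID and packet fields are constructed for the demo (real SNMPv3 messages are BER-encoded); the key-localization step follows RFC 3414 and uses the RFC's own "maplesyrup" test password.

```python
import hashlib
import hmac

AUTH_PARAM_LEN = 12  # HMAC-SHA-96: msgAuthenticationParameters is always 12 octets (RFC 3414)

# Constructed demo values; not taken from any real device or advisory.
ENGINE_ID = bytes.fromhex("80001f8880e9bd0a1b2c3d4e")
PACKET = {
    "msgID": b"\x00\x00\x04\xd2",
    "engineID": ENGINE_ID,
    "userName": b"monitor",
    "scopedPDU": b"\x30\x03\x02\x01\x00",
}


def password_to_localized_key(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2 (SHA-1): expand the password to 1 MiB, hash it, then localize to the engine."""
    expanded = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    ku = hashlib.sha1(expanded).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()


def serialize(fields: dict, auth_params: bytes) -> bytes:
    """Toy wire form (length-prefixed fields, not BER) with the given authParameters in place."""
    out = b""
    for name in ("msgID", "engineID", "userName", "authParams", "scopedPDU"):
        value = auth_params if name == "authParams" else fields[name]
        out += len(value).to_bytes(2, "big") + value
    return out


def compute_mac(key: bytes, fields: dict) -> bytes:
    """Full HMAC-SHA1 over the message with authParameters zeroed, as RFC 3414 6.3.1 prescribes."""
    return hmac.new(key, serialize(fields, b"\x00" * AUTH_PARAM_LEN), hashlib.sha1).digest()


def sign(key: bytes, fields: dict) -> bytes:
    """What a legitimate sender puts in msgAuthenticationParameters: the first 12 MAC octets."""
    return compute_mac(key, fields)[:AUTH_PARAM_LEN]


def verify_vulnerable(key: bytes, fields: dict, received: bytes) -> bool:
    """The CVE-2008-0960 pattern: trust the sender's field length and compare only that many octets."""
    expected = compute_mac(key, fields)[:len(received)]
    return expected == received


def verify_hardened(key: bytes, fields: dict, received: bytes) -> bool:
    """Fixed pattern: the field must be exactly 12 octets, compared in constant time."""
    if len(received) != AUTH_PARAM_LEN:
        return False
    expected = compute_mac(key, fields)[:AUTH_PARAM_LEN]
    return hmac.compare_digest(expected, received)


def count_accepted_one_byte_params(verifier, key: bytes, fields: dict) -> int:
    """Of the 256 possible one-octet authParameters values, how many does the verifier accept?"""
    return sum(1 for b in range(256) if verifier(key, fields, bytes([b])))


KEY = password_to_localized_key(b"maplesyrup", ENGINE_ID)  # RFC 3414 test-vector password

if __name__ == "__main__":
    genuine = sign(KEY, PACKET)
    print("genuine 12-octet MAC accepted by vulnerable/hardened:",
          verify_vulnerable(KEY, PACKET, genuine), verify_hardened(KEY, PACKET, genuine))
    print("1-octet values accepted, vulnerable:", count_accepted_one_byte_params(verify_vulnerable, KEY, PACKET))
    print("1-octet values accepted, hardened:  ", count_accepted_one_byte_params(verify_hardened, KEY, PACKET))
    print("empty field accepted, vulnerable:", verify_vulnerable(KEY, PACKET, b""))
```

Run directly, the script shows that both verifiers accept a genuine 12-octet MAC, that the truncating verifier accepts exactly one of the 256 possible one-octet values (a 1-in-256 chance per forged packet, which is why the summary calls the bypass easy) and accepts an empty field unconditionally, while the fixed verifier accepts none of them and leaves a forger with a 1-in-2^96 guess. On an agent that rejects such packets, each rejection increments usmStatsWrongDigests in the SNMP-USER-BASED-SM-MIB (RFC 3414), so a sudden climb in that counter, or a burst of SNMPv3 authentication failures from one source on UDP port 161, is the signal to watch for while affected agents are being updated.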
Common Attack Pattern Enumeration and Classification (CAPEC)
- Authentication Abuse An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more precisely, in whatever the server believes to be the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server so that direct communication with the server is possible while the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Utilizing REST's Trust in the System Resource to Register Man in the Middle This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to place a man in the middle once SSL is terminated. The premise of REST applications is that they leverage existing infrastructure to deliver web services functionality. An example of this is a REST application that uses HTTP GET methods and receives an HTTP response with an XML document. These REST-style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately, from a security standpoint there is frequently no interoperable identity security mechanism deployed, so REST developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network, at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can use a sniffer such as Wireshark to capture the credentials, such as username and password, that are passed in the clear once SSL is terminated. Once the attacker has gathered these credentials, they can submit requests to the web service provider just as an authorized user does. There is typically no authentication on the client side beyond what is passed in the request itself, so once this is compromised it is generally sufficient to compromise the service's authentication scheme.
- Man in the Middle Attack This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent, leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identity between two components.
Exploit-DB

| field | value |
|---|---|
| description | SNMPv3 HMAC validation error Remote Authentication Bypass Exploit. CVE-2008-0960. Remote exploits for multiple platform |
| file | exploits/multiple/remote/5790.txt |
| id | EDB-ID:5790 |
| last seen | 2016-01-31 |
| modified | 2008-06-12 |
| platform | multiple |
| port | 161 |
| published | 2008-06-12 |
| reporter | Maurizio Agazzini |
| source | https://www.exploit-db.com/download/5790/ |
| title | SNMPv3 - HMAC validation error Remote Authentication Bypass Exploit |
| type | remote |
Nessus
| field | value |
|---|---|
| NASL family | CentOS Local Security Checks |
| NASL id | CENTOS_RHSA-2008-0529.NASL |
| description | Updated net-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Simple Network Management Protocol (SNMP) is a protocol used for network management. A flaw was found in the way Net-SNMP checked an SNMPv3 packet |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 33142 |
| published | 2008-06-12 |
| reporter | This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/33142 |
| title | CentOS 3 / 4 / 5 : net-snmp (CESA-2008:0529) |

code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2008:0529 and
# CentOS Errata and Security Advisory 2008:0529 respectively.
#

include("compat.inc");

if (description)
{
  script_id(33142);
  script_version("1.23");
  script_cvs_date("Date: 2019/10/25 13:36:04");

  script_cve_id("CVE-2008-0960", "CVE-2008-2292");
  script_bugtraq_id(29212, 29623);
  script_xref(name:"RHSA", value:"2008:0529");

  script_name(english:"CentOS 3 / 4 / 5 : net-snmp (CESA-2008:0529)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated net-snmp packages that fix a security issue are now available
for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the
Red Hat Security Response Team.

The Simple Network Management Protocol (SNMP) is a protocol used for
network management.

A flaw was found in the way Net-SNMP checked an SNMPv3 packet's
Keyed-Hash Message Authentication Code (HMAC). An attacker could use
this flaw to spoof an authenticated SNMPv3 packet. (CVE-2008-0960)

A buffer overflow was found in the Perl bindings for Net-SNMP. This
could be exploited if an attacker could convince an application using
the Net-SNMP Perl module to connect to a malicious SNMP agent.
(CVE-2008-2292)

All users of net-snmp should upgrade to these updated packages, which
contain backported patches to resolve these issues."
  );
  # https://lists.centos.org/pipermail/centos-announce/2008-June/014970.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?6ce0318a"
  );
  # https://lists.centos.org/pipermail/centos-announce/2008-June/014971.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d46f8e65"
  );
  # https://lists.centos.org/pipermail/centos-announce/2008-June/014980.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0b76e169"
  );
  # https://lists.centos.org/pipermail/centos-announce/2008-June/014983.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0ce8c587"
  );
  # https://lists.centos.org/pipermail/centos-announce/2008-June/015014.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9e04fe41"
  );
  # https://lists.centos.org/pipermail/centos-announce/2008-June/015015.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b05a3829"
  );
  # https://lists.centos.org/pipermail/centos-announce/2008-June/015040.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7dcbf0ab"
  );
  # https://lists.centos.org/pipermail/centos-announce/2008-June/015041.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?170e07e5"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected net-snmp packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(119, 287);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:net-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:net-snmp-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:net-snmp-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:net-snmp-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:net-snmp-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/05/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x / 5.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

flag = 0;
if (rpm_check(release:"CentOS-3", reference:"net-snmp-5.0.9-2.30E.24")) flag++;
if (rpm_check(release:"CentOS-3", reference:"net-snmp-devel-5.0.9-2.30E.24")) flag++;
if (rpm_check(release:"CentOS-3", reference:"net-snmp-libs-5.0.9-2.30E.24")) flag++;
if (rpm_check(release:"CentOS-3", reference:"net-snmp-perl-5.0.9-2.30E.24")) flag++;
if (rpm_check(release:"CentOS-3", reference:"net-snmp-utils-5.0.9-2.30E.24")) flag++;

if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"net-snmp-5.1.2-11.el4_6.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"net-snmp-5.1.2-11.c4.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"net-snmp-5.1.2-11.el4_6.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"net-snmp-devel-5.1.2-11.el4_6.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"net-snmp-devel-5.1.2-11.c4.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"net-snmp-devel-5.1.2-11.el4_6.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"net-snmp-libs-5.1.2-11.el4_6.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"net-snmp-libs-5.1.2-11.c4.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"net-snmp-libs-5.1.2-11.el4_6.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"net-snmp-perl-5.1.2-11.el4_6.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"net-snmp-perl-5.1.2-11.c4.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"net-snmp-perl-5.1.2-11.el4_6.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"net-snmp-utils-5.1.2-11.el4_6.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"net-snmp-utils-5.1.2-11.c4.11.3")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"net-snmp-utils-5.1.2-11.el4_6.11.3")) flag++;

if (rpm_check(release:"CentOS-5", reference:"net-snmp-5.3.1-24.el5_2.1")) flag++;
if (rpm_check(release:"CentOS-5", reference:"net-snmp-devel-5.3.1-24.el5_2.1")) flag++;
if (rpm_check(release:"CentOS-5", reference:"net-snmp-libs-5.3.1-24.el5_2.1")) flag++;
if (rpm_check(release:"CentOS-5", reference:"net-snmp-perl-5.3.1-24.el5_2.1")) flag++;
if (rpm_check(release:"CentOS-5", reference:"net-snmp-utils-5.3.1-24.el5_2.1")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "net-snmp / net-snmp-devel / net-snmp-libs / net-snmp-perl / etc");
}
```
| field | value |
|---|---|
| NASL family | Debian Local Security Checks |
| NASL id | DEBIAN_DSA-1663.NASL |
| description | Several vulnerabilities have been discovered in NET SNMP, a suite of Simple Network Management Protocol applications. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-0960 Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length, which allows spoofing of authenticated SNMPv3 packets. - CVE-2008-2292 John Kortink reported a buffer overflow in the __snprint_value function in snmp_get causing a denial of service and potentially allowing the execution of arbitrary code via a large OCTETSTRING in an attribute value pair (AVP). - CVE-2008-4309 It was reported that an integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c allows remote attackers to cause a denial of service attack via a crafted SNMP GETBULK request. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 34720 |
| published | 2008-11-09 |
| reporter | This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/34720 |
| title | Debian DSA-1663-1 : net-snmp - several vulnerabilities |

code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1663. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(34720);
  script_version("1.22");
  script_cvs_date("Date: 2019/08/02 13:32:21");

  script_cve_id("CVE-2008-0960", "CVE-2008-2292", "CVE-2008-4309");
  script_bugtraq_id(29212, 29623, 32020);
  script_xref(name:"DSA", value:"1663");

  script_name(english:"Debian DSA-1663-1 : net-snmp - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several vulnerabilities have been discovered in NET SNMP, a suite of
Simple Network Management Protocol applications. The Common
Vulnerabilities and Exposures project identifies the following
problems :

  - CVE-2008-0960
    Wes Hardaker reported that the SNMPv3 HMAC verification
    relies on the client to specify the HMAC length, which
    allows spoofing of authenticated SNMPv3 packets.

  - CVE-2008-2292
    John Kortink reported a buffer overflow in the
    __snprint_value function in snmp_get causing a denial of
    service and potentially allowing the execution of
    arbitrary code via a large OCTETSTRING in an attribute
    value pair (AVP).

  - CVE-2008-4309
    It was reported that an integer overflow in the
    netsnmp_create_subtree_cache function in
    agent/snmp_agent.c allows remote attackers to cause a
    denial of service attack via a crafted SNMP GETBULK
    request."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=485945"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482333"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504150"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-0960"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-2292"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-4309"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2008/dsa-1663"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the net-snmp package.

For the stable distribution (etch), these problems has been fixed in
version 5.2.3-7etch4."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(20, 119, 287);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:net-snmp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"4.0", prefix:"libsnmp-base", reference:"5.2.3-7etch4")) flag++;
if (deb_check(release:"4.0", prefix:"libsnmp-perl", reference:"5.2.3-7etch4")) flag++;
if (deb_check(release:"4.0", prefix:"libsnmp9", reference:"5.2.3-7etch4")) flag++;
if (deb_check(release:"4.0", prefix:"libsnmp9-dev", reference:"5.2.3-7etch4")) flag++;
if (deb_check(release:"4.0", prefix:"snmp", reference:"5.2.3-7etch4")) flag++;
if (deb_check(release:"4.0", prefix:"snmpd", reference:"5.2.3-7etch4")) flag++;
if (deb_check(release:"4.0", prefix:"tkmib", reference:"5.2.3-7etch4")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
| field | value |
|---|---|
| NASL family | HP-UX Local Security Checks |
| NASL id | HPUX_PHSS_39887.NASL |
| description | s700_800 11.X OV EMANATE15.3 IA-64 Consolidated Patch 6 : A potential vulnerability has been identified with HP OpenView SNMP Emanate Master Agent Running on HP-UX, Linux, Solaris, and Windows. The vulnerability could be exploited remotely to gain unauthorized access. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 47754 |
| published | 2010-07-19 |
| reporter | This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/47754 |
| title | HP-UX PHSS_39887 : HP OpenView SNMP Emanate Master Agent Remote Unauthorized Access (HPSBMA02439 SSRT080082 rev.3) |

code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and patch checks in this plugin were
# extracted from HP patch PHSS_39887. The text itself is
# copyright (C) Hewlett-Packard Development Company, L.P.
#

include("compat.inc");

if (description)
{
  script_id(47754);
  script_version("1.26");
  script_cvs_date("Date: 2018/07/12 19:01:15");

  script_cve_id("CVE-2008-0960");
  script_bugtraq_id(29623);
  script_xref(name:"HP", value:"emr_na-c01757418");
  script_xref(name:"HP", value:"SSRT080082");

  script_name(english:"HP-UX PHSS_39887 : HP OpenView SNMP Emanate Master Agent Remote Unauthorized Access (HPSBMA02439 SSRT080082 rev.3)");
  script_summary(english:"Checks for the patch in the swlist output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote HP-UX host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"s700_800 11.X OV EMANATE15.3 IA-64 Consolidated Patch 6 :

A potential vulnerability has been identified with HP OpenView SNMP
Emanate Master Agent Running on HP-UX, Linux, Solaris, and Windows.
The vulnerability could be exploited remotely to gain unauthorized
access."
  );
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01757418
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5cc54a7f"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Install patch PHSS_39887 or subsequent."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(287);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/08/21");
  script_set_attribute(attribute:"patch_modification_date", value:"2010/07/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
  script_family(english:"HP-UX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("hpux.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);

if (!hpux_check_ctx(ctx:"11.23 11.31", proc:"ia64"))
{
  exit(0, "The host is not affected since PHSS_39887 applies to a different OS release / architecture.");
}

patches = make_list("PHSS_39887", "PHSS_41033", "PHSS_41557", "PHSS_42776", "PHSS_43175", "PHSS_43647", "PHSS_43818", "PHSS_44265");
foreach patch (patches)
{
  if (hpux_installed(app:patch))
  {
    exit(0, "The host is not affected because patch "+patch+" is installed.");
  }
}

flag = 0;
if (hpux_check_patch(app:"OVSNMPAgent.MASTER", version:"B.11.23")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.MASTER", version:"B.11.23.01")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.MASTER", version:"B.11.31")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.MASTER", version:"B.11.31.01")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SNMP-ENG-A-MAN", version:"B.11.23")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SNMP-ENG-A-MAN", version:"B.11.23.01")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SNMP-ENG-A-MAN", version:"B.11.31")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SNMP-ENG-A-MAN", version:"B.11.31.01")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-HPUNIX", version:"B.11.23")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-HPUNIX", version:"B.11.23.01")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-HPUNIX", version:"B.11.31")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-HPUNIX", version:"B.11.31.01")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-MIB2", version:"B.11.23")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-MIB2", version:"B.11.23.01")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-MIB2", version:"B.11.31")) flag++;
if (hpux_check_patch(app:"OVSNMPAgent.SUBAGT-MIB2", version:"B.11.31.01")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family Fedora Local Security Checks NASL id FEDORA_2008-5215.NASL description - Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-18 - explicitly require lm_sensor > 3 for build (#442718) - fix various flaws (CVE-2008-2292 CVE-2008-0960) - Sat May 31 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-17 - fix sparc handling in /usr/bin/net-snmp-config - Thu May 29 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-16 - fix /usr/include/net-snmp-config.h for sparc - Sun May 25 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-15 - sparc multilib handling Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 33146 published 2008-06-12 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33146 title Fedora 9 : net-snmp-5.4.1-18.fc9 (2008-5215) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0529.NASL description From Red Hat Security Advisory 2008:0529 : Updated net-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Simple Network Management Protocol (SNMP) is a protocol used for network management. A flaw was found in the way Net-SNMP checked an SNMPv3 packet last seen 2020-06-01 modified 2020-06-02 plugin id 67708 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/67708 title Oracle Linux 3 / 4 / 5 : net-snmp (ELSA-2008-0529) NASL family Fedora Local Security Checks NASL id FEDORA_2008-9362.NASL description - Mon Jun 23 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-8 - explicitly require the right version and release of net-snmp and net-snmp-libs (#451225) - fix CVE-2008-4309 - Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-7 - fix various flaws (CVE-2008-2292 CVE-2008-0960) - Thu Feb 14 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-6 - fixing ipNetToMediaNetAddress to show IP address (#432780) - Thu Nov 15 2007 Jan Safranek <jsafranek at redhat.com> 5.4.1-5 - added procps to build dependencies (#380321) - fix crash on reading xen interfaces (#386611) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 34703 published 2008-11-06 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/34703 title Fedora 8 : net-snmp-5.4.1-8.fc8 (2008-9362) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0017_NET-SNMP.NASL description The remote NewStart CGSL host, running version MAIN 5.04, has net-snmp packages installed that are affected by multiple vulnerabilities: - SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte. (CVE-2008-0960) - Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP). (CVE-2008-2292) - Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. 
(CVE-2008-4309) - The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp 5.0.9 through 5.4.2.1, when using TCP wrappers for client authorization, does not properly parse hosts.allow rules, which allows remote attackers to bypass intended access restrictions and execute SNMP queries, related to source/destination IP address confusion. (CVE-2008-6123) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127171 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127171 title NewStart CGSL MAIN 5.04 : net-snmp Multiple Vulnerabilities (NS-SA-2019-0017) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2008-0017.NASL description a. Updated ESX Service Console package libxml2 A denial of service flaw was found in the way libxml2 processes certain content. If an application that is linked against libxml2 processes malformed XML content, the XML content might cause the application to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3281 to this issue. Additionally the following was also fixed, but was missing in the security advisory. A heap-based buffer overflow flaw was found in the way libxml2 handled long XML entity names. If an application linked against libxml2 processed untrusted malformed XML content, it could cause the application to crash or, possibly, execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3529 to this issue. b. Updated ESX Service Console package ucd-snmp A flaw was found in the way ucd-snmp checks an SNMPv3 packet last seen 2020-06-01 modified 2020-06-02 plugin id 40384 published 2009-07-27 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/40384 title VMSA-2008-0017 : Updated ESX packages for libxml2, ucd-snmp, libtiff NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0528.NASL description Updated ucd-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Simple Network Management Protocol (SNMP) is a protocol used for network management. A flaw was found in the way ucd-snmp checked an SNMPv3 packet last seen 2020-06-01 modified 2020-06-02 plugin id 33156 published 2008-06-12 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33156 title RHEL 2.1 : ucd-snmp (RHSA-2008:0528) NASL family CISCO NASL id CISCO-SA-20080610-SNMPV3-IOSXR.NASL description Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. The vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document. Note: SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044. last seen 2019-10-28 modified 2013-12-14 plugin id 71433 published 2013-12-14 reporter This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/71433 title SNMP Version 3 Authentication Vulnerabilities (cisco-sa-20080610-snmpv3) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL8939.NASL description SNMPv3 HMAC verification relies on the client to specify the HMAC length. This flexibility allows remote attackers to bypass SNMP authentication by specifying a length value of 1, which only checks the first byte. last seen 2020-06-01 modified 2020-06-02 plugin id 78225 published 2014-10-10 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78225 title F5 Networks BIG-IP : SNMPv3 HMAC verification vulnerability (SOL8939) NASL family Solaris Local Security Checks NASL id SOLARIS10_120272.NASL description SunOS 5.10: SMA patch. Date this patch was last updated by Sun : May/11/17 This plugin has been deprecated and either replaced with individual 120272 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 25272 published 2007-05-20 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=25272 title Solaris 10 (sparc) : 120272-40 (deprecated) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-685-1.NASL description Wes Hardaker discovered that the SNMP service did not correctly validate HMAC authentication requests. An unauthenticated remote attacker could send specially crafted SNMPv3 traffic with a valid username and gain access to the user last seen 2020-06-01 modified 2020-06-02 plugin id 38099 published 2009-04-23 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/38099 title Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : net-snmp vulnerabilities (USN-685-1) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-118.NASL description A vulnerability was found in how Net-SNMP checked an SNMPv3 packet last seen 2020-06-01 modified 2020-06-02 plugin id 37050 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37050 title Mandriva Linux Security Advisory : net-snmp (MDVSA-2008:118) NASL family SuSE Local Security Checks NASL id SUSE9_12204.NASL description This security update of net-snmp fixes a denial of service vulnerability (CVE-2008-2292), an authentication bypass (CVE-2008-0960) and several memory leaks. In addition net-snmp was patched to allow customization of the agent address set. last seen 2020-06-01 modified 2020-06-02 plugin id 41223 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41223 title SuSE9 Security Update : net-snmp (YOU Patch Number 12204) NASL family Fedora Local Security Checks NASL id FEDORA_2008-5224.NASL description - Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4-18 - fix various flaws (CVE-2008-2292 CVE-2008-0960) - Thu Feb 14 2008 Jan Safranek <jsafranek at redhat.com> 5.4-17 - fixing ipNetToMediaNetAddress to show IP address (#432780) - Fri Oct 19 2007 Jan Safranek <jsafranek at redhat.com> 5.4-16 - License: field fixed to last seen 2020-06-01 modified 2020-06-02 plugin id 33148 published 2008-06-12 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/33148 title Fedora 7 : net-snmp-5.4-18.fc7 (2008-5224) NASL family CISCO NASL id CISCO-SA-20080610-SNMPV3HTTP.NASL description Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document. Note: SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044. last seen 2019-10-28 modified 2010-09-01 plugin id 49016 published 2010-09-01 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49016 title SNMP Version 3 Authentication Vulnerabilities (cisco-sa-20080610-snmpv3) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2008-0013.NASL description I Security Issues a. OpenSSL Binaries Updated This fix updates the third-party OpenSSL library. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108 and CVE-2007-5135 to the issues addressed by this update. II Service Console rpm updates a. net-snmp Security update This fix upgrades the service console rpm for net-snmp to version net-snmp-5.0.9-2.30E.24. Note: this update is relevant for ESX 3.0.3. The initial advisory incorrectly stated that this update was present in ESX 3.0.3 when it was released on August 8, 2008. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-2292 and CVE-2008-0960 to the issues addressed in net-snmp-5.0.9-2.30E.24. b. perl Security update This fix upgrades the service console rpm for perl to version perl-5.8.0-98.EL3. Note: this update is relevant for ESX 3.0.3. The initial advisory incorrectly stated that this update was present in ESX 3.0.3 when it was released on August 8, 2008. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1927 to the issue addressed in perl-5.8.0-98.EL3. last seen 2020-06-01 modified 2020-06-02 plugin id 40381 published 2009-07-27 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40381 title VMSA-2008-0013 : Updated ESX packages for OpenSSL, net-snmp, perl NASL family SuSE Local Security Checks NASL id SUSE_11_0_LIBSNMP15-080706.NASL description This security update fixes a denial of service vulnerability and an authentication bypass (CVE-2008-2292, CVE-2008-0960). last seen 2020-06-01 modified 2020-06-02 plugin id 40045 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40045 title openSUSE Security Update : libsnmp15 (libsnmp15-87) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0529.NASL description Updated net-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Simple Network Management Protocol (SNMP) is a protocol used for network management. A flaw was found in the way Net-SNMP checked an SNMPv3 packet last seen 2020-06-01 modified 2020-06-02 plugin id 33157 published 2008-06-12 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/33157 title RHEL 3 / 4 / 5 : net-snmp (RHSA-2008:0529) NASL family Fedora Local Security Checks NASL id FEDORA_2008-5218.NASL description - Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-7 - fix various flaws (CVE-2008-2292 CVE-2008-0960) - Thu Feb 14 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-6 - fixing ipNetToMediaNetAddress to show IP address (#432780) - Thu Nov 15 2007 Jan Safranek <jsafranek at redhat.com> 5.4.1-5 - added procps to build dependencies (#380321) - fix crash on reading xen interfaces (#386611) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 33147 published 2008-06-12 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33147 title Fedora 8 : net-snmp-5.4.1-7.fc8 (2008-5218) NASL family Solaris Local Security Checks NASL id SOLARIS10_120272-31.NASL description SunOS 5.10: SMA patch. Date this patch was last updated by Sun : Jun/30/11 last seen 2020-06-01 modified 2020-06-02 plugin id 107359 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107359 title Solaris 10 (sparc) : 120272-31 NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2008-210-07.NASL description New net-snmp packages are available for Slackware 12.0, 12.1, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 33752 published 2008-07-29 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/33752 title Slackware 12.0 / 12.1 / current : net-snmp (SSA:2008-210-07) NASL family SNMP NASL id SNMPV3_AUTHENTICATION_BYPASS.NASL description SNMPv3 HMAC verification relies on the client to specify the HMAC length. This makes it possible for remote attackers to bypass SNMP authentication via repeated attempts with a HMAC length value of 1, which causes only the first byte of the authentication hash to be checked. This issue affects SNMP implementations from multiple vendors. last seen 2020-06-01 modified 2020-06-02 plugin id 40449 published 2009-07-31 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40449 title Multiple Vendor HMAC Authentication SNMPv3 Authentication Bypass NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_39886.NASL description s700_800 11.X OV EMANATE15.3 PA-RISC Consolidated Patch 6 : A potential vulnerability has been identified with HP OpenView SNMP Emanate Master Agent Running on HP-UX, Linux, Solaris, and Windows. The vulnerability could be exploited remotely to gain unauthorized access. last seen 2020-06-01 modified 2020-06-02 plugin id 47753 published 2010-07-19 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47753 title HP-UX PHSS_39886 : HP OpenView SNMP Emanate Master Agent Remote Unauthorized Access (HPSBMA02439 SSRT080082 rev.3) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200808-02.NASL description The remote host is affected by the vulnerability described in GLSA-200808-02 (Net-SNMP: Multiple vulnerabilities) Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length (CVE-2008-0960). John Kortink reported a buffer overflow in the Perl bindings of Net-SNMP when processing the OCTETSTRING in an attribute value pair (AVP) received by an SNMP agent (CVE-2008-2292). 
Impact : An attacker could send SNMPv3 packets to an instance of snmpd providing a valid user name and an HMAC length value of 1, and easily conduct brute-force attacks to bypass SNMP authentication. An attacker could further entice a user to connect to a malicious SNMP agent with an SNMP client using the Perl bindings, possibly resulting in the execution of arbitrary code. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 33832 published 2008-08-07 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33832 title GLSA-200808-02 : Net-SNMP: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_NET-SNMP-5422.NASL description This security update of net-snmp fixes a denial of service vulnerability (CVE-2008-2292), an authentication bypass (CVE-2008-0960) and several memory leaks. In addition net-snmp was patched to allow customization of the agent address set. last seen 2020-06-01 modified 2020-06-02 plugin id 33787 published 2008-08-01 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33787 title SuSE 10 Security Update : net-snmp (ZYPP Patch Number 5422) NASL family Scientific Linux Local Security Checks NASL id SL_20080610_NET_SNMP_ON_SL3_X.NASL description A flaw was found in the way Net-SNMP checked an SNMPv3 packet last seen 2020-06-01 modified 2020-06-02 plugin id 60419 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60419 title Scientific Linux Security Update : net-snmp on SL3.x, SL4.x, SL5.x i386/x86_64 NASL family MacOS X Local Security Checks NASL id MACOSX_10_5_4.NASL description The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.4. 
Mac OS X 10.5.4 contains security fixes for multiple components. last seen 2020-06-01 modified 2020-06-02 plugin id 33281 published 2008-07-01 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33281 title Mac OS X 10.5.x < 10.5.4 Multiple Vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2008-9367.NASL description - Tue Jul 22 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-19 - fix perl SNMP::Session::set (#452131) - support interface names longer than 8 characters (#468045) - explicitly require the right version and release of net-snmp and net-snmp-libs - fix CVE-2008-4309 - Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-18 - explicitly require lm_sensor > 3 for build (#442718) - fix various flaws (CVE-2008-2292 CVE-2008-0960) - Sat May 31 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-17 - fix sparc handling in /usr/bin/net-snmp-config - Thu May 29 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-16 - fix /usr/include/net-snmp-config.h for sparc - Sun May 25 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-15 - sparc multilib handling Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 34704 published 2008-11-06 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/34704 title Fedora 9 : net-snmp-5.4.1-19.fc9 (2008-9367) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_120273.NASL description SunOS 5.10_x86: SMA patch. Date this patch was last updated by Sun : May/11/17 This plugin has been deprecated and either replaced with individual 120273 patch-revision plugins, or deemed non-security related. 
last seen 2019-02-21 modified 2018-07-30 plugin id 25391 published 2007-06-04 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=25391 title Solaris 10 (x86) : 120273-42 (deprecated) NASL family SuSE Local Security Checks NASL id SUSE_LIBSNMP15-5418.NASL description This security update fixes a denial of service vulnerability and an authentication bypass (CVE-2008-2292, CVE-2008-0960). last seen 2020-06-01 modified 2020-06-02 plugin id 33786 published 2008-08-01 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33786 title openSUSE 10 Security Update : libsnmp15 (libsnmp15-5418) NASL family CISCO NASL id CISCO-SA-20080610-SNMPV3-NXOS.NASL description Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document. Note: SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044. last seen 2020-06-01 modified 2020-06-02 plugin id 66697 published 2013-05-31 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/66697 title SNMP Version 3 Authentication Bypass Vulnerabilities (cisco-sa-20080610-snmpv3) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_120273-33.NASL description SunOS 5.10_x86: SMA patch. Date this patch was last updated by Sun : Jun/29/11 last seen 2020-06-01 modified 2020-06-02 plugin id 107861 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107861 title Solaris 10 (x86) : 120273-33 NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2008-004.NASL description The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-004 applied. This update contains security fixes for a number of programs. last seen 2020-06-01 modified 2020-06-02 plugin id 33282 published 2008-07-01 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33282 title Mac OS X Multiple Vulnerabilities (Security Update 2008-004)
Oval
accepted 2013-04-29T04:09:04.048-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 3 oval oval:org.mitre.oval:def:11782 comment CentOS Linux 3.x oval oval:org.mitre.oval:def:16651 comment The operating system installed on the system is Red Hat Enterprise Linux 4 oval oval:org.mitre.oval:def:11831 comment CentOS Linux 4.x oval oval:org.mitre.oval:def:16636 comment Oracle Linux 4.x oval oval:org.mitre.oval:def:15990 comment The operating system installed on the system is Red Hat Enterprise Linux 5 oval oval:org.mitre.oval:def:11414 comment The operating system installed on the system is CentOS Linux 5.x oval oval:org.mitre.oval:def:15802 comment Oracle Linux 5.x oval oval:org.mitre.oval:def:15459
description SNMP authentication via a length value of 1, which only checks the first byte. family unix id oval:org.mitre.oval:def:10820 status accepted submitted 2010-07-09T03:56:16-04:00 title SNMP authentication via a length value of 1, which only checks the first byte. version 27 accepted 2010-08-02T04:00:08.371-04:00 class vulnerability contributors name Yuzheng Zhou organization Hewlett-Packard name KASHIF LATIF organization DTCC name David Ries organization JovalCM.com
description Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document. Note: SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 (http://www.kb.cert.org/vuls/id/878044) to these vulnerabilities. Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0960) has also been assigned to these vulnerabilities. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080610-snmpv3. family ios id oval:org.mitre.oval:def:5785 status accepted submitted 2008-05-02T11:06:36.000-04:00 title Multiple Cisco Products Simple Network Management Protocol version 3 Hash Message Authentication Code Manipulation Vulnerability version 7 accepted 2010-05-17T04:00:16.158-04:00 class vulnerability contributors name Michael Wood organization Hewlett-Packard name J. Daniel Brown organization DTCC
definition_extensions comment VMWare ESX Server 3.0.3 is installed oval oval:org.mitre.oval:def:6026 comment VMWare ESX Server 3.0.2 is installed oval oval:org.mitre.oval:def:5613 comment VMware ESX Server 3.5.0 is installed oval oval:org.mitre.oval:def:5887
description SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte. family unix id oval:org.mitre.oval:def:6414 status accepted submitted 2009-09-23T15:39:02.000-04:00 title Net-snmp SNMPv3 Authentication Bug Lets Remote Users Bypass Authentication version 5
Seebug
bulletinFamily exploit description BUGTRAQ ID: 29623 CVE(CAN) ID: CVE-2008-0960

Net-SNMP is a free, open-source SNMP implementation, formerly known as UCD-SNMP.

Net-SNMP's authentication implementation contains a vulnerability that a remote attacker may exploit to bypass authentication and gain access to SNMP objects.

Net-SNMP's authentication code takes the number of bytes to check from the HMAC length specified in the user's input. SNMPv3 authentication is implemented with an HMAC; if the user supplies a single-byte HMAC in the authentication parameters field, only the first byte is checked, so there is a 1/256 probability of matching the correct HMAC and passing authentication, which greatly raises the success rate of brute-force guessing. This vulnerability allows an attacker to read and modify any SNMP object accessible with the authentication credentials used to log in to the system.

Net-SNMP net-snmp 5.4.x
Net-SNMP net-snmp 5.3.x
Net-SNMP net-snmp 5.2.x

Workaround:

The following measures can be applied on Cisco devices:

* Deploy the following infrastructure ACL (iACL):

!--- Permit SNMP UDP 161 packets from
!--- trusted hosts destined to infrastructure addresses.
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 161
!--- Deny SNMP UDP 161 packets from all
!--- other sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
interface serial 2/0
 ip access-group 150 in

* Deploy the following Control Plane Policing (CoPP) configuration:

!--- Deny SNMP UDP traffic from trusted hosts to all IP addresses
!--- configured on all interfaces of the affected device so that
!--- it will be allowed by the CoPP feature
access-list 111 deny udp host 192.168.100.1 any eq 161
!--- Permit all other SNMP UDP traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature
access-list 111 permit udp any any eq 161
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!--- traffic in accordance with existing security policies and
!--- configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
class-map match-all drop-snmpv3-class
 match access-group 111
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
policy-map drop-snmpv3-traffic
 class drop-snmpv3-class
  drop
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
control-plane
 service-policy input drop-snmpv3-traffic

Note that the policy-map syntax differs on the Cisco IOS 12.2S and 12.0S trains:

policy-map drop-snmpv3-traffic
 class drop-snmpv3-class
  police 32000 1500 1500 conform-action drop exceed-action drop

Vendor patches:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20080610-snmpv3) and corresponding patches:
cisco-sa-20080610-snmpv3: SNMP Version 3 Authentication Vulnerabilities
Link: http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

RedHat
------
RedHat has released a security advisory (RHSA-2008:0528-01) and corresponding patches:
RHSA-2008:0528-01: Moderate: ucd-snmp security update
Link: https://www.redhat.com/support/errata/RHSA-2008-0528.html

Net-SNMP
--------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
http://sourceforge.net/projects/net-snmp/

id SSV:3418 last seen 2017-11-19 modified 2008-06-14 published 2008-06-14 reporter Root source https://www.seebug.org/vuldb/ssvid-3418 title Net-SNMP Remote Authentication Bypass Vulnerability
bulletinFamily exploit description No description provided by source. id SSV:17266 last seen 2017-11-19 modified 2008-06-12 published 2008-06-12 reporter Root source https://www.seebug.org/vuldb/ssvid-17266 title SNMPv3 HMAC validation error Remote Authentication Bypass Exploit
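The length-dependent comparison that the advisory above describes, shown as an added C example beside its hardened form. This is a simplified model written for this page, not Net-SNMP's own code: the 12-byte truncated HMAC and the tampered copy are constructed sample values, and the real HMAC computation is left out because the defect lies entirely in how many bytes the verifier compares.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 3414 truncates both usmHMACMD5AuthProtocol and usmHMACSHAAuthProtocol
 * output to 12 bytes, so a valid msgAuthenticationParameters field is
 * always exactly this long. */
#define USM_AUTH_PARAM_LEN 12

typedef int (*hmac_verifier)(const uint8_t *expected, size_t expected_len,
                             const uint8_t *received, size_t received_len);

/* Vulnerable pattern (model of CVE-2008-0960): the number of bytes compared
 * is taken from the length of the field the sender supplied, so a one-byte
 * field is accepted whenever its single byte matches. */
int verify_hmac_vulnerable(const uint8_t *expected, size_t expected_len,
                           const uint8_t *received, size_t received_len)
{
    if (received_len > expected_len)
        return 0;
    return memcmp(expected, received, received_len) == 0;
}

/* Hardened form: the field must be exactly 12 bytes, and all 12 bytes are
 * compared without early exit so the comparison time does not leak a prefix. */
int verify_hmac_fixed(const uint8_t *expected, size_t expected_len,
                      const uint8_t *received, size_t received_len)
{
    if (expected_len != USM_AUTH_PARAM_LEN || received_len != USM_AUTH_PARAM_LEN)
        return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < USM_AUTH_PARAM_LEN; i++)
        diff |= expected[i] ^ received[i];
    return diff == 0;
}

/* How many of the 256 possible one-byte fields does a verifier accept?
 * 1 for the vulnerable check (the 1/256 figure in the advisory), 0 for the fix. */
unsigned count_accepted_single_byte(hmac_verifier verify, const uint8_t *expected)
{
    unsigned accepted = 0;
    for (unsigned b = 0; b < 256; b++) {
        uint8_t field = (uint8_t)b;
        if (verify(expected, USM_AUTH_PARAM_LEN, &field, 1))
            accepted++;
    }
    return accepted;
}

/* Constructed sample: the truncated HMAC the agent computed for a message. */
const uint8_t SAMPLE_EXPECTED[USM_AUTH_PARAM_LEN] = {
    0x5a, 0x13, 0xc7, 0x08, 0x9e, 0x21, 0xd4, 0x66, 0x3b, 0xaf, 0x70, 0x0c
};

/* Constructed sample: same value with the last byte altered. */
const uint8_t SAMPLE_TAMPERED[USM_AUTH_PARAM_LEN] = {
    0x5a, 0x13, 0xc7, 0x08, 0x9e, 0x21, 0xd4, 0x66, 0x3b, 0xaf, 0x70, 0x0d
};

int main(void)
{
    printf("vulnerable verifier accepts %u of 256 one-byte fields\n",
           count_accepted_single_byte(verify_hmac_vulnerable, SAMPLE_EXPECTED));
    printf("fixed verifier accepts %u of 256 one-byte fields\n",
           count_accepted_single_byte(verify_hmac_fixed, SAMPLE_EXPECTED));
    printf("fixed verifier, full-length tampered field: %d\n",
           verify_hmac_fixed(SAMPLE_EXPECTED, USM_AUTH_PARAM_LEN,
                             SAMPLE_TAMPERED, USM_AUTH_PARAM_LEN));
    return 0;
}
```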
References
- http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
- http://lists.ingate.com/pipermail/productinfo/2008/000021.html
- http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00000.html
- http://marc.info/?l=bugtraq&m=127730470825399&w=2
- http://rhn.redhat.com/errata/RHSA-2008-0528.html
- http://secunia.com/advisories/30574
- http://secunia.com/advisories/30596
- http://secunia.com/advisories/30612
- http://secunia.com/advisories/30615
- http://secunia.com/advisories/30626
- http://secunia.com/advisories/30647
- http://secunia.com/advisories/30648
- http://secunia.com/advisories/30665
- http://secunia.com/advisories/30802
- http://secunia.com/advisories/31334
- http://secunia.com/advisories/31351
- http://secunia.com/advisories/31467
- http://secunia.com/advisories/31568
- http://secunia.com/advisories/32664
- http://secunia.com/advisories/33003
- http://secunia.com/advisories/35463
- http://security.gentoo.org/glsa/glsa-200808-02.xml
- http://securityreason.com/securityalert/3933
- http://sourceforge.net/forum/forum.php?forum_id=833770
- http://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-238865-1
- http://support.apple.com/kb/HT2163
- http://support.avaya.com/elmodocs2/security/ASA-2008-282.htm
- http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
- http://www.debian.org/security/2008/dsa-1663
- http://www.kb.cert.org/vuls/id/878044
- http://www.kb.cert.org/vuls/id/CTAR-7FBS8Q
- http://www.kb.cert.org/vuls/id/MIMG-7ETS5Z
- http://www.kb.cert.org/vuls/id/MIMG-7ETS87
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:118
- http://www.ocert.org/advisories/ocert-2008-006.html
- http://www.openwall.com/lists/oss-security/2008/06/09/1
- http://www.redhat.com/support/errata/RHSA-2008-0529.html
- http://www.securityfocus.com/archive/1/493218/100/0/threaded
- http://www.securityfocus.com/archive/1/497962/100/0/threaded
- http://www.securityfocus.com/bid/29623
- http://www.securitytracker.com/id?1020218
- http://www.ubuntu.com/usn/usn-685-1
- http://www.us-cert.gov/cas/techalerts/TA08-162A.html
- http://www.vmware.com/security/advisories/VMSA-2008-0013.html
- http://www.vmware.com/security/advisories/VMSA-2008-0017.html
- http://www.vupen.com/english/advisories/2008/1787/references
- http://www.vupen.com/english/advisories/2008/1788/references
- http://www.vupen.com/english/advisories/2008/1797/references
- http://www.vupen.com/english/advisories/2008/1800/references
- http://www.vupen.com/english/advisories/2008/1801/references
- http://www.vupen.com/english/advisories/2008/1836/references
- http://www.vupen.com/english/advisories/2008/1981/references
- http://www.vupen.com/english/advisories/2008/2361
- http://www.vupen.com/english/advisories/2008/2971
- http://www.vupen.com/english/advisories/2009/1612
- https://bugzilla.redhat.com/show_bug.cgi?id=447974
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10820
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5785
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6414
- https://www.exploit-db.com/exploits/5790
- https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00363.html
- https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00380.html
- https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00459.html