This is the mail archive of the ecos-patches@sourceware.org mailing list for the eCos project.



Fix SNMP vulnerability (CERT/CC VU#481564)


I've applied the attached patch which fixes the below vulnerability:
-=-=-=-=-=-=-=-=-=-
oCERT has been contacted today (6 June 2008) by CERT/CC regarding a
vulnerability affecting SNMP implementations.
[snip]
The vulnerability has been assigned CVE-2008-0960, and it is being tracked
by CERT/CC as VU#481564.
[snip]
The issue is known to affect Net-SNMP and UCD-SNMP. No versions have been
specified. Other SNMP implementations may also be affected.
[snip]
According to net-snmp project:

"The quick technical summary is that the SNMPv3 packet contains a
truncated HMAC authentication code.  The author that wrote the code
very very long ago to check that HMAC code used the length of the
packet's version of the HMAC code to do the check.  Thus if you send a
single byte HMAC code, it'll only check it against the first byte of
HMAC output.  Thus it's fairly easy to spoof an authenticated SNMPv3
packet.
-=-=-=-=-=-=-=-=-=-

Jifl
-- 
eCosCentric Limited      http://www.eCosCentric.com/     The eCos experts
Barnwell House, Barnwell Drive, Cambridge, UK.       Tel: +44 1223 245571
Registered in England and Wales: Reg No 4422071.
------["Si fractum non sit, noli id reficere"]------       Opinions==mine
Index: ChangeLog
===================================================================
RCS file: /cvs/ecos/ecos-opt/snmp/lib/current/ChangeLog,v
retrieving revision 1.14
diff -u -5 -p -r1.14 ChangeLog
--- ChangeLog	27 Jul 2006 12:00:04 -0000	1.14
+++ ChangeLog	11 Jun 2008 13:12:34 -0000
@@ -1,5 +1,9 @@
+2008-06-11  Jonathan Larmour  <jifl@eCosCentric.com>
+
+	* src/scapi.c: Fix CVE-2008-0960 (CERT/CC VU#481564).
+
 2006-07-27  Jonathan Larmour  <jifl@eCosCentric.com>
 
 	* include/config.h (HAVE_GETTIMEOFDAY): Add missing hash (reported
 	by Richard Jennings).
 
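Review bot: The new entry `* src/scapi.c: Fix CVE-2008-0960 (CERT/CC VU#481564).` names neither the function touched nor what the fix does, unlike the 2006-07-27 entry below it, which gives `(HAVE_GETTIMEOFDAY)`. Suggest something like `* src/scapi.c (sc_check_keyed_hash): Reject a MAC whose length is not USM_MD5_AND_SHA_AUTH_LEN. Fixes CVE-2008-0960 (CERT/CC VU#481564).` so the behavioural change can be found from the ChangeLog alone.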
Index: src/scapi.c
===================================================================
RCS file: /cvs/ecos/ecos-opt/snmp/lib/current/src/scapi.c,v
retrieving revision 1.4
diff -u -5 -p -r1.4 scapi.c
--- src/scapi.c	3 Feb 2003 16:34:47 -0000	1.4
+++ src/scapi.c	11 Jun 2008 13:12:35 -0000
@@ -519,10 +519,14 @@ sc_check_keyed_hash(	oid	*authtype,	size
 	{
 		QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
 	}
 
 
+        if (maclen != USM_MD5_AND_SHA_AUTH_LEN) {
+            QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
+        }
+
 	/* 
 	 * Generate a full hash of the message, then compare
 	 * the result with the given MAC which may shorter than
 	 * the full hash length.
 	 */
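Review bot: The added `if (maclen != USM_MD5_AND_SHA_AUTH_LEN)` check has no comment saying why an exact length is required, and the unchanged comment directly after it still says the given MAC "may shorter than the full hash length", which now reads as if shorter MACs were still accepted. Suggest a one-line comment on the check that references CVE-2008-0960, and rewording the existing comment to say the MAC is the full hash truncated to USM_MD5_AND_SHA_AUTH_LEN. The three new lines are also indented with spaces while the surrounding lines in this hunk use tabs.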

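The flaw described in the quoted net-snmp summary, shown beside a strict check, as an added example that is not code from eCos, net-snmp or the patch above. The function names, the `AUTH_LEN` constant (12 octets, the HMAC-MD5-96/HMAC-SHA-96 truncation length from RFC 3414) and the sample digest are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* RFC 3414 truncates the USM MAC to 12 octets; the patch's name for this is
 * USM_MD5_AND_SHA_AUTH_LEN. AUTH_LEN is a local name with an assumed value. */
#define AUTH_LEN 12

/* Flawed pattern: the comparison length comes from the packet itself. */
static int check_mac_flawed(const unsigned char *computed, size_t computed_len,
                            const unsigned char *mac, size_t maclen)
{
    if (maclen > computed_len)
        return -1;
    return memcmp(computed, mac, maclen) == 0 ? 0 : -1;
}

/* Strict pattern: fixed length first, then a constant-time compare. */
static int check_mac_strict(const unsigned char *computed, size_t computed_len,
                            const unsigned char *mac, size_t maclen)
{
    unsigned char diff = 0;
    size_t i;

    if (maclen != AUTH_LEN || computed_len < AUTH_LEN)
        return -1;
    for (i = 0; i < AUTH_LEN; i++)
        diff |= (unsigned char)(computed[i] ^ mac[i]);
    return diff == 0 ? 0 : -1;
}

/* Constructed sample standing in for the receiver's HMAC output. */
static const unsigned char sample_digest[16] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xb6, 0x1d,
    0x70, 0xcf, 0x25, 0x9e, 0x04, 0xab, 0x63, 0xf8
};

/* Returns 1 when a 1-byte MAC passes the flawed check but not the strict one. */
static int demo(void)
{
    unsigned char one_byte[1] = { 0x3a };  /* equals sample_digest[0] only */
    unsigned char full[AUTH_LEN];

    memcpy(full, sample_digest, AUTH_LEN);
    return check_mac_flawed(sample_digest, 16, one_byte, 1) == 0
        && check_mac_strict(sample_digest, 16, one_byte, 1) == -1
        && check_mac_strict(sample_digest, 16, full, AUTH_LEN) == 0;
}
int main(void) { return demo() ? 0 : 1; }
```

With a packet-supplied length, each byte removed from the MAC cuts the number of values a forger must try by a factor of 256, which is why the fix rejects any length other than the full truncated MAC.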