Net-SNMP远程绕过认证漏洞

BUGTRAQ ID: 29623
CVE(CAN) ID: CVE-2008-0960

Net-SNMP是一个免费的、开放源码的SNMP实现，以前称为UCD-SNMP。

Net-SNMP处理认证的实现上存在漏洞，远程攻击者可能利用此漏洞绕过认证获取SNMP对象的访问。

Net-SNMP的认证代码依赖于用户输入中所指定的HMAC长度读取所要检查的长度。SNMPv3的认证是使用HMAC实现的，如果用户在认证代码字段中提供了单字节的HMAC代码的话，由于仅会检查第一个字节，因此就会有1/256的概率匹配正确的HMAC并通过认证，这大大的提高了暴力猜测的成功率。这个漏洞允许攻击者读取和修改任何使用登录系统的认证凭据可访问的SNMP对象。
0
Net-SNMP net-snmp 5.4.x
Net-SNMP net-snmp 5.3.x
Net-SNMP net-snmp 5.2.x
临时解决方法：

在Cisco设备中可应用以下措施：

• 部署以下基础架构ACL（iACL）

  !— Permit SNMP UDP 161 packets from
  !— trusted hosts destined to infrastructure addresses.

  access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 161

  !— Deny SNMP UDP 161 packets from all
  !— other sources destined to infrastructure addresses.

  access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161

  !— Permit/deny all other Layer 3 and Layer 4 traffic in accordance
  !— with existing security policies and configurations
  !— Permit all other traffic to transit the device.

  access-list 150 permit ip any anyinterface serial 2/0ip access-group 150 in

• 部署以下控制面整型（CoPP）

  !— Deny SNMP UDP traffic from trusted hosts to all IP addresses
  !— configured on all interfaces of the affected device so that

  !— it will be allowed by the CoPP feature

  access-list 111 deny udp host 192.168.100.1 any eq 161

  !— Permit all other SNMP UDP traffic sent to all IP addresses
  !— configured on all interfaces of the affected device so that it
  !— will be policed and dropped by the CoPP feature

  access-list 111 permit udp any any eq 161

  !— Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
  !— traffic in accordance with existing security policies and
  !— configurations for traffic that is authorized to be sent
  !— to infrastructure devices

  !— Create a Class-Map for traffic to be policed by
  !— the CoPP feature

  class-map match-all drop-snmpv3-class
  match access-group 111

  !— Create a Policy-Map that will be applied to the
  !— Control-Plane of the device.

  policy-map drop-snmpv3-traffic
  class drop-snmpv3-class
  drop

  !— Apply the Policy-Map to the
  !— Control-Plane of the device

  control-plane
  service-policy input drop-snmpv3-traffic

请注意在Cisco IOS的12.2S和12.0S系列上policy-map句法有所不同：

policy-map drop-snmpv3-traffic
class drop-snmpv3-class
police 32000 1500 1500 conform-action drop exceed-action drop

厂商补丁：

Cisco

Cisco已经为此发布了一个安全公告（cisco-sa-20080610-snmpv3）以及相应补丁:
cisco-sa-20080610-snmpv3：SNMP Version 3 Authentication Vulnerabilities
链接：<a href=http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml target=_blank>http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml&lt;/a&gt;

RedHat

RedHat已经为此发布了一个安全公告（RHSA-2008:0528-01）以及相应补丁:
RHSA-2008:0528-01：Moderate: ucd-snmp security update
链接：<a href=https://www.redhat.com/support/errata/RHSA-2008-0528.html target=_blank>https://www.redhat.com/support/errata/RHSA-2008-0528.html&lt;/a&gt;

Net-SNMP

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

<a href=http://sourceforge.net/projects/net-snmp/ target=_blank>http://sourceforge.net/projects/net-snmp/&lt;/a&gt;