GCN Tech Blog

By GCN Staff

Blog archive

SNMP not bedeviled after all

Last week, we reported of a vulnerability in network equipment that used version 3 of the Simple Network Management Protocol. Perhaps due to our haziness in describing the vulnerability, unsuspecting readers could assume that the fault lied with SNMP itself.

Not true, according to security architect Uri Blumenthal, who sent an e-mail pointing out the possible misunderstanding. Blumenthal co-authored the Internet Society Request For Comments ("SNMPv3 User-based Security Model," RFC 3414) on ensuring message-level security of SNMP.

The vulnerability lies not in SNMP, but rather in poorly-coded implementations of SNMP, he said. To quote Blumenthal's e-mail:


The cause of this vulnerability seems to be a bug in the implementation rather than in the protocol. For the protocols involved, RFC 3414 defines authentication algorithms and procedures, for SNMPv3, and RFC 2104 defines the HMAC [keyed-hash message authentication code] algorithm itself.


RFC 3414 on page 52 clearly specifies that the length of the authenticator tag is 12 octets (96 bits). Probably the vulnerable implementations instead of verifying the length of the received MAC and/or comparing that length with that of the computed one ' they just took the length of the received MAC as correct, and compared that many bytes (e.g. 1) with the computed value.


In other words, if the implementation does not compare its own generated HMAC with what is received (rather than just comparing the number of bytes in both), then the implementation could be circumnavigated.

So again, if you use version 3 of SNMP, check your vendor for updates.

Posted by Joab Jackson on Jun 20, 2008 at 9:39 AM


Featured

  • Defense
    The U.S. Army Corps of Engineers and the National Geospatial-Intelligence Agency (NGA) reveal concept renderings for the Next NGA West (N2W) campus from the design-build team McCarthy HITT winning proposal. The entirety of the campus is anticipated to be operational in 2025.

    How NGA is tackling interoperability challenges

    Mark Munsell, the National Geospatial-Intelligence Agency’s CTO, talks about talent shortages and how the agency is working to get more unclassified data.

  • Veterans Affairs
    Veterans Affairs CIO Jim Gfrerer speaks at an Oct. 10 FCW event (Photo credit: Troy K. Schneider)

    VA's pivot to agile

    With 10 months on the job, Veterans Affairs CIO Jim Gfrerer is pushing his organization toward a culture of constant delivery.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.