[CVE-2008-0960] Multiple SNMP implementations HMAC authentication spoofing

Bug #239129 reported by Till Ulen
Affects              Status         Importance   Assigned to   Milestone
ecos (Ubuntu)        Invalid        Undecided    Unassigned
  Dapper             Won't Fix      Undecided    Unassigned
  Feisty             Won't Fix      Undecided    Unassigned
  Gutsy              Won't Fix      Undecided    Unassigned
  Hardy              Invalid        Undecided    Unassigned
  Intrepid           Invalid        Undecided    Unassigned
  Jaunty             Invalid        Undecided    Unassigned
net-snmp (Ubuntu)    Fix Released   Undecided    Unassigned
  Dapper             Fix Released   Medium       Kees Cook
  Feisty             Won't Fix      Medium       Unassigned
  Gutsy              Fix Released   Medium       Kees Cook
  Hardy              Fix Released   Medium       Kees Cook
  Intrepid           Fix Released   Medium       Kees Cook
  Jaunty             Fix Released   Undecided    Unassigned
ucd-snmp (Ubuntu)    Invalid        Undecided    Unassigned
  Dapper             Won't Fix      Undecided    Unassigned
  Feisty             Won't Fix      Undecided    Unassigned
  Gutsy              Invalid        Undecided    Unassigned
  Hardy              Invalid        Undecided    Unassigned
  Intrepid           Invalid        Undecided    Unassigned
  Jaunty             Invalid        Undecided    Unassigned

Bug Description

CVE-2008-0960 description:

"Some SNMP implementations include incomplete HMAC authentication code that allows spoofing of authenticated SNMPv3 packets.

The authentication code reads the length to be checked from sender input, this allows the sender to supply single byte HMAC code and have a 1 in 256 chance of matching the correct HMAC and authenticating, as only the first byte will be checked. The sender would need to know a valid username.

Currently Net-SNMP and UCD-SNMP are known to be vulnerable, other SNMP implementations may also be affected. The eCos project includes code derived from UCD-SNMP and is therefore also affected."

http://www.ocert.org/advisories/ocert-2008-006.html

See also:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0960
http://www.kb.cert.org/vuls/id/878044
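
The comparison flaw described in the CVE text above, shown beside a hardened form. This is an added example, not net-snmp's code and not part of the original report. The function names and the EXPECTED_MAC bytes are constructed for illustration; the 12-octet field length is the HMAC-MD5-96 / HMAC-SHA-96 length from RFC 3414.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define USM_MAC_LEN 12 /* HMAC-MD5-96 / HMAC-SHA-96 field length, RFC 3414 */

/* Constructed sample standing in for the MAC the receiver computed itself. */
static const unsigned char EXPECTED_MAC[USM_MAC_LEN] = {
    0x5a, 0x13, 0xc7, 0x9e, 0x02, 0xb4, 0x6f, 0xd1, 0x88, 0x3c, 0xe0, 0x47 };

/* Flawed pattern from the advisory: only as many bytes are compared as the
 * sender declared. Returns 1 when the message would be accepted. */
int check_mac_sender_length(const unsigned char *expected,
                            const unsigned char *received, size_t len)
{
    if (len == 0 || len > USM_MAC_LEN) return 0;
    return memcmp(expected, received, len) == 0;
}

/* Hardened form: the protocol fixes the length, any other length is
 * rejected, and the comparison does not stop at the first mismatch. */
int check_mac_fixed_length(const unsigned char *expected,
                           const unsigned char *received, size_t len)
{
    unsigned char diff = 0;
    size_t i;
    if (len != USM_MAC_LEN) return 0;
    for (i = 0; i < USM_MAC_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ received[i]);
    return diff == 0;
}

typedef int (*mac_check_fn)(const unsigned char *, const unsigned char *, size_t);
/* Count how many of the 256 possible one-byte MAC fields a check accepts. */
int accepted_one_byte_macs(mac_check_fn check)
{
    int v, accepted = 0;
    for (v = 0; v < 256; v++) {
        unsigned char mac = (unsigned char)v;
        accepted += check(EXPECTED_MAC, &mac, 1);
    }
    return accepted;
}

int main(void)
{
    printf("one-byte MACs accepted: sender-length=%d fixed-length=%d\n",
           accepted_one_byte_macs(check_mac_sender_length),
           accepted_one_byte_macs(check_mac_fixed_length));
    return 0;
}
```

The sender-length check accepts exactly one of the 256 one-byte values, which is the 1 in 256 chance the description states; the fixed-length check accepts none.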

Till Ulen (tillulen) wrote :

A tool to exploit this vulnerability has been published on Bugtraq:
http://www.securityfocus.com/archive/1/493304/30/0/threaded

Till Ulen (tillulen) wrote :

A fix for net-snmp is in Intrepid:

net-snmp (5.4.1~dfsg-7.1ubuntu2) intrepid; urgency=low

  * SECURITY UPDATE: HMAC authentication spoofing.
  * debian/patches/51_CVE-2008-0960.patch: fixes HMAC authentication spoofing.
  * debian/patches/52_use_right_config_file.patch: Use the right configuration
    file for lmsensors. (LP: #192745)

 -- Chuck Short < <email address hidden>> Mon, 16 Jun 2008 15:47:18 +0000

I intended to nominate this bug for the Dapper-Hardy releases only in net-snmp but I now can't figure out how to remove the nominations from ecos and ucd-snmp.

Changed in net-snmp:
status: New → Fix Released
Nicolas Valcarcel (nvalcarcel) wrote :

Patch attached to Bug #241892

Kees Cook (kees) wrote :

Feisty is EOL

Changed in net-snmp:
status: New → Won't Fix
Kees Cook (kees) wrote :

net-snmp fixed for this issue: http://www.ubuntu.com/usn/usn-685-1

Changed in net-snmp:
importance: Undecided → Medium
assignee: nobody → kees
importance: Undecided → Medium
status: New → Fix Released
importance: Undecided → Medium
status: New → Won't Fix
assignee: nobody → kees
importance: Undecided → Medium
status: Won't Fix → Fix Released
assignee: nobody → kees
status: New → Fix Released
assignee: nobody → kees
importance: Undecided → Medium
status: New → Fix Released
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in ecos:
status: New → Won't Fix
Changed in ucd-snmp:
status: New → Won't Fix
Changed in ucd-snmp:
status: New → Invalid
status: New → Invalid
status: New → Invalid
status: New → Invalid
Kees Cook (kees)
Changed in ucd-snmp:
status: New → Confirmed
Changed in ecos:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Steve Langasek (vorlon) wrote :

ecos is not present in releases past gutsy; invalidating the hardy->jaunty tasks.

Changed in ecos:
status: Confirmed → Invalid
status: Confirmed → Invalid
status: Confirmed → Invalid
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in ecos (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in ucd-snmp (Ubuntu Dapper):
status: Confirmed → Won't Fix
Changed in ecos (Ubuntu Dapper):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
