安全研究
安全漏洞
Net-SNMP远程绕过认证漏洞
发布日期:2008-06-10
更新日期:2008-06-12
受影响系统:
Net-SNMP net-snmp 5.4.x不受影响系统:
Net-SNMP net-snmp 5.3.x
Net-SNMP net-snmp 5.2.x
Net-SNMP net-snmp 5.4.1.1描述:
Net-SNMP net-snmp 5.3.2.1
Net-SNMP net-snmp 5.2.4.1
BUGTRAQ ID: 29623
CVE(CAN) ID: CVE-2008-0960
Net-SNMP是一个免费的、开放源码的SNMP实现,以前称为UCD-SNMP。
Net-SNMP处理认证的实现上存在漏洞,远程攻击者可能利用此漏洞绕过认证获取SNMP对象的访问。
Net-SNMP的认证代码依赖于用户输入中所指定的HMAC长度读取所要检查的长度。SNMPv3的认证是使用HMAC实现的,如果用户在认证代码字段中提供了单字节的HMAC代码的话,由于仅会检查第一个字节,因此就会有1/256的概率匹配正确的HMAC并通过认证,这大大的提高了暴力猜测的成功率。这个漏洞允许攻击者读取和修改任何使用登录系统的认证凭据可访问的SNMP对象。
<*来源:Wes Hardaker
链接:http://secunia.com/advisories/30574/
http://www.kb.cert.org/vuls/id/878044
https://bugzilla.redhat.com/long_list.cgi?buglist=447974
http://marc.info/?l=oss-security&m=121305283804331&w=2
http://sourceforge.net/forum/forum.php?forum_id=833770
http://secunia.com/advisories/30612/
http://lists.ingate.com/pipermail/productinfo/2008/000021.html
https://www.redhat.com/support/errata/RHSA-2008-0529.html
https://www.redhat.com/support/errata/RHSA-2008-0528.html
http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
http://www.us-cert.gov/cas/techalerts/TA08-162A.html
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-238865-1
http://security.gentoo.org/glsa/glsa-200808-02.xml
http://www.debian.org/security/2008/dsa-1663
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
建议:
临时解决方法:
在Cisco设备中可应用以下措施:
* 部署以下基础架构ACL(iACL)
!--- Permit SNMP UDP 161 packets from
!--- trusted hosts destined to infrastructure addresses.
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 161
!--- Deny SNMP UDP 161 packets from all
!--- other sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any anyinterface serial 2/0ip access-group 150 in
* 部署以下控制面整型(CoPP)
!--- Deny SNMP UDP traffic from trusted hosts to all IP addresses
!--- configured on all interfaces of the affected device so that
!--- it will be allowed by the CoPP feature
access-list 111 deny udp host 192.168.100.1 any eq 161
!--- Permit all other SNMP UDP traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature
access-list 111 permit udp any any eq 161
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!--- traffic in accordance with existing security policies and
!--- configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
class-map match-all drop-snmpv3-class
match access-group 111
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
policy-map drop-snmpv3-traffic
class drop-snmpv3-class
drop
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
control-plane
service-policy input drop-snmpv3-traffic
请注意在Cisco IOS的12.2S和12.0S系列上policy-map句法有所不同:
policy-map drop-snmpv3-traffic
class drop-snmpv3-class
police 32000 1500 1500 conform-action drop exceed-action drop
厂商补丁:
Cisco
-----
Cisco已经为此发布了一个安全公告(cisco-sa-20080610-snmpv3)以及相应补丁:
cisco-sa-20080610-snmpv3:SNMP Version 3 Authentication Vulnerabilities
链接:http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
Debian
------
Debian已经为此发布了一个安全公告(DSA-1663-1)以及相应补丁:
DSA-1663-1:New net-snmp packages fix several vulnerabilities
链接:http://www.debian.org/security/2008/dsa-1663
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.diff.gz
Size/MD5 checksum: 94030 2ccd6191c3212980956c30de392825ec
http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.dsc
Size/MD5 checksum: 1046 8018cc23033178515298d5583a74f9ff
http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3.orig.tar.gz
Size/MD5 checksum: 4006389 ba4bc583413f90618228d0f196da8181
Architecture independent packages:
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-base_5.2.3-7etch4_all.deb
Size/MD5 checksum: 1214368 d579d8f28f3d704b6c09b2b480425086
http://security.debian.org/pool/updates/main/n/net-snmp/tkmib_5.2.3-7etch4_all.deb
Size/MD5 checksum: 855594 b5ccd827adbcefcca3557fa9ae28cc08
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_alpha.deb
Size/MD5 checksum: 2169470 265835564ef2b0e2e86a08000461c53b
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_alpha.deb
Size/MD5 checksum: 944098 5b903886ee4740842715797e3231602c
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_alpha.deb
Size/MD5 checksum: 1901802 5486eb1f2a5b076e5342b1dd9cbb12e2
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_alpha.deb
Size/MD5 checksum: 933202 e3210ba1641079e0c3aaf4a50e89aedd
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_alpha.deb
Size/MD5 checksum: 835584 b14db8c5e5b5e2d34799952975f903fb
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_amd64.deb
Size/MD5 checksum: 932008 fc79672bf64eaabd41ed1c2f4a42c7da
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_amd64.deb
Size/MD5 checksum: 1890766 ae3832515a97a79b31e0e7f0316356ee
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_amd64.deb
Size/MD5 checksum: 835088 62867e9ba9dfca3c7e8ae575d5a478f5
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_amd64.deb
Size/MD5 checksum: 918844 d2d1bc5f555bc9dba153e2a9a964ffbf
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_amd64.deb
Size/MD5 checksum: 1557924 5c2a33a015dd44708a9cc7602ca2525c
arm architecture (ARM)
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_arm.deb
Size/MD5 checksum: 909974 4c1cef835efc0b7ff3fea54a618eabee
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_arm.deb
Size/MD5 checksum: 835284 3ac835d926481c9e0f589b578455ddee
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_arm.deb
Size/MD5 checksum: 928252 b98e98b58c61be02e477185293427d5c
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_arm.deb
Size/MD5 checksum: 1778292 b903adf3d1fa6e7a26f7cafb7bffdd6b
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_arm.deb
Size/MD5 checksum: 1344158 78b6cf6b2974983e8e3670468da73cd1
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_hppa.deb
Size/MD5 checksum: 835940 9eeaf116e386dd7733ab2106c662dfa9
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_hppa.deb
Size/MD5 checksum: 1809132 78bb5f1c12b004d32fa265e6bd99ffa1
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_hppa.deb
Size/MD5 checksum: 1926116 71c7f3095ffe1bb22e84ade21f32b3a4
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_hppa.deb
Size/MD5 checksum: 935434 85deac8531b02a0fdf3c9baa21d8e4bd
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_hppa.deb
Size/MD5 checksum: 935640 958cb158264f75772864cd5d5c0bf251
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_i386.deb
Size/MD5 checksum: 1423294 f05c7491a8100684c5085588738f05b5
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_i386.deb
Size/MD5 checksum: 833970 cb705c9fe9418cc9348ac935ea7b0ba2
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_i386.deb
Size/MD5 checksum: 920070 3df41a0c99c41d1bccf6801011cf8ed5
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_i386.deb
Size/MD5 checksum: 925914 159b4244ef701edbe0fb8c9685b5b477
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_i386.deb
Size/MD5 checksum: 1838900 3b7ac7b8fe0da1a3909ee56aba46d464
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_ia64.deb
Size/MD5 checksum: 2205680 6868a56b1db04627e6921bf7237939a2
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_ia64.deb
Size/MD5 checksum: 970440 783f0cccabfbcc63590730b3803d164d
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_ia64.deb
Size/MD5 checksum: 2281114 fd04b505755a3aed0fe4c9baaac84500
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_ia64.deb
Size/MD5 checksum: 842690 9f9ca89c3d3ba7c46481e9cd39c242a6
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_ia64.deb
Size/MD5 checksum: 962854 c8a32f808d719357a5b6350e2b60794e
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mips.deb
Size/MD5 checksum: 895414 5dd919d188291cb3727d39b5e06c9e26
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mips.deb
Size/MD5 checksum: 927342 28c245db4d8ea82ba4075b27d674d72a
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mips.deb
Size/MD5 checksum: 833182 0e0b21e13d77de82bed7a38d30f65e4b
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mips.deb
Size/MD5 checksum: 1769524 24bdc73a3d20c4046c7741957442c713
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mips.deb
Size/MD5 checksum: 1717562 977ae5c34a127d32d8f2bf222de9a431
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mipsel.deb
Size/MD5 checksum: 1755032 cab5c112911465a9ce23a0d2ea44ded9
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mipsel.deb
Size/MD5 checksum: 926616 2bf14a3fe74d9f2a523aacc8b04f5282
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mipsel.deb
Size/MD5 checksum: 895194 b7c9ed37bf83ad92371f5472ac5d917b
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mipsel.deb
Size/MD5 checksum: 833098 08b63ba6c3becf25ba2f941a532a7b71
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mipsel.deb
Size/MD5 checksum: 1720642 1ff7568eb478edee923edb76cf42e9ac
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_powerpc.deb
Size/MD5 checksum: 941434 bbac9384bd7f88339e2b86fa665208c1
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_powerpc.deb
Size/MD5 checksum: 835212 4790d79f8de7f1bee7aabf0473f25268
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_powerpc.deb
Size/MD5 checksum: 1657890 b91fcf52e80c7196cea0c13df9ac79ef
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_powerpc.deb
Size/MD5 checksum: 1803262 4d298c9509941390c7b2eb68320ad211
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_powerpc.deb
Size/MD5 checksum: 928170 b17966a6a61313344ac827b58f32eeef
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_s390.deb
Size/MD5 checksum: 1409718 2a128cbdce2522ef49604255cff41af2
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_s390.deb
Size/MD5 checksum: 931452 d3bb7c3a849cd2b35fa6e4acb19c318d
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_s390.deb
Size/MD5 checksum: 1834914 67e5b946df18b06b41b3e108d5ddc4e3
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_s390.deb
Size/MD5 checksum: 836102 7a4b85e8ea0e50d7213997b5f7d6309f
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_s390.deb
Size/MD5 checksum: 903864 3f80e78e4e2672aacf3da0690ff24b79
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_sparc.deb
Size/MD5 checksum: 925336 5824ea607689f3f1bd62a9e6e28f95ae
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_sparc.deb
Size/MD5 checksum: 1548630 1378d1cf730d3026bc1f01a4ab2ccedb
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_sparc.deb
Size/MD5 checksum: 918592 28a086f6aa2ee8d510b38c1a177843fc
http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_sparc.deb
Size/MD5 checksum: 834186 068cbf2b4774ecf9504b820db26e6f1d
http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_sparc.deb
Size/MD5 checksum: 1782014 d39fae5fe0d1397a2a1bd7397d6e850a
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2008:0528-01)以及相应补丁:
RHSA-2008:0528-01:Moderate: ucd-snmp security update
链接:https://www.redhat.com/support/errata/RHSA-2008-0528.html
Sun
---
Sun已经为此发布了一个安全公告(Sun-Alert-238865)以及相应补丁:
Sun-Alert-238865:SNMPv3 Authentication Bypass Vulnerability in snmpd(1M)
链接:http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-238865-1
Net-SNMP
--------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://sourceforge.net/projects/net-snmp/
Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200808-02)以及相应补丁:
GLSA-200808-02:Net-SNMP: Multiple vulnerabilities
链接:http://security.gentoo.org/glsa/glsa-200808-02.xml
所有Net-SNMP用户都应升级到最新版本:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.1.1"
浏览次数:5191
严重程度:0(网友投票)
绿盟科技给您安全的保障