June 12, 2008

Another nasty BYPASS thingy.

Authentication bypass vulnerabilities in important services or components appear rarely. They are rarer still on critical services, and rarer yet when exploiting the flaw is as simple as modifying a single byte!
Before today, you may remember the MySQL authentication bypass, and the script-kiddie-friendly VNC auth. bypass vulnerability. These are not the only ones in recent years, but they are the best known. Today I saw another crazy bypass!

This time, the affected service is SNMP v3. And no, it's not limited to a rarely used or little-known vendor. MULTIPLE vendors, including but not limited to Cisco, are affected. I bet CVE-2008-0960 will make a lot of noise, for various reasons:

First, wherever you read a best-practice guide on hardening your SNMP-based infrastructure, it always advises using the secure version of SNMP, by which they mean v3.
Second, SNMP is the favorite monitoring protocol in almost any big enterprise network.
Third and worst: we all use it on the core elements of the network, which means routers, switches, firewalls, ...

To make it clearer, here's the list of affected products, borrowed from Cisco's related advisory:

* Cisco IOS
* Cisco IOS-XR
* Cisco Catalyst Operating System (CatOS)
* Cisco NX-OS
* Cisco Application Control Engine (ACE) Module
* Cisco ACE Appliance
* Cisco ACE XML Gateway
* Cisco MDS 9000 Series Multilayer Fabric Switches

Since many vendors may be affected by this vulnerability, they have all been informed about the subject and should be in the process of verifying their products. Keep watching the US-CERT vulnerability note and wait for all listed vendors to update their status. Let's just hope not many of the listed "unknown" entries change to "vulnerable".

So, how hard is it to exploit this vulnerability?
As I had previous experience with this class of vulnerability, my first guess was right. By modifying a few lines of code in your favorite SNMP client, you're ready to bypass. Am I the only one who thinks of net-snmp? ;)
inode has generously done this for you and provided a patch for net-snmp. Since I'm not the kind of guy who spreads sploits, I leave you to Google to catch the patch.
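To show the check that CVE-2008-0960 defeated, here is an added illustration that is not from this post or from net-snmp: an HMAC verifier that trusts the length of the received msgAuthenticationParameters field, beside the hardened form a defender should expect to find. The key and message are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values: a 16-byte localized authKey and the bytes of an
# SNMPv3 message as fed to the USM authentication step (tag field zeroed).
AUTH_KEY = bytes(range(16))
MESSAGE = b"constructed SNMPv3 wholeMsg, msgAuthenticationParameters zeroed"
TAG_LEN = 12  # HMAC-MD5-96 / HMAC-SHA-96 carry a 12-byte truncated tag


def hmac_md5_96(key: bytes, msg: bytes) -> bytes:
    """Full HMAC-MD5 truncated to the 12 bytes SNMPv3 USM puts on the wire."""
    return hmac.new(key, msg, hashlib.md5).digest()[:TAG_LEN]


def verify_vulnerable(key: bytes, msg: bytes, received: bytes) -> bool:
    """The flawed pattern: compare only as many bytes as the peer supplied.

    A peer that sends a 1-byte field only has to match one byte (1 in 256),
    and an empty field is accepted unconditionally.
    """
    expected = hmac_md5_96(key, msg)
    return expected[:len(received)] == received


def verify_fixed(key: bytes, msg: bytes, received: bytes) -> bool:
    """Hardened check: the received field must be exactly TAG_LEN bytes, and
    the comparison runs in constant time so no byte leaks via timing."""
    if len(received) != TAG_LEN:
        return False
    return hmac.compare_digest(hmac_md5_96(key, msg), received)


def count_accepted_single_byte(key: bytes, msg: bytes, verify) -> int:
    """How many of the 256 possible 1-byte fields a verifier accepts.

    This is the gap to look for when auditing a MAC check: the flawed
    verifier accepts exactly one value, the fixed one accepts none.
    """
    return sum(verify(key, msg, bytes([b])) for b in range(256))


if __name__ == "__main__":
    tag = hmac_md5_96(AUTH_KEY, MESSAGE)
    print("full tag accepted (vulnerable, fixed):",
          verify_vulnerable(AUTH_KEY, MESSAGE, tag),
          verify_fixed(AUTH_KEY, MESSAGE, tag))
    print("1-byte fields accepted (vulnerable, fixed):",
          count_accepted_single_byte(AUTH_KEY, MESSAGE, verify_vulnerable),
          count_accepted_single_byte(AUTH_KEY, MESSAGE, verify_fixed))
```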

Keep your core network elements tight.


  1. Thanks for sharing, can you please post something about defensive vectors against the Cisco IOS rootkit?!
    Is there any patch at all right now?

    - Arash

  2. http://lab.mediaservice.net/code.php#snmpv3