June 12, 2008

Another nasty BYPASS thingy.

Authentication bypass vulnerabilities in important services or components appear rarely. They are rarer still in critical services, and rarer yet when exploiting the flaw is as simple as modifying a single byte!
Before today, you may remember the MySQL authentication bypass, and the script-kiddie-friendly VNC authentication bypass vulnerability. These are not the only ones in recent years, but they are the most well-known. Today I saw another crazy bypass!

This time, the affected service is SNMP v3. And no, it's not limited to a rarely used or little-known vendor: MULTIPLE vendors, including but not limited to Cisco, are affected. I bet CVE-2008-0960 will make a lot of noise for various reasons:

First, wherever you read a best-practice guide on hardening your SNMP-based infrastructure, it always advises using the secure version of SNMP, by which they mean v3.
Second, SNMP is the favorite monitoring protocol used in almost any big enterprise network.
Third and worst: we all use it on the core elements of the network, which means routers, switches, firewalls, ...

To make it clearer for you, here's the list of affected products, borrowed from Cisco's related advisory:

* Cisco IOS
* Cisco IOS-XR
* Cisco Catalyst Operating System (CatOS)
* Cisco NX-OS
* Cisco Application Control Engine (ACE) Module
* Cisco ACE Appliance
* Cisco ACE XML Gateway
* Cisco MDS 9000 Series Multilayer Fabric Switches

Since many vendors may be affected by this vulnerability, they have all been informed about the subject and should be in the process of verifying their products. Keep watching the US-CERT vulnerability note and wait for all listed vendors to update their status. Let's just hope not many of the listed "unknown" items change to "vulnerable".

So, how hard is it to exploit this vulnerability?
As I had previous experience with this class of vulnerabilities, my first guess was right. By modifying a few lines of code in your favorite SNMP client, you're ready to bypass. Am I the only one who thinks about net-snmp? ;)
inode has generously done this for you and provided a patch for net-snmp. Since I'm not the kind of guy who spreads sploits, I leave you with Google to catch the patch.
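As an added illustration (not part of the original post, and not the net-snmp patch mentioned above): a toy Python model of the SNMPv3 USM tag check at the heart of CVE-2008-0960, where the receiver compared only as many bytes of its own HMAC-96 as the sender had supplied in msgAuthenticationParameters, beside the corrected check that insists on the full 12-byte tag and compares it in constant time. The key and message bytes are constructed sample values, not real USM material.

```python
import hmac
import hashlib

# Constructed sample key: a real USM authKey is derived from the user's
# passphrase and the authoritative engine ID (RFC 3414); this is a stand-in.
SAMPLE_AUTH_KEY = hashlib.sha1(b"constructed-sample-authkey").digest()
TAG_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 both carry a 96-bit (12-byte) tag


def compute_tag(auth_key: bytes, msg_canonical: bytes) -> bytes:
    """HMAC-SHA-96 as both sides compute it. In the real protocol the
    msgAuthenticationParameters field is zero-filled before hashing;
    msg_canonical stands for that canonical form here."""
    return hmac.new(auth_key, msg_canonical, hashlib.sha1).digest()[:TAG_LEN]


def verify_vulnerable(auth_key: bytes, msg: bytes, received_tag: bytes) -> bool:
    """Models the defect in CVE-2008-0960: the tag length is taken from the
    peer's message, so only that many bytes of the locally computed HMAC are
    compared. A 1-byte tag passes whenever its single byte happens to match."""
    expected = compute_tag(auth_key, msg)
    n = len(received_tag)          # attacker-controlled length
    return expected[:n] == received_tag


def verify_fixed(auth_key: bytes, msg: bytes, received_tag: bytes) -> bool:
    """Corrected check: the tag must be exactly TAG_LEN bytes, and the full
    tag is compared with a constant-time comparison."""
    if len(received_tag) != TAG_LEN:
        return False
    expected = compute_tag(auth_key, msg)
    return hmac.compare_digest(expected, received_tag)


def demo() -> dict:
    """Runs a genuine full-length tag and a truncated 1-byte tag through
    both verifiers and reports which checks each one passes."""
    msg = b"constructed SNMPv3 message, authParams zero-filled"
    good_tag = compute_tag(SAMPLE_AUTH_KEY, msg)
    one_byte_tag = good_tag[:1]    # the shape of the bypass: a 1-byte tag
    return {
        "vuln_accepts_full": verify_vulnerable(SAMPLE_AUTH_KEY, msg, good_tag),
        "vuln_accepts_1byte": verify_vulnerable(SAMPLE_AUTH_KEY, msg, one_byte_tag),
        "fixed_accepts_full": verify_fixed(SAMPLE_AUTH_KEY, msg, good_tag),
        "fixed_rejects_1byte": not verify_fixed(SAMPLE_AUTH_KEY, msg, one_byte_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The defender's takeaway is the shape of the fix: the receiver, never the sender, decides how long the authentication tag must be.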

Keep your core network elements tight.

2 comments:

  1. thanks for sharing, can you please post something about defensive vectors against cisco ios rootkit?!
    is there any patch at all right now?

    cheers,
    - Arash

  2. http://lab.mediaservice.net/code.php#snmpv3
