Bug 225105 - net-analyzer/net-snmp <5.4.1.1 truncated HMAC authentication code (CVE-2008-0960)
Bug#: 225105 (CVE-2008-0960) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: vorlon@gentoo.org
Component: Vulnerabilities
URL:  http://www.ocert.org/advisories/ocert-2008-006.html
Summary: net-analyzer/net-snmp <5.4.1.1 truncated HMAC authentication code (CVE-2008-0960)
Keywords:  
Status Whiteboard: B3 [glsa]
Opened: 2008-06-06 10:50 0000
Description:   Opened: 2008-06-06 10:50 0000 
** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **

We have been contacted by CERT/CC about the following issue:
<quote>
According to net-snmp project:

"The quick technical summary is that the SNMPv3 packet contains a
truncated HMAC authentication code.  The author that wrote the code
very very long ago to check that HMAC code used the length of the
packet's version of the HMAC code to do the check.  Thus if you send a
single byte HMAC code, it'll only check it against the first byte of
HMAC output.  Thus it's fairly easy to spoof an authenticated SNMPv3
packet.
</quote>

------- Comment #1 From Matthias Geerdsen 2008-06-06 10:51:54 0000 ------- 
Created an attachment (id=155709) [details]
patch for CVE-2008-0960

------- Comment #2 From Matthias Geerdsen 2008-06-06 10:53:44 0000 ------- 
pva/falco/vapier since you are all in netmon herd anyways, please prepare an
ebuild with the patch and attach it here.

Do not commit anything to the tree until this issue is made public.

------- Comment #3 From Peter Volkov 2008-06-06 19:26:32 0000 ------- 
Created an attachment (id=155745) [details]
net-snmp-5.4.1-CVE-2008-0960.patch

Thank you Matthias. Attached patch was corrupted one. Attaching correct one.

------- Comment #4 From Peter Volkov 2008-06-06 19:30:09 0000 ------- 
BTW, I don't see any rush with this security fix. I'm going to bump net-snmp
now to fix quite a number of bugs, after that I'd like to have at least 2 weeks
for feedback on patches I've backported from upstream and only after that
stabilize this package... Also we have another security fix for this package in
queue so it's better to test stabilize them together, I suppose.

------- Comment #5 From Robert Buchholz 2008-06-10 01:07:25 0000 ------- 
Now public via URL.
"Fixed version:
Net-SNMP >= 5.4.1.1, >= 5.3.2.1, >= 5.2.4.1"

Peter, take the time you want to test this issue,

------- Comment #6 From Peter Volkov 2008-06-21 06:40:30 0000 ------- 
5.4.1.1 is ready to go stable together with autoconf-2.61-r2 (which should be
stabilized in bug 227603).

Target keywords:
net-analyzer/net-snmp-5.4.1.1: alpha amd64 arm hppa ia64 ppc64 ppc s390 sh
sparc x86

------- Comment #7 From Christian Faulhammer 2008-06-21 09:25:10 0000 ------- 
x86 stable

------- Comment #8 From Robert Buchholz 2008-06-21 13:49:55 0000 ------- 
pva, I'm adding release@, or did you handle this yourself already?

------- Comment #9 From Markus Rothe 2008-06-21 19:39:10 0000 ------- 
ppc64 stable

------- Comment #10 From Markus Meier 2008-06-22 11:08:45 0000 ------- 
amd64 stable

------- Comment #11 From Raúl Porcel 2008-06-22 18:11:38 0000 ------- 
alpha/ia64/sparc stable

------- Comment #12 From Jeroen Roovers 2008-06-23 17:14:05 0000 ------- 
Stable for HPPA.

------- Comment #13 From Brent Baude 2008-06-23 19:00:07 0000 ------- 
ppc done

------- Comment #14 From Robert Buchholz 2008-06-24 01:05:00 0000 ------- 
GLSA vote, YES for me.

------- Comment #15 From Tobias Heinlein 2008-07-02 11:15:08 0000 ------- 
YES too, filing request.

------- Comment #16 From Chris Gianelloni (RETIRED) 2008-08-01 17:49:17 0000 ------- 
2008.0 is out, so no need to keep release on the CC list.

------- Comment #17 From Robert Buchholz 2008-08-06 00:30:47 0000 ------- 
GLSA 200808-02