Bug 225105 (CVE-2008-0960)

Summary:

net-analyzer/net-snmp <5.4.1.1 truncated HMAC authentication code (CVE-2008-0960)

Product:

Gentoo Security

Reporter:

Matthias Geerdsen (RETIRED) <vorlon>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

CC:

netmon, wolf31o2

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

http://www.ocert.org/advisories/ocert-2008-006.html

Whiteboard:

B3 [glsa]

Package list:

Runtime testing required:

---

Bug Depends on:

227603

Bug Blocks:

222265

Attachments:

Description	Flags
patch for CVE-2008-0960	none
net-snmp-5.4.1-CVE-2008-0960.patch	none

Description Matthias Geerdsen (RETIRED) gentoo-dev

2008-06-06 10:50:14 UTC

** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **

We have been contacted by CERT/CC about the following issue:
<quote>
According to net-snmp project:

"The quick technical summary is that the SNMPv3 packet contains a
truncated HMAC authentication code.  The author that wrote the code
very very long ago to check that HMAC code used the length of the
packet's version of the HMAC code to do the check.  Thus if you send a
single byte HMAC code, it'll only check it against the first byte of
HMAC output.  Thus it's fairly easy to spoof an authenticated SNMPv3
packet.
</quote>

Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev

2008-06-06 10:51:54 UTC

Created attachment 155709 [details, diff]
patch for CVE-2008-0960

Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev

2008-06-06 10:53:44 UTC

pva/falco/vapier since you are all in netmon herd anyways, please prepare an ebuild with the patch and attach it here.

Do not commit anything to the tree until this issue is made public.

Comment 3 Peter Volkov (RETIRED) gentoo-dev

2008-06-06 19:26:32 UTC

Created attachment 155745 [details, diff]
net-snmp-5.4.1-CVE-2008-0960.patch

Thank you Matthias. Attached patch was corrupted one. Attaching correct one.

Comment 4 Peter Volkov (RETIRED) gentoo-dev

2008-06-06 19:30:09 UTC

BTW, I don't see any rush with this security fix. I'm going to bump net-snmp now to fix quite a number of bugs, after that I'd like to have at least 2 weeks for feedback on patches I've backported from upstream and only after that stabilize this package... Also we have another security fix for this package in queue so it's better to test stabilize them together, I suppose.

Comment 5 Robert Buchholz (RETIRED) gentoo-dev

2008-06-10 01:07:25 UTC

Now public via URL.
"Fixed version:
Net-SNMP >= 5.4.1.1, >= 5.3.2.1, >= 5.2.4.1"

Peter, take the time you want to test this issue,

Comment 6 Peter Volkov (RETIRED) gentoo-dev

2008-06-21 06:40:30 UTC

5.4.1.1 is ready to go stable together with autoconf-2.61-r2 (which should be stabilized in bug 227603).

Target keywords:
net-analyzer/net-snmp-5.4.1.1: alpha amd64 arm hppa ia64 ppc64 ppc s390 sh sparc x86

Comment 7 Christian Faulhammer (RETIRED) gentoo-dev

2008-06-21 09:25:10 UTC

x86 stable

Comment 8 Robert Buchholz (RETIRED) gentoo-dev

2008-06-21 13:49:55 UTC

pva, I'm adding release@, or did you handle this yourself already?

Comment 9 Markus Rothe (RETIRED) gentoo-dev

2008-06-21 19:39:10 UTC

ppc64 stable

Comment 10 Markus Meier gentoo-dev

2008-06-22 11:08:45 UTC

amd64 stable

Comment 11 Raúl Porcel (RETIRED) gentoo-dev

2008-06-22 18:11:38 UTC

alpha/ia64/sparc stable

Comment 12 Jeroen Roovers (RETIRED) gentoo-dev

2008-06-23 17:14:05 UTC

Stable for HPPA.

Comment 13 Brent Baude (RETIRED) gentoo-dev

2008-06-23 19:00:07 UTC

ppc done

Comment 14 Robert Buchholz (RETIRED) gentoo-dev

2008-06-24 01:05:00 UTC

GLSA vote, YES for me.

Comment 15 Tobias Heinlein (RETIRED) gentoo-dev

2008-07-02 11:15:08 UTC

YES too, filing request.

Comment 16 Chris Gianelloni (RETIRED) gentoo-dev

2008-08-01 17:49:17 UTC

2008.0 is out, so no need to keep release on the CC list.

Comment 17 Robert Buchholz (RETIRED) gentoo-dev

2008-08-06 00:30:47 UTC

GLSA 200808-02