// For flags

CVE-2008-0960

SNMPv3 - HMAC Validation error Remote Authentication Bypass

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.

Una comprobación SNMPv3 HMAC en (1) Net-SNMP versión 5.2.x anterior a 5.2.4.1, versión 5.3.x anterior a 5.3.2.1 y versión 5.4.x anterior a 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) C-series versión 1.0.0 hasta 2.0.0 de Juniper Session and Resource Control (SRC); (5) Data de NetApp (también se conoce como Network Appliance) ONTAP versiones 7.3RC1 y 7.3RC2; (6) SNMP Research versión anterior a 16.2; (7) múltiples productos Cisco IOS, CatOS, ACE y Nexus; (8) Ingate Firewall versión 3.1.0 y posterior y SIParator versión 3.1.0 y posterior; (9) HP OpenView SNMP Emanate Master Agent versión 15.x; y posiblemente otros productos dependen del cliente para especificar la longitud del HMAC, lo que facilita que los atacantes remotos omitan la autenticación SNMP por medio de un valor de longitud de 1, que solo comprueba el primer byte.

Wes Hardaker discovered that the SNMP service did not correctly validate HMAC authentication requests. An unauthenticated remote attacker could send specially crafted SNMPv3 traffic with a valid username and gain access to the user's views without a valid authentication passphrase. John Kortink discovered that the Net-SNMP Perl module did not correctly check the size of returned values. If a user or automated system were tricked into querying a malicious SNMP server, the application using the Perl module could be made to crash, leading to a denial of service. This did not affect Ubuntu 8.10. It was discovered that the SNMP service did not correctly handle large GETBULK requests. If an unauthenticated remote attacker sent a specially crafted request, the SNMP service could be made to crash, leading to a denial of service.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-02-25 CVE Reserved
  • 2008-06-10 CVE Published
  • 2008-06-13 First Exploit
  • 2024-08-07 CVE Updated
  • 2025-04-26 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-287: Improper Authentication
CAPEC
References (66)
URL Tag Source
http://lists.ingate.com/pipermail/productinfo/2008/000021.html Mailing List
http://secunia.com/advisories/30612 Third Party Advisory
http://secunia.com/advisories/35463 Third Party Advisory
http://securityreason.com/securityalert/3933 Third Party Advisory
http://sourceforge.net/forum/forum.php?forum_id=833770 X_refsource_confirm
http://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380 X_refsource_confirm
http://support.apple.com/kb/HT2163 X_refsource_confirm
http://support.avaya.com/elmodocs2/security/ASA-2008-282.htm X_refsource_confirm
http://www.kb.cert.org/vuls/id/878044 Third Party Advisory
http://www.kb.cert.org/vuls/id/CTAR-7FBS8Q Us Government Resource
http://www.kb.cert.org/vuls/id/MIMG-7ETS5Z Us Government Resource
http://www.kb.cert.org/vuls/id/MIMG-7ETS87 Us Government Resource
http://www.ocert.org/advisories/ocert-2008-006.html X_refsource_misc
http://www.openwall.com/lists/oss-security/2008/06/09/1 Mailing List
http://www.securityfocus.com/archive/1/493218/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/497962/100/0/threaded Mailing List
http://www.securitytracker.com/id?1020218 Vdb Entry
http://www.us-cert.gov/cas/techalerts/TA08-162A.html Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2008-0013.html X_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2008-0017.html X_refsource_misc
http://www.vupen.com/english/advisories/2008/1787/references Vdb Entry
http://www.vupen.com/english/advisories/2008/1788/references Vdb Entry
http://www.vupen.com/english/advisories/2008/1797/references Vdb Entry
http://www.vupen.com/english/advisories/2008/1800/references Vdb Entry
http://www.vupen.com/english/advisories/2008/1801/references Vdb Entry
http://www.vupen.com/english/advisories/2008/1836/references Vdb Entry
http://www.vupen.com/english/advisories/2008/1981/references Vdb Entry
http://www.vupen.com/english/advisories/2008/2361 Vdb Entry
http://www.vupen.com/english/advisories/2008/2971 Vdb Entry
http://www.vupen.com/english/advisories/2009/1612 Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10820 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5785 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6414 Signature
URL Date SRC
https://packetstorm.news/files/id/67231 2008-06-13
https://www.exploit-db.com/exploits/5790 2024-08-07
http://www.securityfocus.com/bid/29623 2024-08-07
URL Date SRC
http://www.debian.org/security/2008/dsa-1663 2018-10-30
URL Date SRC
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html 2018-10-30
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00000.html 2018-10-30
http://marc.info/?l=bugtraq&m=127730470825399&w=2 2018-10-30
http://rhn.redhat.com/errata/RHSA-2008-0528.html 2018-10-30
http://secunia.com/advisories/30574 2018-10-30
http://secunia.com/advisories/30596 2018-10-30
http://secunia.com/advisories/30615 2018-10-30
http://secunia.com/advisories/30626 2018-10-30
http://secunia.com/advisories/30647 2018-10-30
http://secunia.com/advisories/30648 2018-10-30
http://secunia.com/advisories/30665 2018-10-30
http://secunia.com/advisories/30802 2018-10-30
http://secunia.com/advisories/31334 2018-10-30
http://secunia.com/advisories/31351 2018-10-30
http://secunia.com/advisories/31467 2018-10-30
http://secunia.com/advisories/31568 2018-10-30
http://secunia.com/advisories/32664 2018-10-30
http://secunia.com/advisories/33003 2018-10-30
http://security.gentoo.org/glsa/glsa-200808-02.xml 2018-10-30
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238865-1 2018-10-30
http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml 2018-10-30
http://www.mandriva.com/security/advisories?name=MDVSA-2008:118 2018-10-30
http://www.redhat.com/support/errata/RHSA-2008-0529.html 2018-10-30
http://www.ubuntu.com/usn/usn-685-1 2018-10-30
https://bugzilla.redhat.com/show_bug.cgi?id=447974 2008-06-10
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00363.html 2018-10-30
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00380.html 2018-10-30
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00459.html 2018-10-30
https://access.redhat.com/security/cve/CVE-2008-0960 2008-06-10
Affected Vendors, Products, and Versions
Match found for: AND_3_NODES_OR__OS_HW_AP__VULN0_False_VULN1_False_VULN2_True
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status