CERT has told us of an authentication bypass flaw in Net-SNMP and UCD-SNMP. According to net-snmp: "The quick technical summary is that the SNMPv3 packet contains a truncated HMAC authentication code. The author that wrote the code very very long ago to check that HMAC code used the length of the packet's version of the HMAC code to do the check. Thus if you send a single byte HMAC code, it'll only check it against the first byte of HMAC output. Thus it's fairly easy to spoof an authenticated SNMPv3 packet."
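The length handling described in the summary above, as an added C example (not Net-SNMP's code and not the upstream patch): the flawed check compares only as many bytes as the packet supplied, while the strict check rejects any authentication code that is not the full truncated length. The function names and sample bytes are constructed for illustration; the 12-byte length is the HMAC-96 truncation from RFC 3414, and the HMAC computation itself is assumed to happen elsewhere.

```c
#include <stddef.h>
#include <stdio.h>

#define USM_AUTH_LEN 12  /* HMAC-MD5-96 / HMAC-SHA-96 truncation (RFC 3414) */

/* Constant-time comparison: no early exit on the first mismatch. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Flawed pattern: the comparison length is taken from the packet. */
int check_mac_flawed(const unsigned char *computed,
                     const unsigned char *received, size_t received_len)
{
    if (received_len > USM_AUTH_LEN)
        return 0;
    return ct_equal(computed, received, received_len);
}

/* Hardened: the length is fixed by the receiver, never by the sender. */
int check_mac_strict(const unsigned char *computed,
                     const unsigned char *received, size_t received_len)
{
    if (received_len != USM_AUTH_LEN)
        return 0;
    return ct_equal(computed, received, USM_AUTH_LEN);
}

/* Constructed sample standing in for the receiver's truncated HMAC. */
static const unsigned char sample_computed[USM_AUTH_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4b, 0x88, 0x10, 0xf6, 0x2d, 0x73, 0xc9
};

int main(void)
{
    const unsigned char one_byte[1] = { 0x3a };  /* constructed 1-byte field */
    printf("flawed accepts 1-byte code: %d\n",
           check_mac_flawed(sample_computed, one_byte, 1));
    printf("strict accepts 1-byte code: %d\n",
           check_mac_strict(sample_computed, one_byte, 1));
    printf("strict accepts full code:   %d\n",
           check_mac_strict(sample_computed, sample_computed, USM_AUTH_LEN));
    return 0;
}
```

With a one-byte field only 256 values are possible, which is why the flawed check offers almost no authentication; the strict check restores the full 96-bit comparison.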
Created attachment 306408: Proposed upstream patch
Changing embargo date due to request from CERT.
Public now, lifting embargo:
http://www.ocert.org/advisories/ocert-2008-006.html
http://sourceforge.net/forum/forum.php?forum_id=833770
Net-SNMP upstream bug report:
http://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380
Fixed Net-SNMP versions: >= 5.4.1.1, >= 5.3.2.1, >= 5.2.4.1
net-snmp-5.4.1-18.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
net-snmp-5.4.1-7.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
net-snmp-5.4-18.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Public PoC: http://lab.mediaservice.net/code.php#snmpv3
All child bugs have been closed; the parent is no longer needed.