SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Net-snmp Vendors:   net-snmp.sourceforge.net
(Apple Issues Fix for Mac OS X) Net-snmp SNMPv3 Authentication Bug Lets Remote Users Bypass Authentication
SecurityTracker Alert ID:  1020396
SecurityTracker URL:  http://securitytracker.com/id/1020396
CVE Reference:   CVE-2008-0960   (Links to External Site)
Date:  Jul 1 2008
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0 and later versions
Description:   A vulnerability was reported in Net-snmp. A remote user can bypass authentication.

A remote user can send an SNMPv3 packet with a specially crafted Hash Message Authentication Code (HMAC) value to bypass the authentication function. The user can read and modify SNMP objects with the privileges of the target user.

UCD-SNMP is also affected.

SNMPv1 and SNMPv2 are not affected.

Wes Hardaker reported this vulnerability.

Impact:   A remote user can bypass authentication.
Solution:   Apple has issued a fix for Mac OS X (Security Update 2008-004 and Mac OS X 10.5.4), which can be downloaded and installed via Software Update preferences, or from Apple Downloads at:

http://www.apple.com/support/downloads/

The vendor's advisory is available at:

http://support.apple.com/kb/HT2163

Vendor URL:  sourceforge.net/forum/forum.php?forum_id=833770 (Links to External Site)
Cause:   Authentication error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.5.3 and prior versions

Message History:   This archive entry is a follow-up to the message listed below.
Jun 10 2008 Net-snmp SNMPv3 Authentication Bug Lets Remote Users Bypass Authentication



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC