Debian Bug report logs -
#485945
net-snmp: CVE-2008-0960 spoofing of authenticated SNMPv3 packets because only length of HMAC code is is taken into account for checks
Reported by: Nico Golde <nico@ngolde.de>
Date: Thu, 12 Jun 2008 13:33:01 UTC
Severity: grave
Tags: patch, security
Fixed in versions net-snmp/5.4.1~dfsg-8.1, net-snmp/5.4.1~dfsg-7.1+lenny1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#485945; Package net-snmp.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nico@ngolde.de>:
New Bug report received and forwarded. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: net-snmp
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for net-snmp.
CVE-2008-0960[0]:
| SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x
| before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4)
| Juniper Session and Resource Control (SRC) C-series 1.0.0 through
| 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and
| 7.3RC2; (6) SNMP Research before 16.2; and (7) multiple Cisco IOS,
| CatOS, ACE, and Nexus products; relies on the client to specify the
| HMAC length, which makes it easier for remote attackers to bypass SNMP
| authentication via a length value of 1, which only checks the first
| byte.
Upstream patch: http://sourceforge.net/tracker/download.php?group_id=12694&atid=456380&file_id=280776&aid=1989089
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
http://security-tracker.debian.net/tracker/CVE-2008-0960
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Changed Bug title to `net-snmp: CVE-2008-0960 spoofing of authenticated SNMPv3 packets because only length of HMAC code is is taken into account for checks' from `net-snmp: CVE-2008-0960 spoofing of authenticated SNMPv3 packets because of checking only one byte of HMAC value'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Thu, 12 Jun 2008 14:45:05 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#485945; Package net-snmp.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>.
(full text, mbox, link).
Message #12 received at 485945@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
I intent to upload an NMU (this time with the correct patch
:). For obvious reasons (see -private) I am going to upload
this as a 0-day NMU.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/net-snmp-5.4.1~dfsg-8_5.4.1~dfsg-8.1.patch
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[net-snmp-5.4.1~dfsg-8_5.4.1~dfsg-8.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nico@ngolde.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #17 received at 485945-close@bugs.debian.org (full text, mbox, reply):
Source: net-snmp
Source-Version: 5.4.1~dfsg-8.1
We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive:
libsnmp-base_5.4.1~dfsg-8.1_all.deb
to pool/main/n/net-snmp/libsnmp-base_5.4.1~dfsg-8.1_all.deb
libsnmp-dev_5.4.1~dfsg-8.1_amd64.deb
to pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-8.1_amd64.deb
libsnmp-perl_5.4.1~dfsg-8.1_amd64.deb
to pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-8.1_amd64.deb
libsnmp-python_5.4.1~dfsg-8.1_amd64.deb
to pool/main/n/net-snmp/libsnmp-python_5.4.1~dfsg-8.1_amd64.deb
libsnmp15_5.4.1~dfsg-8.1_amd64.deb
to pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-8.1_amd64.deb
net-snmp_5.4.1~dfsg-8.1.diff.gz
to pool/main/n/net-snmp/net-snmp_5.4.1~dfsg-8.1.diff.gz
net-snmp_5.4.1~dfsg-8.1.dsc
to pool/main/n/net-snmp/net-snmp_5.4.1~dfsg-8.1.dsc
snmp_5.4.1~dfsg-8.1_amd64.deb
to pool/main/n/net-snmp/snmp_5.4.1~dfsg-8.1_amd64.deb
snmpd_5.4.1~dfsg-8.1_amd64.deb
to pool/main/n/net-snmp/snmpd_5.4.1~dfsg-8.1_amd64.deb
tkmib_5.4.1~dfsg-8.1_all.deb
to pool/main/n/net-snmp/tkmib_5.4.1~dfsg-8.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 485945@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated net-snmp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 12 Jun 2008 22:22:52 +0200
Source: net-snmp
Binary: snmpd snmp libsnmp-base libsnmp15 libsnmp-dev libsnmp-perl libsnmp-python tkmib
Architecture: source all amd64
Version: 5.4.1~dfsg-8.1
Distribution: unstable
Urgency: high
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
libsnmp-base - SNMP (Simple Network Management Protocol) MIBs and documentation
libsnmp-dev - SNMP (Simple Network Management Protocol) development files
libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
libsnmp-python - SNMP (Simple Network Management Protocol) Python support
libsnmp15 - SNMP (Simple Network Management Protocol) library
snmp - SNMP (Simple Network Management Protocol) applications
snmpd - SNMP (Simple Network Management Protocol) agents
tkmib - SNMP (Simple Network Management Protocol) MIB browser
Closes: 485945
Changes:
net-snmp (5.4.1~dfsg-8.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* This update fixes the following security issue:
- CVE-2008-0960: The authentication code relies on the client specified
HMAC length which makes it easier for an attacker to match a correct HMAC
and authentication if a single byte HMAC is supplied (Closes: #485945)
Checksums-Sha1:
50d4c2845174b089972a7df66d476b8ad3f22728 1795 net-snmp_5.4.1~dfsg-8.1.dsc
f63af0961c588d92e77fd003d093474ba34cc950 79704 net-snmp_5.4.1~dfsg-8.1.diff.gz
a1996ecef6edbccbf6bc79d5c9fa0a1283c63859 1377786 libsnmp-base_5.4.1~dfsg-8.1_all.deb
d29f8b37d93b262b0c6fa3a5e788f3aeb13ea482 943590 tkmib_5.4.1~dfsg-8.1_all.deb
fffe7287285509aca3eb9958604d94c44f589023 957164 snmpd_5.4.1~dfsg-8.1_amd64.deb
cb40c77be6af59b77355f69329a40a3f919c27f1 1045034 snmp_5.4.1~dfsg-8.1_amd64.deb
4a4af227b2f31fc4341980d7b7d62a04bbfbfee1 2172178 libsnmp15_5.4.1~dfsg-8.1_amd64.deb
c5894a4f6338383d7daaaadc4d735fbca9979a53 2685226 libsnmp-dev_5.4.1~dfsg-8.1_amd64.deb
de8ee4a528125c0071b559169a79c9969faabdd3 1025408 libsnmp-perl_5.4.1~dfsg-8.1_amd64.deb
ccba75ee240bcbd26e11a838e60cfaff7180cb72 920236 libsnmp-python_5.4.1~dfsg-8.1_amd64.deb
Checksums-Sha256:
3d2cd2c29786d511925605edf14f008ca01017191375231dd4d7093400c005a7 1795 net-snmp_5.4.1~dfsg-8.1.dsc
4319d96d838c8118bbab2854a02284f0d0c324408a121babb595c6d4cf525e6d 79704 net-snmp_5.4.1~dfsg-8.1.diff.gz
7b2339d9d0a6843bdd6e2b016fdc4ee37afaa32ef607e20b7ff8833db3cbda7c 1377786 libsnmp-base_5.4.1~dfsg-8.1_all.deb
ba370c66adaf9592064b6ac800abf45fde1e5863a133afbc60f5cdc279863b99 943590 tkmib_5.4.1~dfsg-8.1_all.deb
c5955d170a734906f0fe081038cebbad5c4a1cda383d7f7734cde87da2e0285b 957164 snmpd_5.4.1~dfsg-8.1_amd64.deb
3118b1eb9ef30c45db7b477bb8d97b3774c1b1d28759cc4076d99f4ca2277d87 1045034 snmp_5.4.1~dfsg-8.1_amd64.deb
6604187c43dc644454469553e33c8107d4e7eee8c16adafe75479409168faf1a 2172178 libsnmp15_5.4.1~dfsg-8.1_amd64.deb
90783634c71fa8eab3ad32ea37178eb569a730c86fc6634886356f94a11b3535 2685226 libsnmp-dev_5.4.1~dfsg-8.1_amd64.deb
c0d4fb6b3176a93334f8dd9cb3542be7f492b3cf98c9915b494f75cdacc86851 1025408 libsnmp-perl_5.4.1~dfsg-8.1_amd64.deb
80038b8d751f877c642899789c3b514b93a226722e1bd8499f4d42161504dba6 920236 libsnmp-python_5.4.1~dfsg-8.1_amd64.deb
Files:
0dffb63a8d930f12673bd5f3acd9f4fd 1795 net optional net-snmp_5.4.1~dfsg-8.1.dsc
7d5a0e544ca6f51b23dffe93d658d7b3 79704 net optional net-snmp_5.4.1~dfsg-8.1.diff.gz
87f1aed1cb77c6b389869dbb32f6ef2f 1377786 libs optional libsnmp-base_5.4.1~dfsg-8.1_all.deb
962a09f0b6c59d8eb168b0a2b9a8038a 943590 net optional tkmib_5.4.1~dfsg-8.1_all.deb
3f1dc2ade65ab96059df3e4d951c7636 957164 net optional snmpd_5.4.1~dfsg-8.1_amd64.deb
f158e760b18c837571d1c2d1e3c8913e 1045034 net optional snmp_5.4.1~dfsg-8.1_amd64.deb
582ae9fbf5f1e9ab68714213a4e67da6 2172178 libs optional libsnmp15_5.4.1~dfsg-8.1_amd64.deb
bd37c0801845ec8f891e0991564cf2de 2685226 libdevel optional libsnmp-dev_5.4.1~dfsg-8.1_amd64.deb
098e415cab079f5544176dae6ba02783 1025408 perl optional libsnmp-perl_5.4.1~dfsg-8.1_amd64.deb
089613ef3b66312fb555d7fbdca97da3 920236 python optional libsnmp-python_5.4.1~dfsg-8.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkhRiOUACgkQHYflSXNkfP+iQwCfSqAEQVRBTJi9By/lzqhL6uT0
erEAnjdEMTt55SgP9iDRFxfadrtuPqbg
=kZ7e
-----END PGP SIGNATURE-----
Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nico@ngolde.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #22 received at 485945-close@bugs.debian.org (full text, mbox, reply):
Source: net-snmp
Source-Version: 5.4.1~dfsg-7.1+lenny1
We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive:
libsnmp-base_5.4.1~dfsg-7.1+lenny1_all.deb
to pool/main/n/net-snmp/libsnmp-base_5.4.1~dfsg-7.1+lenny1_all.deb
libsnmp-dev_5.4.1~dfsg-7.1+lenny1_amd64.deb
to pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-7.1+lenny1_amd64.deb
libsnmp-perl_5.4.1~dfsg-7.1+lenny1_amd64.deb
to pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-7.1+lenny1_amd64.deb
libsnmp-python_5.4.1~dfsg-7.1+lenny1_amd64.deb
to pool/main/n/net-snmp/libsnmp-python_5.4.1~dfsg-7.1+lenny1_amd64.deb
libsnmp15_5.4.1~dfsg-7.1+lenny1_amd64.deb
to pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-7.1+lenny1_amd64.deb
net-snmp_5.4.1~dfsg-7.1+lenny1.diff.gz
to pool/main/n/net-snmp/net-snmp_5.4.1~dfsg-7.1+lenny1.diff.gz
net-snmp_5.4.1~dfsg-7.1+lenny1.dsc
to pool/main/n/net-snmp/net-snmp_5.4.1~dfsg-7.1+lenny1.dsc
snmp_5.4.1~dfsg-7.1+lenny1_amd64.deb
to pool/main/n/net-snmp/snmp_5.4.1~dfsg-7.1+lenny1_amd64.deb
snmpd_5.4.1~dfsg-7.1+lenny1_amd64.deb
to pool/main/n/net-snmp/snmpd_5.4.1~dfsg-7.1+lenny1_amd64.deb
tkmib_5.4.1~dfsg-7.1+lenny1_all.deb
to pool/main/n/net-snmp/tkmib_5.4.1~dfsg-7.1+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 485945@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated net-snmp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 14 Jun 2008 10:00:45 +0000
Source: net-snmp
Binary: snmpd snmp libsnmp-base libsnmp15 libsnmp-dev libsnmp-perl libsnmp-python tkmib
Architecture: source all amd64
Version: 5.4.1~dfsg-7.1+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
libsnmp-base - SNMP (Simple Network Management Protocol) MIBs and documentation
libsnmp-dev - SNMP (Simple Network Management Protocol) development files
libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
libsnmp-python - SNMP (Simple Network Management Protocol) Python support
libsnmp15 - SNMP (Simple Network Management Protocol) library
snmp - SNMP (Simple Network Management Protocol) applications
snmpd - SNMP (Simple Network Management Protocol) agents
tkmib - SNMP (Simple Network Management Protocol) MIB browser
Closes: 485945
Changes:
net-snmp (5.4.1~dfsg-7.1+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix regression introduced by last patch, see #482333.
* Fix CVE-2008-0960: The authentication code relies on the client specified
HMAC length which makes it easier for an attacker to match a correct HMAC
and authentication if a single byte HMAC is supplied (Closes: #485945)
Checksums-Sha1:
8805f9fab1b6f97edd9dcd2954ddec6c7228289e 1823 net-snmp_5.4.1~dfsg-7.1+lenny1.dsc
7b58907c3801d9f5870770c6e255701e641579d5 79358 net-snmp_5.4.1~dfsg-7.1+lenny1.diff.gz
c64adb78e055864bfb07d7cd57704414dc90ec92 1383880 libsnmp-base_5.4.1~dfsg-7.1+lenny1_all.deb
2e05341d7406ac343c458a603e1120048ba079a6 943434 tkmib_5.4.1~dfsg-7.1+lenny1_all.deb
634847bc085e1504d1ad7925e23cd87300516eb9 956858 snmpd_5.4.1~dfsg-7.1+lenny1_amd64.deb
6f58ae635d784eba41f6b65c0a0a994b3998028b 1045018 snmp_5.4.1~dfsg-7.1+lenny1_amd64.deb
d54186897b9e8c7adf1fabc454ed1ca0874e5518 2153978 libsnmp15_5.4.1~dfsg-7.1+lenny1_amd64.deb
7287000f04c2662ea67a15c50125e9afca1844f7 2659504 libsnmp-dev_5.4.1~dfsg-7.1+lenny1_amd64.deb
9dafc83b8c69ed95fe317198bdf2c0fa2f4a6315 1024628 libsnmp-perl_5.4.1~dfsg-7.1+lenny1_amd64.deb
0438c223c1db9981543bef3444803cfb97bc4077 918996 libsnmp-python_5.4.1~dfsg-7.1+lenny1_amd64.deb
Checksums-Sha256:
2f7e96f573d5e3adc21923b1478e646b5f21102e8ae070cbf385a1309c3b5d56 1823 net-snmp_5.4.1~dfsg-7.1+lenny1.dsc
20e1a088fe49bb6be50465ef4bf2f4094a37eb535c245b2137fc878cc7981e97 79358 net-snmp_5.4.1~dfsg-7.1+lenny1.diff.gz
84bfce9fa0ead003a963b4b720848a3f1b252ad7065efdf8be8004f016dc2735 1383880 libsnmp-base_5.4.1~dfsg-7.1+lenny1_all.deb
2b30212972de31fc1e388496268d8ee77582c31363f03ab093e8eef2956578a6 943434 tkmib_5.4.1~dfsg-7.1+lenny1_all.deb
37bca945319b39b8d51aef7e0338f3a018db52c43e64803ef421ae2e6d2228ee 956858 snmpd_5.4.1~dfsg-7.1+lenny1_amd64.deb
7d647d68bcb8cdfe7cb61f6051c6f7c8dcb54ef6bf25e19069fcc99c58b37a08 1045018 snmp_5.4.1~dfsg-7.1+lenny1_amd64.deb
6eda6a841c6a81f342f455eccd1bfe1dacfa7c30c49e95e91df49fe14a417415 2153978 libsnmp15_5.4.1~dfsg-7.1+lenny1_amd64.deb
316323e1a877bb5a564708825dda3651cd6b9bf5f1ff71546e72ca7873a70cbf 2659504 libsnmp-dev_5.4.1~dfsg-7.1+lenny1_amd64.deb
42a4c07df9465b75391a5a2b99db8a62dd45da7c6d52179c60427662478e2573 1024628 libsnmp-perl_5.4.1~dfsg-7.1+lenny1_amd64.deb
acd3aa9370b32b0a7f5c3d122749016580e5ca6f3340e924a7f0be02fa4afaaf 918996 libsnmp-python_5.4.1~dfsg-7.1+lenny1_amd64.deb
Files:
b405a861d453688783c61a598ca1d90e 1823 net optional net-snmp_5.4.1~dfsg-7.1+lenny1.dsc
cea7db757858104479d2da0251141fe7 79358 net optional net-snmp_5.4.1~dfsg-7.1+lenny1.diff.gz
ee8a77db5d35ba6992f1c66ab9807a8d 1383880 libs optional libsnmp-base_5.4.1~dfsg-7.1+lenny1_all.deb
5b4e96287b2f066b69a03d91777b2335 943434 net optional tkmib_5.4.1~dfsg-7.1+lenny1_all.deb
cefe1abb495b9697294d370becddf1c6 956858 net optional snmpd_5.4.1~dfsg-7.1+lenny1_amd64.deb
6a1501a79bd26983b834af7538817623 1045018 net optional snmp_5.4.1~dfsg-7.1+lenny1_amd64.deb
5c98b1d85d5bd805b8c8590406bf2c9b 2153978 libs optional libsnmp15_5.4.1~dfsg-7.1+lenny1_amd64.deb
83f0811d6b70c026cdea480f39f5b8f6 2659504 libdevel optional libsnmp-dev_5.4.1~dfsg-7.1+lenny1_amd64.deb
89aab844283310420bb23d1efacac019 1024628 perl optional libsnmp-perl_5.4.1~dfsg-7.1+lenny1_amd64.deb
343bb2c5d9cd13f171a6333fe1d01a7a 918996 python optional libsnmp-python_5.4.1~dfsg-7.1+lenny1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkhT6LIACgkQHYflSXNkfP+3PACfcdT+3a3yvn/7mdOK96C6uoEV
7e8An2vK6u4UBgmF26+t5npQgmqZk/t+
=BxK6
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 25 Jul 2008 07:30:35 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:43:20 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon