Vulnerability Monitor

CVE-2008-0960


SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.


Published

2008-06-10T18:32:00.000

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 10.0 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

10.0

Weaknesses
  • Type: Primary
    CWE-287

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Operating System cisco catos 7.1.1 No
Operating System cisco catos 7.3.1 No
Operating System cisco catos 7.4.1 No
Operating System cisco catos 8.3 No
Operating System cisco cisco_ios 12.0 No
Operating System cisco cisco_ios 12.0 No
Operating System cisco cisco_ios 12.1 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.2 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.3 No
Operating System cisco cisco_ios 12.4 No
Operating System cisco cisco_ios 12.4 No
Operating System cisco cisco_ios 12.4 No
Operating System cisco cisco_ios 12.4 No
Operating System cisco cisco_ios 12.4 No
Operating System cisco cisco_ios 12.4 No
Operating System cisco cisco_ios 12.4 No
Operating System cisco cisco_ios 12.4 No
Operating System cisco ios 10.0 No
Operating System cisco ios 11.0 No
Operating System cisco ios 11.1 No
Operating System cisco ios 11.3 No
Operating System cisco ios 12.2 No
Operating System cisco ios_xr 2.0 No
Operating System cisco ios_xr 3.0 No
Operating System cisco ios_xr 3.2 No
Operating System cisco ios_xr 3.3 No
Operating System cisco ios_xr 3.4 No
Operating System cisco ios_xr 3.5 No
Operating System cisco ios_xr 3.6 No
Operating System cisco ios_xr 3.7 No
Operating System cisco nx_os 4.0 No
Operating System cisco nx_os 4.0.1 No
Operating System cisco nx_os 4.0.2 No
Operating System ecos_sourceware ecos 1.1 No
Operating System ecos_sourceware ecos 1.2.1 No
Operating System ecos_sourceware ecos 1.3.1 No
Operating System ecos_sourceware ecos 2.0 No
Operating System ecos_sourceware ecos 2.0 No
Operating System net-snmp net_snmp 5.0 No
Operating System net-snmp net_snmp 5.0.1 No
Operating System net-snmp net_snmp 5.0.2 No
Operating System net-snmp net_snmp 5.0.3 No
Operating System net-snmp net_snmp 5.0.4 No
Operating System net-snmp net_snmp 5.0.5 No
Operating System net-snmp net_snmp 5.0.6 No
Operating System net-snmp net_snmp 5.0.7 No
Operating System net-snmp net_snmp 5.0.8 No
Operating System net-snmp net_snmp 5.0.9 No
Operating System net-snmp net_snmp 5.1 No
Operating System net-snmp net_snmp 5.1.1 No
Operating System net-snmp net_snmp 5.1.2 No
Operating System net-snmp net_snmp 5.2 No
Operating System net-snmp net_snmp 5.3 No
Operating System net-snmp net_snmp 5.3.0.1 No
Operating System net-snmp net_snmp 5.4 No
Operating System sun solaris 10.0 No
Operating System sun sunos 5.10 No
Hardware cisco ace_10_6504_bundle_with_4_gbps_throughput * No
Hardware cisco ace_10_6509_bundle_with_8_gbps_throughput * No
Hardware cisco ace_10_service_module * No
Hardware cisco ace_20_6504_bundle_with__4gbps_throughput * No
Hardware cisco ace_20_6509_bundle_with_8gbps_throughput * No
Hardware cisco ace_20_service_module * No
Hardware cisco ace_4710 * No
Hardware cisco ace_xml_gateway 5.2 No
Hardware cisco ace_xml_gateway 6.0 No
Hardware cisco mds_9120 * No
Hardware cisco mds_9124 * No
Hardware cisco mds_9134 * No
Hardware cisco mds_9140 * No
Hardware ingate ingate_firewall 2.2.0 No
Hardware ingate ingate_firewall 2.2.1 No
Hardware ingate ingate_firewall 2.2.2 No
Hardware ingate ingate_firewall 2.3.0 No
Hardware ingate ingate_firewall 2.4.0 No
Hardware ingate ingate_firewall 2.4.1 No
Hardware ingate ingate_firewall 2.5.0 No
Hardware ingate ingate_firewall 2.6.0 No
Hardware ingate ingate_firewall 2.6.1 No
Hardware ingate ingate_firewall 3.0.2 No
Hardware ingate ingate_firewall 3.1.0 No
Hardware ingate ingate_firewall 3.1.1 No
Hardware ingate ingate_firewall 3.1.3 No
Hardware ingate ingate_firewall 3.1.4 No
Hardware ingate ingate_firewall 3.2.0 No
Hardware ingate ingate_firewall 3.2.1 No
Hardware ingate ingate_firewall 3.2.2 No
Hardware ingate ingate_firewall 3.3.1 No
Hardware ingate ingate_firewall 4.1.0 No
Hardware ingate ingate_firewall 4.1.3 No
Hardware ingate ingate_firewall 4.2.1 No
Hardware ingate ingate_firewall 4.2.2 No
Hardware ingate ingate_firewall 4.2.3 No
Hardware ingate ingate_firewall 4.3.1 No
Hardware ingate ingate_firewall 4.4.1 No
Hardware ingate ingate_firewall 4.4.2 No
Hardware ingate ingate_firewall 4.5.1 No
Hardware ingate ingate_firewall 4.5.2 No
Hardware ingate ingate_firewall 4.6.0 No
Hardware ingate ingate_firewall 4.6.1 No
Hardware ingate ingate_firewall 4.6.2 No
Hardware ingate ingate_siparator 2.2.0 No
Hardware ingate ingate_siparator 2.2.1 No
Hardware ingate ingate_siparator 2.2.2 No
Hardware ingate ingate_siparator 2.3.0 No
Hardware ingate ingate_siparator 2.4.0 No
Hardware ingate ingate_siparator 2.4.1 No
Hardware ingate ingate_siparator 2.5.0 No
Hardware ingate ingate_siparator 2.6.0 No
Hardware ingate ingate_siparator 2.6.1 No
Hardware ingate ingate_siparator 3.0.2 No
Hardware ingate ingate_siparator 3.1.0 No
Hardware ingate ingate_siparator 3.1.1 No
Hardware ingate ingate_siparator 3.1.3 No
Hardware ingate ingate_siparator 3.1.4 No
Hardware ingate ingate_siparator 3.2.0 No
Hardware ingate ingate_siparator 3.2.1 No
Hardware ingate ingate_siparator 3.2.2 No
Hardware ingate ingate_siparator 3.3.1 No
Hardware ingate ingate_siparator 4.1.0 No
Hardware ingate ingate_siparator 4.1.3 No
Hardware ingate ingate_siparator 4.2.1 No
Hardware ingate ingate_siparator 4.2.2 No
Hardware ingate ingate_siparator 4.2.3 No
Hardware ingate ingate_siparator 4.3.1 No
Hardware ingate ingate_siparator 4.3.4 No
Hardware ingate ingate_siparator 4.4.1 No
Hardware ingate ingate_siparator 4.4.2 No
Hardware ingate ingate_siparator 4.5.1 No
Hardware ingate ingate_siparator 4.5.2 No
Hardware ingate ingate_siparator 4.6.0 No
Hardware ingate ingate_siparator 4.6.1 No
Hardware ingate ingate_siparator 4.6.2 No
Application juniper session_and_resource_control 1.0 Yes
Application juniper session_and_resource_control 2.0 Yes
Application juniper src_pe 1.0 Yes
Application juniper src_pe 2.0 Yes

References