WebNMS products are free from the CERT Vulnerability issue (VU#878044)
The US-CERT (United States Computer Emergency Readiness Team) has described an SNMPv3 Authentication vulnerability in their Vulnerability Note VU#878044.
In the description, they have given the following;
"SNMP can be configured to utilize version 3, which is the current standard version of SNMP. SNMPv3 incorporates security features such as authentication and privacy control among other features. Authentication for SNMPv3 is done using keyed-Hash Message Authentication Code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte."
With regard to our WebNMS SNMP products, namely
WebNMS SNMP API Java Edition
WebNMS SNMP Agent Toolkit Java Edition
WebNMS SNMP Agent Toolkit C Edition
WebNMS Simulation Toolkit
WebNMS SNMP Utilities
WebNMS Agent Tester
WebNMS SNMP Adaptor for JMX
WebNMS Management Framework
We would like to state that the products DO NOT have the above mentioned authentication vulnerability at all, because the products have already checked for the correct length of the HMAC code. A packet with a shortened HMAC code in the authenticator field, is altogether dropped and appropriate error is notified. So, this vulnerability issue (VU#878044) is not present in any of our ZOHO Corporation products. Hence there is no specific action to be taken by the users of WebNMS products, with regard to this vulnerability issue.
Please feel free to contact us for any clarification.
