Home > CERT Vulnerability issue

WebNMS FrameWork CLI API 2.0

WebNMS products are free from the CERT Vulnerability issue (VU#878044)

The US-CERT (United States Computer Emergency Readiness Team) has described an SNMPv3 Authentication vulnerability in their Vulnerability Note VU#878044.

In the description, they have given the following;

"SNMP can be configured to utilize version 3, which is the current standard version of SNMP. SNMPv3 incorporates security features such as authentication and privacy control among other features. Authentication for SNMPv3 is done using keyed-Hash Message Authentication Code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte."

With regard to our WebNMS SNMP products, namely

  • WebNMS SNMP API Java Edition
  • WebNMS SNMP API Android Edition
  • WebNMS SNMP Agent Toolkit Java Edition
  • WebNMS SNMP Agent Toolkit C Edition
  • WebNMS Simulation Toolkit
  • WebNMS SNMP Utilities
  • WebNMS Agent Tester
  • WebNMS SNMP Adaptor for JMX
  • WebNMS Management Framework

We would like to state that the products DO NOT have the above mentioned authentication vulnerability at all, because the products have already checked for the correct length of the HMAC code. A packet with a shortened HMAC code in the authenticator field, is altogether dropped and appropriate error is notified. So, this vulnerability issue (VU#878044) is not present in any of our ZOHO Corporation products. Hence there is no specific action to be taken by the users of WebNMS products, with regard to this vulnerability issue.

Please feel free to contact us for any clarification.

References:

  1. oCERT Advisory http://www.ocert.org/advisories/ocert-2008-006.html
  2. US-CERT -- Vulnerability Note VU#878044 -- SNMPv3 improper HMAC validation allows authentication bypass http://www.kb.cert.org/vuls/id/878044
  3. US-CERT -- SNMPv3 Authentication Bypass vulnerability -- http://www.us-cert.gov/cas/techalerts/TA08-162A.html