CERT RENATER
Contact us
- Email: cert@support.renater.fr
- Web: CERT pages
- Phone: 01.53.94.20.44
- Fax: 01.53.94.20.31
===================================================================
CERT-Renater

Information Note No. 2012/VULN426
____________________________________________________________________

DATE : 24/10/2012

HARDWARE PLATFORM(S): HP/H3C networking equipment, Huawei networking equipment.

OPERATING SYSTEM(S) : HP/H3C networking equipment firmware, Huawei networking equipment firmware.

======================================================================
http://www.kb.cert.org/vuls/id/225404
______________________________________________________________________

Vulnerability Note VU#225404

HP/H3C and Huawei networking equipment h3c-user snmp vulnerability

Original Release date: 24 Oct 2012 | Last revised: 24 Oct 2012

Overview

HP/H3C and Huawei networking equipment contains a vulnerability which could allow an attacker to access administrative functions of the device using Simple Network Management Protocol (SNMP) requests.

Description

According to the researcher's report:

"HP/H3C and Huawei networking equipment suffers from a serious weakness in regards to their handling of Systems Network Management Protocol (SNMP) requests for protected h3c-user.mib and hh3c-user.mib objects.

Details

Huawei/H3C have two OIDs, 'old' and 'new':

    old: 1.3.6.1.4.1.2011.10
    new: 1.3.6.1.4.1.25506

Most devices support both formats.

The MIBs h3c-user.mib and hh3c-user.mib, for the purpose of this document, will be referred to as (h)h3c-user.mib. This MIB defines the internal table and objects to "Manage configuration and Monitor running state for userlog feature."

This means there are some cool objects with data in this MIB penetration testers or malicious actors would want to get their dirty little hands on. Most objects are only accessible with the read/write community string.
In the revision history of (h)h3c-user.mib, version 2.0 modified the MAX-ACCESS from read-only to read-create the following objects within the (h)h3cUserInfoEntry sequence:

    - (h)h3cUserName
    - (h)h3cUserPassword
    - (h)h3cAuthMode
    - (h)h3cUserLevel

The purpose of these objects is to provide the locally configured users to those with a valid SNMP community. After the change only those with the read-write community string should have access, however this was not the case and the code still retained the earlier access of read-only. So if you have the SNMP public community string then you have the ability to view these entries."

Additional information can be found in the researcher's report.

Impact

A remote unauthenticated attacker can access administrative functions of the device using Simple Network Management Protocol (SNMP) requests.

Solution

Update

HP: Customers are advised to check HP's SSRT100962 support document for instructions.

Huawei: We are currently unaware of a practical solution to this problem.

According to the researcher's report:

"By itself this is already bad but most users who do any of the following may already be protected:

    - Use complex SNMP community strings or disable SNMPv1
    - Have disabled the mib entries for (h)h3c-user
    - Block SNMP using access controls or firewalls
    - Do not define local users, use RADIUS or TACACS+

More specific routines can be found in the vendor's release."

Vendor Information

    Vendor                    Status     Date Notified   Date Updated
    Hewlett-Packard Company   Affected   06 Aug 2012     24 Oct 2012
    Huawei Technologies       Affected   -               24 Oct 2012
    3com Inc                  Unknown    06 Aug 2012     06 Aug 2012

If you are a vendor and your product is affected, let us know.
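A detection-side companion to the "Block SNMP using access controls or firewalls" mitigation, added here as an example and not part of the CERT/CC note or the researcher's report: it flags SNMP requests that reach the two enterprise roots listed under Details from sources outside a management range. The note does not give the OID of the (h)h3c-user subtree, so the match is on the two roots; the log format, the management range and the OID suffixes in the sample are assumptions constructed for the example.

```python
import ipaddress

# The two enterprise roots named in the advisory ('old' and 'new').
WATCHED_ROOTS = {
    "old": (1, 3, 6, 1, 4, 1, 2011, 10),
    "new": (1, 3, 6, 1, 4, 1, 25506),
}
# Assumption: the only range allowed to poll devices (constructed value).
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]
# Constructed sample lines, hypothetical key=value format, made-up OID suffixes.
SAMPLE_LOG = """\
2012-10-24T09:00:01Z src=192.0.2.5 ver=2c op=getnext oid=1.3.6.1.4.1.25506.9.9
2012-10-24T09:00:07Z src=198.51.100.23 ver=1 op=getnext oid=.1.3.6.1.4.1.2011.10.9.9
2012-10-24T09:00:09Z src=198.51.100.23 ver=1 op=get oid=1.3.6.1.4.1.2011.100.1
2012-10-24T09:00:12Z src=203.0.113.9 ver=2c op=getbulk oid=1.3.6.1.4.1.25506
2012-10-24T09:00:15Z src=203.0.113.9 ver=2c op=get oid=1.3.6.1.4.1.255061.1
2012-10-24T09:00:20Z src=203.0.113.9 ver=2c op=getnext oid=1.3.6.1.4.1
"""


def parse_oid(text):
    """'.1.3.6' or '1.3.6' -> (1, 3, 6): compare arcs, never raw strings."""
    return tuple(int(arc) for arc in text.strip(".").split("."))


def touches(oid, root, op):
    """True if the request can return objects under root."""
    under = oid[:len(root)] == root
    # A GETNEXT/GETBULK that starts above the root walks down into it.
    walks_in = op in ("getnext", "getbulk") and root[:len(oid)] == oid
    return under or walks_in


def suspicious_requests(log_text, mgmt_nets=MGMT_NETS):
    """List (src, oid, [root labels]) for watched requests from outside mgmt_nets."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if any(ipaddress.ip_address(fields["src"]) in n for n in mgmt_nets):
            continue
        oid = parse_oid(fields["oid"])
        labels = [k for k, r in WATCHED_ROOTS.items() if touches(oid, r, fields["op"])]
        if labels:
            hits.append((fields["src"], fields["oid"], labels))
    return hits


if __name__ == "__main__":
    print(*suspicious_requests(SAMPLE_LOG), sep="\n")
```

Comparing arcs rather than strings is what keeps 1.3.6.1.4.1.2011.100 and 1.3.6.1.4.1.255061 from being mistaken for the watched roots.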
CVSS Metrics

    Group           Score   Vector
    Base            9.3     AV:N/AC:M/Au:N/C:C/I:C/A:C
    Temporal        7.7     E:F/RL:OF/RC:C
    Environmental   7.7     CDP:MH/TD:H/CR:ND/IR:ND/AR:ND

References

    http://grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html
    https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685&ac.admitted51086123601.876444892.492883150

Credit

Thanks to Kurt Grutzmacher for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

    CVE IDs: CVE-2012-3268
    Date Public: 23 Oct 2012
    Date First Published: 24 Oct 2012
    Date Last Updated: 24 Oct 2012
    Document Revision: 12

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================