Authentication vulnerability in some implementations of SNMPv3 (CERT/CC VU#878044)

Article ID: JSA10382 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 2.0
Legacy Advisory Id:
PSN-2008-06-005
Product Affected:
C-series Session and Resource Control appliances
Problem:
Certain implementations of SNMPv3 have a minor deficiency in the way HMAC authentication is performed. This can lead to isolated cases of spoofed SNMPv3 authentication.

This issue is tracked in TIC.14989 and TIC.14990 for C-series Session and Resource Control appliances running SRC. US-CERT has assigned VU#878044 to track this vulnerability.

No other Juniper Networks products are affected by this vulnerability.
Solution:
The code has been modified to properly perform HMAC authentication. These modifications eliminate this method of being erroneously authenticated to the device.
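
The advisory does not show the corrected code. As an added example (not Juniper's code), the check below follows the RFC 3414 rule that msgAuthenticationParameters must be exactly 12 octets for HMAC-MD5-96 and HMAC-SHA-96, and compares the full value in constant time. The function names, the constructed sample message, and the `mac_offset`/`mac_len` parameters (assumed to come from the message decoder) are hypothetical.

```python
import hashlib
import hmac

MAC_LEN = 12  # RFC 3414: both HMAC-MD5-96 and HMAC-SHA-96 carry exactly 12 octets
DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def compute_mac(auth_key, whole_msg, mac_offset, digest="sha1"):
    """HMAC over the message with the auth field zeroed, truncated to 96 bits."""
    zeroed = whole_msg[:mac_offset] + bytes(MAC_LEN) + whole_msg[mac_offset + MAC_LEN:]
    return hmac.new(auth_key, zeroed, DIGESTS[digest]).digest()[:MAC_LEN]


def verify_incoming(auth_key, whole_msg, mac_offset, mac_len, digest="sha1"):
    """Return True only for a full-length, matching authentication field.

    mac_offset and mac_len are where the decoder found the field and the
    length the sender encoded for it; both are untrusted input.
    """
    # The length is checked against the constant, never taken from the message.
    if mac_len != MAC_LEN:
        return False
    if mac_offset < 0 or mac_offset + MAC_LEN > len(whole_msg):
        return False
    received = whole_msg[mac_offset:mac_offset + MAC_LEN]
    expected = compute_mac(auth_key, whole_msg, mac_offset, digest)
    # Constant-time comparison over all 12 octets.
    return hmac.compare_digest(received, expected)


def sign(auth_key, header, body, digest="sha1"):
    """Constructed sender side: place a valid MAC between header and body."""
    msg = header + bytes(MAC_LEN) + body
    mac = compute_mac(auth_key, msg, len(header), digest)
    return header + mac + body, len(header)


if __name__ == "__main__":
    key = bytes(range(20))  # constructed localized key, not a real credential
    msg, off = sign(key, b"constructed-header", b"constructed-pdu")
    print("full-length field accepted:", verify_incoming(key, msg, off, MAC_LEN))
    print("shortened field accepted:  ", verify_incoming(key, msg, off, 1))
```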
Implementation:
Customers running SRC 1.0.0, 1.0.1, or 2.0.0 should contact Juniper Networks Customer Support to obtain updated versions of the software for the C-series platform. Customers utilizing a C-series Session and Resource Control appliance should upgrade their software to a release dated after June 13, 2008.

Workarounds:
There are several mitigation techniques available to avoid this authentication vulnerability:

  • Disable SNMPv3 on the affected device.
  • Restrict access to SNMPv3 via access lists.

Disclaimer: Juniper Networks is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Juniper Networks expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of noninfringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Juniper Networks may change this notice at any time.

Severity Level:
Low
Severity Assessment:
While the threat of spoofed SNMP authentication can be cause for concern, SNMPv3 is not yet widely deployed. Additionally, there are simple mitigation techniques available.
