PT-2008-6960 · Net Snmp+9 · Net-Snmp-32Bit+24
Maurizio Agazzini · Published 1970-01-01 · Updated 2018-10-30 · CVE-2008-0960
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Net-SNMP versions 5.2.x through 5.2.4, versions 5.3.x through 5.3.2, and versions 5.4.x through 5.4.1
UCD-SNMP (affected versions not specified)
eCos (affected versions not specified)
Juniper Session and Resource Control (SRC) C-series versions 1.0.0 through 2.0.0
NetApp (aka Network Appliance) Data ONTAP versions 7.3RC1 and 7.3RC2
SNMP Research versions prior to 16.2
Multiple Cisco IOS, CatOS, ACE, and Nexus products (affected versions not specified)
Ingate Firewall versions 3.1.0 and later and SIParator versions 3.1.0 and later
HP OpenView SNMP Emanate Master Agent versions 15.x
net-snmp-x86 (affected versions not specified)
net-snmp-64bit (affected versions not specified)
net-snmp-32bit (affected versions not specified)
net-snmp-devel (affected versions not specified)
libsnmp15 (affected versions not specified)
snmp-mibs (affected versions not specified)
ucd-snmp-4.2.5
ucd-snmp-devel-4.2.5
ucd-snmp-utils-4.2.5
Description
The issue concerns multiple vulnerabilities in various SNMP packages that can compromise the confidentiality, integrity, and availability of protected information and can be exploited remotely. The SNMPv3 HMAC verification relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited.
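The flawed check described above, next to a hardened form, as an added example. It is not code from Net-SNMP or any other affected product; the function names and sample bytes are hypothetical, and the expected MAC is assumed to have been computed already by the receiver.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* HMAC-MD5-96 and HMAC-SHA-96 truncate the MAC to 12 octets (RFC 3414). */
#define USM_AUTH_MAC_LEN 12

/* Flawed pattern: the comparison length is taken from the received
 * msgAuthenticationParameters field, so a 1-octet field is checked
 * against only the first octet of the locally computed MAC. */
int verify_mac_flawed(const unsigned char *expected,
                      const unsigned char *received, size_t received_len)
{
    if (received_len > USM_AUTH_MAC_LEN)
        return 0;
    return memcmp(expected, received, received_len) == 0;
}

/* Hardened pattern: the length is fixed by the configured authentication
 * protocol, never by the sender, and the loop does not exit early. */
int verify_mac_fixed(const unsigned char *expected,
                     const unsigned char *received, size_t received_len)
{
    unsigned char diff = 0;
    size_t i;

    if (received_len != USM_AUTH_MAC_LEN)
        return 0;                      /* reject short or long fields */
    for (i = 0; i < USM_AUTH_MAC_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ received[i]);
    return diff == 0;
}

/* Constructed sample values, not taken from any real device or capture. */
static const unsigned char sample_expected[USM_AUTH_MAC_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x44, 0xb8, 0x10, 0x6f, 0xd3, 0x29, 0x7e
};
static const unsigned char sample_short[1] = { 0x3a };

int main(void)
{
    printf("flawed check, 1-octet field: %d\n",
           verify_mac_flawed(sample_expected, sample_short, 1));
    printf("fixed check,  1-octet field: %d\n",
           verify_mac_fixed(sample_expected, sample_short, 1));
    return 0;
}
```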
Recommendations
For Net-SNMP versions 5.2.x through 5.2.4, update to version 5.2.4.1 or later.
For Net-SNMP versions 5.3.x through 5.3.2, update to version 5.3.2.1 or later.
For Net-SNMP versions 5.4.x through 5.4.1, update to version 5.4.1.1 or later.
For UCD-SNMP, update to a version that fixes the vulnerability, if available.
For eCos, update to a version that fixes the vulnerability, if available.
For Juniper Session and Resource Control (SRC) C-series, update to a version later than 2.0.0.
For NetApp (aka Network Appliance) Data ONTAP, update to a version later than 7.3RC2.
For SNMP Research, update to version 16.2 or later.
For Cisco products, apply the workaround or update to a fixed version, as described in the Cisco security advisory.
For Ingate Firewall and SIParator, update to a version that fixes the vulnerability, if available.
For HP OpenView SNMP Emanate Master Agent, update to a version that fixes the vulnerability, if available.
For net-snmp-x86, net-snmp-64bit, net-snmp-32bit, net-snmp-devel, libsnmp15, and snmp-mibs, update to a version that fixes the vulnerability, if available.
For ucd-snmp-4.2.5, ucd-snmp-devel-4.2.5, and ucd-snmp-utils-4.2.5, update to a version that fixes the vulnerability, if available.
As a temporary workaround, consider disabling the SNMP service until a patch is available. Restrict access to the vulnerable SNMP modules to minimize the risk of exploitation. Avoid using the vulnerable HMAC length value of 1 in the SNMPv3 authentication process until the issue is resolved.
Weakness Enumeration
Improper Authentication
Affected Products
Cisco ACE
Cisco CatOS
Cisco IOS
Cisco IOS XR
Cisco Nexus
Cisco Wls
HP OpenView SNMP Emanate Master Agent
Ingate Firewall
Ingate SIParator
Juniper Session/Resource Control (SRC) C-series
Net-SNMP
NetApp Data ONTAP
Red Hat
SNMP Research
UCD-SNMP
eCos
libsnmp15
net-snmp-32bit
net-snmp-64bit
net-snmp-devel
net-snmp-x86
snmp-mibs
ucd-snmp-4.2.5
ucd-snmp-devel-4.2.5
ucd-snmp-utils-4.2.5