SNMP Security Vulnerability in all AMP versions before 6.0.4

Aruba Employee

There are 2 publicly known security vulnerabilities in Net-SNMP, which is a package AMP uses for SNMP communication. The effects of the vulnerabilities are fairly minor, but we recommend all customers address the issue. Details are below.

FAQ:

Q. Should I do anything?
A. Yes. 

Q. I have AMP 6.0.x. What should I do?
A. Run the start_amp_upgrade script to upgrade to 6.0.4:

# start_amp_upgrade -v 6.0.4

Q. I have an older version of AMP and I have verified in the Hardware Sizing Guide that I can upgrade on my hardware. What should I do?
A. You could upgrade to 6.0.4 like this:

# start_amp_upgrade -v 6.0.4

Q. I have an older version of AMP but it doesn't make sense for me to upgrade to 6.0.4. What should I do?
A. The rpm files are available on our website. You can download and install all of them with this one command (starting with "for" and ending with "done"):

# for x in net-snmp-aw-5.2.1.2-FC3.13.i386.rpm net-snmp-aw-perl-5.2.1.2-FC3.13.i386.rpm net-snmp-aw-libs-5.2.1.2-FC3.13.i386.rpm net-snmp-aw-utils-5.2.1.2-FC3.13.i386.rpm; do wget www.airwave.com/support/rpms/$x; rpm -Uvh $x; done

Q. My AMP does not have internet access. Can I download these files to my desktop then copy them to the AMP and install them?
A. Yes. The URLs are:

www.airwave.com/support/rpms/net-snmp-aw-5.2.1.2-FC3.13.i386.rpm 
www.airwave.com/support/rpms/net-snmp-aw-perl-5.2.1.2-FC3.13.i386.rpm 
www.airwave.com/support/rpms/net-snmp-aw-libs-5.2.1.2-FC3.13.i386.rpm 
www.airwave.com/support/rpms/net-snmp-aw-utils-5.2.1.2-FC3.13.i386.rpm

After you've downloaded them, copy them to the /tmp directory on your AMP with WinSCP and do this:

# rpm -Uvh /tmp/net-snmp-aw*

Q. How can I learn more about the vulnerabilities?
A. Read below, and check out the links.

CVE-2008-0960 - A vulnerability in the way implementations of SNMPv3 handle specially crafted packets may allow authentication bypass

This vulnerability only applies to customers using SNMPv3 for communication between AMP and their WLAN infrastructure.

Vulnerability Description
Authentication for SNMPv3 is done using a keyed-hash message authentication code (HMAC), which is calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of one byte. Reducing the HMAC to one byte makes brute-force authentication trivial.

Impact
Remote attackers may be able to read and modify any SNMP object and configuration on a vulnerable system's SNMP agent. The attacker's ability to read and modify objects would be constrained to the privileges of the account used to authenticate to the vulnerable system. Because AMP acts as an SNMP manager, not an agent, an attacker can only send malicious packets to AMP as responses to get requests. This could cause invalid monitoring or configuration audit data to be saved to AMP, or it could interrupt configuration audit and monitoring processes. We strongly suggest that you contact your WLAN hardware vendor to determine whether a software upgrade is needed for your access points or controllers.

Note: If you enable a privacy password on both your infrastructure and AMP, you will make it much more difficult for an attacker to create a valid authentication message.

For additional information, please use the following link: http://www.us-cert.gov/cas/techalerts/TA08-162A.html
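The shortened-HMAC flaw described under CVE-2008-0960, shown as an added example that is not Net-SNMP or AMP code: a check that trusts the sender's authenticator length next to one that enforces the 12-octet HMAC-SHA-96 length, plus a length audit over captured fields. The key, message, source names and function names are constructed for illustration, and the HMAC is computed over a plain byte string rather than a real encoded SNMPv3 message.

```python
import hashlib
import hmac

USM_AUTH_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 authenticators are 12 octets (RFC 3414)


def expected_authenticator(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-96: HMAC-SHA1 over the message, truncated to 12 octets."""
    return hmac.new(key, message, hashlib.sha1).digest()[:USM_AUTH_LEN]


def verify_flawed(key: bytes, message: bytes, received: bytes) -> bool:
    """Flawed pattern: trusts the sender's length and compares only that many octets."""
    expected = expected_authenticator(key, message)
    return len(received) >= 1 and expected[:len(received)] == received


def verify_strict(key: bytes, message: bytes, received: bytes) -> bool:
    """Hardened check: require the full 12 octets, then compare in constant time."""
    if len(received) != USM_AUTH_LEN:
        return False
    return hmac.compare_digest(expected_authenticator(key, message), received)


def flag_bad_lengths(records):
    """Return sources whose authenticator field is not exactly 12 octets long."""
    return [src for src, auth in records if len(auth) != USM_AUTH_LEN]


# Constructed sample data (hypothetical key, message and source names).
KEY = b"constructed-localized-key"
MESSAGE = b"constructed SNMPv3 message with zeroed authenticator field"
FULL = expected_authenticator(KEY, MESSAGE)
RECORDS = [("ap-1", FULL), ("ap-2", FULL[:1]), ("controller-1", FULL)]

if __name__ == "__main__":
    print("flawed accepts 1-octet value:", verify_flawed(KEY, MESSAGE, FULL[:1]))
    print("strict accepts 1-octet value:", verify_strict(KEY, MESSAGE, FULL[:1]))
    print("strict accepts full value:   ", verify_strict(KEY, MESSAGE, FULL))
    print("unexpected lengths from:     ", flag_bad_lengths(RECORDS))
```

With a one-octet field the flawed check is matching against only 256 possible values, which is why the fixed packages matter even though AMP only acts as an SNMP manager.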

CVE-2008-2292 - A buffer overflow vulnerability in the Perl Net-SNMP module

Vulnerability Description
The vulnerability is caused due to a boundary error within the "__snprint_value()" function in perl/SNMP/SNMP.xs.

Impact
Remote attackers can cause a denial of service (crash) and possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP).

For additional information, please use the following link: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2292

Version history
Revision #: 1 of 1
Last update: 06-09-2014 10:13 AM