Cisco reports SNMP authentication flaws
Networking giant Cisco has issued a security advisory warning users of two authentication vulnerabilities in version 3 of SNMP, the widely-adopted Internet protocol element used by network management systems to monitor device activity.
Patches for the flaws have been made available and the US-CERT also issued a related warning that includes a list of many other vendors' products affected by the vulnerabilities. SNMP versions 1, 2 and 2c are not impacted by the issues, and Cisco also published workaround information for handling the problems in its products.
According to the advisory, the reported authentication vulnerabilities could potentially be exploited to garner access to systems data or to alter network device configurations.
Cisco said that the vulnerabilities could be exploited if affected systems process a malformed SNMPv3 message, allowing for "the disclosure of network information" or letting "an attacker perform configuration changes to vulnerable devices."
The company highlighted the fact that the vulnerabilities affect a wide range of its products, although most of the systems are shipped with SNMP turned off by default.
In a note distributed by security training specialists SANS Institute, noted pen testing expert and SANS instructor Ed Skoudis highlighted the fact that the flaws are interesting from the standpoint that SNMPv3 is considered a significant security upgrade over the previous iterations of the protocol.
"Because SNMP messages occur over [User Datagram Protocol], they can be easily spoofed," Skoudis wrote. "One can imagine tools that spray spoofed UDP messages into a target environment that take advantage of this flaw."
Secunia has also posted a security notice highlighting a Cisco VPN client deterministic network enhancer privilege escalation vulnerability. That issue has also been addressed with a patch, and the researchers ranked it as merely "less critical," the second lowest severity rating on its 5-rung ratings scale.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.