Discussion:
Username existence disclosure from Agent
Madhusudhana R
2017-05-05 09:16:12 UTC
Hi Coders,

Regarding a security related finding...

When an incorrect username is provided from the manager (ManageEngine tool), the manager throws "Discovery failed for username", which could be used by an attacker to know whether a user exists or not.

I did a workaround and came up with a fix.

Please let me know if this fix is appropriate or not.

In file snmpusm.c, in function usm_process_in_msg(), in the code snippet below, I changed the return value from SNMPERR_USM_UNKNOWNSECURITYNAME to SNMPERR_USM_GENERICERROR,
with which the error in the Manager changed to "Timesync failure" for an incorrect username.

    /*
     * Locate the User record.
     * If the user/engine ID is unknown, report this as an error.
     */
    if ((user = usm_get_user_from_list(secEngineID, *secEngineIDLen,
                                       secName, userList,
                                       (((sess && sess->isAuthoritative ==
                                          SNMP_SESS_AUTHORITATIVE) ||
                                         (!sess)) ? 0 : 1)))
        == NULL) {
        DEBUGMSGTL(("usm", "Unknown User(%s)\n", secName));
        snmp_increment_statistic(STAT_USMSTATSUNKNOWNUSERNAMES);
        return SNMPERR_USM_GENERICERROR;   /* was SNMPERR_USM_UNKNOWNSECURITYNAME */
    }

Thanks & Regards,
Madhu
Ulrich Windl
2017-05-08 06:04:35 UTC
IMHO, the gain of guessing a user name is not a significant problem, as the password is what really protects the account. In any case, an error like "Timesync failure" for a bad user name is clearly to be rejected.

Ulrich
Łukasz Wrzesiński
2017-05-08 08:25:47 UTC
The SNMPv3 UserName is sent in clear text in each SNMPv3 PDU, also for Auth
and AuthPriv.

You could obtain it by sniffing packets, without any SNMP query (you could
check it using Wireshark or something similar).

Your change is pointless.
--
Łukasz Wrzesiński
Lee
2017-05-10 12:07:10 UTC
Post by Ulrich Windl
IMHO, the gain of guessing a user name is not a significant problem, as the
password is what really protects the account. In any case, an error like
"Timesync failure" for a bad user name is clearly to be rejected.
Probably not a significant problem, but still, you're not supposed to
allow enumerating userids. E.g.
https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Authentication_and_Error_Messages
Correct Response Example
"Login failed; Invalid userID or password"
The correct response does not indicate if the user ID or password is
the incorrect parameter and hence inferring a valid user ID.

Would SNMPERR_USM_AUTHENTICATIONFAILURE be the appropriate status to
return for an invalid userid or password?

Regards,
Lee
Madhusudhana R
2017-05-10 13:00:59 UTC
Hi Lee,

Thanks for the response.

If SNMPERR_USM_AUTHENTICATIONFAILURE is used, the error turns out to be "authProtocol or authPassword may be wrong" on the ManageEngine tool.

As I mentioned before, with SNMPERR_USM_GENERICERROR we get "Timesync Failure", so this error can give the impression that the agent is not running. (Apologies if my thinking is so bad!!)

Please suggest which return status is more appropriate.
Also, with either of them, will it affect the system architecture in any way?

Thanks.
Madhu

Lee
2017-05-11 14:00:17 UTC
What are you trying to accomplish here? Your original msg said
Post by Madhusudhana R
Regarding a security related finding...
Somebody did a security audit & you're stuck with addressing the
finding? I've had the same type of thing & yes, according to the
security people, allowing attackers to figure out valid userids is A
Bad Thing. I see a couple of possible solutions:

You've got the source code, so apply your change, deploy & you're done.


It's not looking like the admins are in favor of the change you
submitted, so maybe try something different? Like add a configuration
option to disable specific USM error codes & add an #ifdef block in
snmp_api.h to define whatever USM error codes to all be the same
value, e.g. something like

#ifdef noSpecificUSMErrorCodes
#define SNMPERR_USM_UNKNOWNSECURITYNAME        (-46)
#define SNMPERR_USM_UNSUPPORTEDSECURITYLEVEL   (-46)
#define SNMPERR_USM_AUTHENTICATIONFAILURE      (-46)
#else
#define SNMPERR_USM_UNKNOWNSECURITYNAME        (-43)
#define SNMPERR_USM_UNSUPPORTEDSECURITYLEVEL   (-44)
#define SNMPERR_USM_AUTHENTICATIONFAILURE      (-46)
#endif

So the people that want specific error codes can have them & the
people that want just a generic auth fail can have that.

My personal favorite is to allow SNMP only from trusted subnets/hosts,
e.g. iptables, firewalls, router ACLs, etc.

Regards,
Lee
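Lee's uniform-error-code proposal, carried through as an added example (this is not net-snmp code): the credential-rejection outcomes are collapsed into one externally visible code while time-window errors stay distinct, and a check confirms that the two outcomes an observer would compare become indistinguishable. The macro values and the uniform_errors switch are constructed placeholders standing in for net-snmp's snmp_api.h definitions and the configuration option discussed above.

```c
/* Added example, not net-snmp code. Numeric values are constructed
 * placeholders; real values live in net-snmp's snmp_api.h. */
#include <stdio.h>

#define SNMPERR_USM_GENERICERROR             (-41)
#define SNMPERR_USM_UNKNOWNSECURITYNAME      (-43)
#define SNMPERR_USM_UNSUPPORTEDSECURITYLEVEL (-44)
#define SNMPERR_USM_AUTHENTICATIONFAILURE    (-46)
#define SNMPERR_USM_NOTINTIMEWINDOW          (-48)

/* Map an internal USM result to what is reported to the manager.
 * uniform_errors is a hypothetical run-time switch standing in for the
 * configuration option proposed in the thread; Lee's compile-time #ifdef
 * achieves the same collapse by giving the macros one value. */
int usm_external_error(int usm_err, int uniform_errors)
{
    if (!uniform_errors)
        return usm_err;              /* legacy behaviour: specific codes */
    switch (usm_err) {
    case SNMPERR_USM_UNKNOWNSECURITYNAME:
    case SNMPERR_USM_UNSUPPORTEDSECURITYLEVEL:
    case SNMPERR_USM_AUTHENTICATIONFAILURE:
        /* one code for every "credentials rejected" outcome; unlike
         * GENERICERROR this does not read as a timesync failure */
        return SNMPERR_USM_AUTHENTICATIONFAILURE;
    default:
        /* NOTINTIMEWINDOW and other non-credential errors are reported
         * truthfully so the manager can still resynchronise */
        return usm_err;
    }
}

/* Can an observer distinguish a bad user name from a bad password by the
 * reported code?  Returns 1 if the two outcomes differ (user enumeration
 * possible), 0 if they are indistinguishable. */
int leaks_user_existence(int uniform_errors)
{
    int unknown_user = usm_external_error(SNMPERR_USM_UNKNOWNSECURITYNAME,
                                          uniform_errors);
    int bad_password = usm_external_error(SNMPERR_USM_AUTHENTICATIONFAILURE,
                                          uniform_errors);
    return unknown_user != bad_password;
}

int main(void)
{
    printf("specific codes leak user existence: %d\n", leaks_user_existence(0));
    printf("uniform codes leak user existence:  %d\n", leaks_user_existence(1));
    return 0;
}
```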