Upstream information

CVE-2008-0960 at MITRE

Description

SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.
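The flaw class described above, shown as an added example that is not code from Net-SNMP or any other listed product: a MAC check whose comparison length comes from the received message, beside a check that enforces the fixed 12-byte length SNMPv3 USM uses for HMAC-MD5-96 and HMAC-SHA-96 (RFC 3414). The function names and sample bytes are hypothetical, and the expected MAC is assumed to have been computed locally by an HMAC routine that is not shown.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USM_MAC_LEN 12  /* HMAC-MD5-96 / HMAC-SHA-96 length per RFC 3414 */

/* Flawed pattern: the comparison length is taken from the received message,
 * so a 1-byte field is accepted when only its first byte matches. */
int mac_ok_flawed(const unsigned char *expected,
                  const unsigned char *received, size_t received_len)
{
    if (received_len > USM_MAC_LEN)
        return 0;
    return memcmp(expected, received, received_len) == 0;
}

/* Hardened pattern: the length is fixed by the protocol, never by the sender,
 * and the comparison does not stop at the first differing byte. */
int mac_ok_fixed(const unsigned char *expected,
                 const unsigned char *received, size_t received_len)
{
    unsigned char diff = 0;
    size_t i;

    if (received_len != USM_MAC_LEN)
        return 0;
    for (i = 0; i < USM_MAC_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ received[i]);
    return diff == 0;
}

/* Constructed sample values, not taken from any real device or capture. */
static const unsigned char sample_expected[USM_MAC_LEN] = {
    0x3a, 0x91, 0x07, 0xc4, 0x5e, 0x22, 0xb8, 0x6d, 0x10, 0xf3, 0x49, 0x8e };
static const unsigned char sample_tampered[USM_MAC_LEN] = {
    0x3a, 0x91, 0x07, 0xc4, 0x5e, 0x22, 0xb8, 0x6d, 0x10, 0xf3, 0x49, 0x8f };
static const unsigned char sample_short[1] = { 0x3a };

int main(void)
{
    printf("1-byte field:  flawed=%d fixed=%d\n",
           mac_ok_flawed(sample_expected, sample_short, 1),
           mac_ok_fixed(sample_expected, sample_short, 1));
    printf("12-byte match: fixed=%d\n",
           mac_ok_fixed(sample_expected, sample_expected, USM_MAC_LEN));
    return 0;
}
```

A single matching byte leaves only 256 possible values to try, which is why the length must be fixed on the receiving side.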

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
SUSE Bugzilla entries: 393159 [RESOLVED / FIXED], 398751 [RESOLVED / DUPLIC], 514421 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE 11.0
  • libsnmp15 >= 5.4.1-77.2
  • net-snmp >= 5.4.1-77.2
  • net-snmp-32bit >= 5.4.1-77.2
  • net-snmp-64bit >= 5.4.1-77.2
  • net-snmp-devel >= 5.4.1-77.2
  • net-snmp-devel-64bit >= 5.4.1-77.2
  • perl-SNMP >= 5.4.1-77.2
  • snmp-mibs >= 5.4.1-77.2
SUSE Linux Enterprise SDK 10 SP2
  • net-snmp-devel >= 5.3.0.1-25.26
sle10-sp2-sdk.x86
sles10.ia64
sles10-sp2.s390x
sle10-sp2-sdk.ia64
sles10.s390x
sles9-nld.x86
sles10.ppc
sles10.x86
sles10-sp2.ppc
core9.ppc
sles10-sp2.x86
core9.x86
sle10-sp2-sdk.s390x
core9.s390x
sled10-sp2.x86
sled10-sp2.x86-64
sles10-sp2.x86-64
sle10-sp2-sdk.x86-64
sled10.x86
sled10.x86-64
sle10-sp1-sdk.x86
sle10-sp2-sdk.ppc
core9.s390
core9.ia64
sles10.x86-64
sle10-sp1-sdk.ia64
sle10-sp1-sdk.ppc
core9.x86-64
sles10-sp2.ia64
sles9-nld.x86-64
sles9-nlpos.x86
sles9-oes.x86
sle10-sp1-sdk.x86-64
sle10-sp1-sdk.s390x
ZYPP Patch Nr: 5422
SUSE Linux Enterprise SDK 10 SP2
  • net-snmp-devel >= 5.3.0.1-25.26
  • net-snmp-devel-64bit >= 5.3.0.1-25.26
(same update channels as in the first list above)
ZYPP Patch Nr: 5422
Novell Linux Desktop 9 for x86
Novell Linux Desktop 9 for x86_64
Open Enterprise Server
  • net-snmp >= 5.1.3.1-0.22
  • net-snmp-devel >= 5.1.3.1-0.22
  • perl-SNMP >= 5.1.3.1-0.22
(same update channels as in the first list above)
ZYPP Patch Nr: 5422