Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

SNMP Authentication Bypass Plagues Numerous Devices

The Simple Network Management Protocol (SNMP) embedded in some Internet connected devices allows an attacker to bypass authentication by simply sending random values in specific requests, security researchers have discovered.

The Simple Network Management Protocol (SNMP) embedded in some Internet connected devices allows an attacker to bypass authentication by simply sending random values in specific requests, security researchers have discovered.

SNMP is a popular protocol for network management that features support for three ways to authenticate the client and requests on remote SNMP devices. The first two of these are vulnerable to an authentication bypass if random values are sent in requests, security researchers Ezequiel Fernandez (Argentina) and Bertin Bervis (Costa Rica) argue.

The issue, the researchers say, resides in the manner in which the SNMP agent in different devices (usually cable modems) handles a human-readable string datatype value called “community string” that SNMP version 1 and 2 use.

Called StringBleed and tracked as CVE 2017-5135, the vulnerability is referred to as Incorrect Access Control and could allow an attacker to execute code remotely on the vulnerable device. Successful exploitation would provide them with “full read/write remote permissions using any string/integer value,” the researchers argue.

With the help of a python script meant to build a “snmpget” request that used the sysDescr OID, the researchers started searching the Internet for devices that would respond to the request. The researchers were looking to retrieve the sysDescr OID information successfully when the test string value (admin, root, user, etc) was the same as the one stored in the SNMP agent for authentication.

The script was supposedly going to work as a type of brute force, the researchers say, but the results were surprising, as some of the discovered devices would respond to the request regardless of the used value.

“SNMP version 1 and 2 authentication should only accept the value stored in the SNMP agent authentication mechanism,” the researchers note. However, their testing revealed that an attacker could use any value string or integer to authenticate the SNMP agent successfully on specific device types.

The bug was initially discovered on the CISCO DPC3928SL wireless residential gateway, which is now owned by Technicolor, and which confirmed the bug, but said it was only a “control misconfiguration issue” and that it was isolated to a single Internet Service Provider (ISP).

Advertisement. Scroll to continue reading.

The researchers, however, claim that the manufacturer is at fault and that the issue is more widespread. According to them, attackers could easily execute code or leak passwords and other sensitive information from vulnerable devices pertaining to several vendors.

In a post on Reddit, one of the researchers revealed that 78 vulnerable models were found to date, and also said that continuous scans might reveal more of them.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.