The Simple Network Management Protocol (SNMP) agent embedded in some Internet-connected devices allows an attacker to bypass authentication simply by sending an arbitrary value in place of the expected credential, security researchers have discovered.
SNMP is a widely used network management protocol that comes in three versions with different authentication models: SNMPv1 and SNMPv2c authenticate each request with a plaintext "community string", while SNMPv3 uses a user-based security model. It is the first two that are vulnerable to an authentication bypass when arbitrary values are sent in requests, security researchers Ezequiel Fernandez (Argentina) and Bertin Bervis (Costa Rica) argue.
The issue, the researchers say, lies in how the SNMP agent in certain devices (usually cable modems) handles the community string, the human-readable string value that SNMP versions 1 and 2c use as the sole authentication check on a request.
Called StringBleed and tracked as CVE-2017-5135, the vulnerability is classified as Incorrect Access Control and, according to the researchers, could allow an attacker to execute code remotely on a vulnerable device. Successful exploitation would give them “full read/write remote permissions using any string/integer value,” the researchers argue.
Using a Python script that built an SNMP "snmpget" request for the sysDescr OID (1.3.6.1.2.1.1.1.0), the researchers scanned the Internet for devices that would answer it. They expected to retrieve the sysDescr value only when the community string they tried (admin, root, user, and so on) matched the one configured in the SNMP agent.
The script was intended as a simple community-string brute force, the researchers say, but the results were surprising: some of the devices it found answered the request regardless of the value sent.
“SNMP version 1 and 2 authentication should only accept the value stored in the SNMP agent authentication mechanism,” the researchers note. Their testing showed, however, that on specific device types an attacker could authenticate to the SNMP agent with any string or integer value.
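To make the check described above concrete, here is an added example (not the researchers' script, and not code from any of the vendors named on this page) that hand-encodes an SNMPv1/v2c GetRequest for sysDescr with the standard BER rules, decodes the GetResponse, and flags an agent as exhibiting StringBleed-style behaviour when it answers a freshly generated random community string that no administrator could have configured. So that it runs offline, the block also contains a constructed in-process agent with two modes: a correct one that silently drops requests carrying the wrong community (the behaviour RFC 1157 prescribes) and a broken one that ignores the community entirely. The function and variable names, the constructed sysDescr text and the community value `s3cret` are all assumptions made for this example; `udp_sender` is the only piece that talks to a real device.

```python
import secrets
import socket

# sysDescr.0 from the MIB-II system group (RFC 1213): 1.3.6.1.2.1.1.1.0
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # context-specific PDU tags
NULL_TLV, NO_SUCH_OBJECT_TLV = b"\x05\x00", b"\x80\x00"


# ---- minimal BER encoder/decoder (only what SNMP v1/v2c GetRequest needs) ----
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def encode_int(v):                         # INTEGER, minimal two's complement
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def encode_oid(oid):                       # OBJECT IDENTIFIER, base-128 arcs
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(b):
    out, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            out.append(v)
            v = 0
    return tuple(out)

def _read_tlv(buf, pos):                   # returns (tag, body, next_pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length


# ---- SNMP message build/parse ----
def build_message(pdu_tag, version, community, request_id, oid, value_tlv, error_status=0):
    """version: 0 = SNMPv1, 1 = SNMPv2c. One varbind only."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + value_tlv)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(error_status)
              + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(version) + tlv(0x04, community.encode("latin-1")) + pdu)

def build_get_request(community, oid=SYS_DESCR_OID, request_id=1, version=1):
    return build_message(GET_REQUEST, version, community, request_id, oid, NULL_TLV)

def parse_message(msg):
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    _, body, _ = _read_tlv(msg, 0)
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)        # error-index, unused here
    _, vbl, _ = _read_tlv(pdu, pos)
    _, vb, _ = _read_tlv(vbl, 0)           # first varbind only
    _, oid, pos = _read_tlv(vb, 0)
    vtag, val, _ = _read_tlv(vb, pos)
    return {"version": as_int(ver), "community": community.decode("latin-1"),
            "pdu_tag": pdu_tag, "request_id": as_int(rid), "error_status": as_int(err),
            "oid": decode_oid(oid), "value_tag": vtag, "value": val}


# ---- the probe, and a constructed agent to run it against ----
def probe(send, community, request_id=None):
    """One GetRequest for sysDescr via `send`; returns the sysDescr text or None."""
    rid = request_id or secrets.randbelow(1 << 31)
    reply = send(build_get_request(community, SYS_DESCR_OID, rid))
    if reply is None:
        return None
    r = parse_message(reply)
    if (r["pdu_tag"], r["request_id"], r["error_status"], r["value_tag"]) != (GET_RESPONSE, rid, 0, 0x04):
        return None
    return r["value"].decode("latin-1")

def check_stringbleed(send):
    """A random 24-hex-char community cannot be a configured credential, so any
    sysDescr reply means the agent is not checking the community at all."""
    got = probe(send, secrets.token_hex(12))
    return got is not None, got

def make_agent(configured_community, sysdescr, stringbleed=False):
    """Constructed in-process agent. Correct mode drops bad-community requests
    silently (RFC 1157 behaviour); stringbleed mode answers any community."""
    def agent(datagram):
        req = parse_message(datagram)
        if req["pdu_tag"] != GET_REQUEST:
            return None
        if req["community"] != configured_community and not stringbleed:
            return None
        value = tlv(0x04, sysdescr) if req["oid"] == SYS_DESCR_OID else NO_SUCH_OBJECT_TLV
        return build_message(GET_RESPONSE, req["version"], req["community"], req["request_id"], req["oid"], value)
    return agent

def udp_sender(host, port=161, timeout=2.0):
    """Real transport for a device you are authorised to test (assumed usage)."""
    def send(datagram):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(datagram, (host, port))
            try:
                return s.recv(4096)
            except socket.timeout:
                return None
    return send

if __name__ == "__main__":
    good = make_agent("s3cret", b"Constructed cable modem, fw 1.0")
    broken = make_agent("s3cret", b"Constructed cable modem, fw 1.0", stringbleed=True)
    print("correct agent  :", check_stringbleed(good))     # (False, None)
    print("stringbleed-ish:", check_stringbleed(broken))   # (True, 'Constructed cable modem, fw 1.0')
```

Note what the probe can and cannot tell you: it distinguishes an agent that enforces the community string from one that does not, but from the outside it cannot say whether the cause is a firmware bug or a provisioning mistake, which is exactly the point on which the researchers and Technicolor disagree below. Against a real device, swap `good` for `udp_sender("192.0.2.1")` (a documentation address used here as a placeholder) and expect `None` from correctly configured agents, since they drop the datagram rather than returning an error.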
The bug was initially discovered on the Cisco DPC3928SL wireless residential gateway, a product line now owned by Technicolor. Technicolor confirmed the behaviour but called it only a “control misconfiguration issue” and said it was isolated to a single Internet Service Provider (ISP).
The researchers, however, maintain that the fault lies with the manufacturer and that the issue is more widespread. According to them, attackers could easily execute code on, or leak passwords and other sensitive information from, vulnerable devices from several vendors.
In a post on Reddit, one of the researchers said that 78 vulnerable models had been found to date and that continued scanning might reveal more.