Security Advisory-SNMP vulnerability on Huawei multiple products

SA No: Huawei-SA-20121025-01
Release Date: 2012-11-13

Summary

Some Huawei products, listed under Affected Products below, have MIBs that support querying the local user account and password. The security authentication protection of SNMP V1 and V2 is not sufficient, so the user account and password can be disclosed through SNMP. (HWNSIRT-2012-1017)

Affected Products

Router series products

NE5000E MA5200G NE40E&80E V300R007 V800R002, V800R003 V200R003 V300R003 V300R003 V600R001, V600R002, V600R003
ATN V200R001C00, V200R001C01
NE40&80 V300R005
NE20E-X6 V600R003
NE20 V200R005 V100R005, V100R006
ME60 V600R002, V600R003, V600R005C00SPC600
CX600 CX200&CX300 V200R002 V600R001, V600R002, V600R003 V100R005
AR150&200 V200R002C00
AR1200/AR2200/AR3200 V200R001, V200R002C00
AR200-S V200R002C00
AR1200-S&2200-S V200R001, V200R002C00
AR19/29/49 R2209 and earlier
AR 28/46 R0311 and earlier
AR 18-3x R0118 and earlier
AR 18-2x R1712 and earlier
AR18-1x R0130 and earlier

Switch series products

S9700 S9300 V200R001 V100R001,V100R002,V100R003,V100R006 V200R001
S8500 R1652 and earlier
S7800 R6x05 and earlier
S7700 V100R003,V100R006 V200R001
S6700 V100R006
S6500 R3234 and earlier
S3300HI/S5300HI/S5306/S6300 S2700/S3700/S5700 S2300/S3300/S5300 V100R006 V200R001 V100R005,V100R006 V200R001 V100R002, V100R003, V100R005, V100R006

Firewall/Gateway series products

Eudemon8000E-X/USG9500 V200R001C00SPC600 and earlier
Eudemon8080E&8160E/USG9300 V100R003C00 and earlier
Eudemon1000E-X/USG5500 V200R002 and earlier
Eudemon1000E-U/USG5300 V200R001 and earlier
USG5300(including DDOS version) V100R005C00
E200E-C&X3&X5&X7/USG2200&5100 V200R003C00 and earlier
E200E-B&X1&X2/USG2100/EGW2100&2200&3200 V100R005C01 and earlier
Eudemon300&500&1000 V200R006C02 and earlier
Eudemon100E V200R007
Eudemon200 V200R001
SRG1200&2200&3200 V100R002C02
SRG1201 V100R002C05
SVN5300 V100R001C01B019
SVN2000&5000 V200R001C00
SVN3000 V100R002C02SPC802B041
NIP2100&2200&5100 V100R001C00

Wireless series products

SGSN9810 V900R010 USN9810 V900R001 V900R011
CG9812 V500R005C25/C27
GGSN9811 V900R007C01/C02/C03 V900R008C00/C01
UGW9811 V900R001C03/C05 V900R009C00/C01/C02
PDSN9960 V900R007C02/C03/C05/C06
HA9661 V900R007C06
WASN9770 V300R003C02
MAG9811 V100R001C00

Impact

Attackers can obtain the local user account and password.

Vulnerability Scoring Details

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Temporal Score: 7.3 (E:F/RL:OF/RC:C)

Technique Details

1. Prerequisite: The attacker must have an SNMP community string and access to the device.
2. Attacking procedure: Access the relevant MIB through a specific SNMP operation to obtain the local user account and password.

Temporary Fix

The following workarounds are only applicable to the products NE5000E/MA5200G/NE40E&80E/ATN/NE40&80/NE20E-X6/NE20/ME60/CX600/CX200&CX300/MAG9811. For workarounds for the other affected products, refer to the Configuration Guide at the following download link:
http://support.huawei.com/enterprise/NewsReadAction.action?newType=0301&contentId=NEWS1000001151&idAbsPath=0301_10001&nameAbsPath=Services%2520News

1. It is suggested to disable the SNMP function (SNMP is disabled by default on Huawei devices), or to define no local users and use RADIUS or HWTACACS instead.

Query the status of SNMP and confirm that the SNMP agent is not enabled:

    [HUAWEI] display snmp-agent sys-info

2. When SNMP is enabled on Huawei devices, the default version is V3. Using V1 and V2 is not suggested.

Query the status of SNMP:

    [HUAWEI] display snmp-agent sys-info

If the query result is displayed as:

    SNMP version running in the system: SNMPv1 SNMPv2c SNMPv3

Disable SNMP V1/V2:

    [HUAWEI] undo snmp-agent sys-info version v1 v2c

3. If the SNMP V1/V2 protocol is in use, SNMP V1/V2 must be blocked by using access controls or firewalls.

Configuration example:

    [HUAWEI] acl 2001
    [HUAWEI-acl-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
    [HUAWEI-acl-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
    [HUAWEI-acl-basic-2001] quit
    [HUAWEI] snmp-agent community read cipher security-read mib-view userinfo acl 2001
    [HUAWEI] snmp-agent community write cipher security-write mib-view userinfo acl 2001

Note: The community names above are only examples. In an actual configuration, use community names with high complexity.

4. If the SNMP V1/V2 protocol is in use, it is suggested to disable the SNMP V1/V2 MIB entries used for querying the user account.

Configuration example:

    [HUAWEI] snmp-agent mib-view include userinfo internet
    [HUAWEI] snmp-agent mib-view excluded userinfo snmpUsmMIB
    [HUAWEI] snmp-agent mib-view excluded userinfo snmpVacmMIB
    [HUAWEI] snmp-agent mib-view excluded userinfo hwLocalUserTable
    [HUAWEI] snmp-agent mib-view excluded userinfo hwCfgOperateTable
    [HUAWEI] snmp-agent mib-view excluded userinfo hwCollectTable
    [HUAWEI] snmp-agent community read cipher security-read mib-view userinfo
    [HUAWEI] snmp-agent community write cipher security-write mib-view userinfo

Note: Before performing step 4, confirm with the NMS (Network Management Station) provider that disabling MIB nodes does not affect the NMS services. If disabling a MIB node affects the NMS services, do not run the snmp-agent mib-view excluded userinfo xxx command for that node.
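
The following Python sketch is an added example, not part of Huawei's advisory: it audits a saved configuration against workaround steps 2 to 4. It assumes the saved configuration uses the same command forms shown above; the function name audit_snmp and both sample configurations are constructed for illustration.

```python
import re

# MIB subtrees that step 4 of the advisory excludes from the community's view.
REQUIRED_EXCLUDES = {"snmpUsmMIB", "snmpVacmMIB", "hwLocalUserTable",
                     "hwCfgOperateTable", "hwCollectTable"}

def audit_snmp(config):
    """Return findings for a saved config, keyed to workaround steps 2-4."""
    versions, excluded, communities = set(), {}, []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"snmp-agent sys-info version (.+)", line):
            versions |= set(m.group(1).split())
        elif m := re.match(r"snmp-agent mib-view excluded (\S+) (\S+)", line):
            excluded.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"snmp-agent community (read|write) (?:cipher )?\S+(.*)", line):
            opts = m.group(2).split()          # e.g. mib-view userinfo acl 2001
            pairs = dict(zip(opts[::2], opts[1::2]))
            communities.append((m.group(1), pairs.get("mib-view"), pairs.get("acl")))
    # Assumption: no version line means the default (V3 only, per the advisory);
    # "all" is assumed to be the keyword that enables every version.
    legacy = versions & {"v1", "v2c", "all"}
    if not legacy:
        return []                              # steps 3 and 4 only matter for V1/V2
    findings = ["step 2: SNMP v1/v2c enabled: " + " ".join(sorted(legacy))]
    for access, view, acl in communities:      # community names are never echoed
        if acl is None:
            findings.append(f"step 3: {access} community has no acl")
        missing = REQUIRED_EXCLUDES - excluded.get(view, set())
        if missing:
            findings.append(f"step 4: {access} community view {view or '(none)'} "
                            "exposes " + ", ".join(sorted(missing)))
    return findings

# Constructed sample configs (not taken from a real device).
WEAK_CONFIG = """
snmp-agent sys-info version v2c v3
snmp-agent community read cipher example-read
"""
HARDENED_CONFIG = """
snmp-agent sys-info version v2c v3
snmp-agent mib-view include userinfo internet
snmp-agent mib-view excluded userinfo snmpUsmMIB
snmp-agent mib-view excluded userinfo snmpVacmMIB
snmp-agent mib-view excluded userinfo hwLocalUserTable
snmp-agent mib-view excluded userinfo hwCfgOperateTable
snmp-agent mib-view excluded userinfo hwCollectTable
snmp-agent community read cipher example-read mib-view userinfo acl 2001
"""
```

The check confirms that an ACL is bound to each community, not what the ACL permits; the ACL rules still need a separate review.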

Software Versions and Fixes

To be updated

Obtaining Fixed Software

To be updated

Contact Channel for Technique Issue

PSIRT@huawei.com

Revision History

Initial version 1.0 25/10/2012
Updated version 2.0 13/11/2012
Updated version 3.0 24/11/2012

Exploitation and Vulnerability Source

This vulnerability was found by Kurt Grutzmacher. The Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Huawei expresses its appreciation for Kurt Grutzmacher's concerns on Huawei products.

Declaration

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei Investment & Holding Co., Ltd. or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

The information and data embodied in this document and any attachment are strictly confidential information of Huawei and are supplied on the understanding that they will be held confidentially and not disclosed to third parties without the prior written consent of Huawei. You shall use all reasonable efforts to protect the confidentiality of information. In particular, you shall not directly or indirectly disclose, allow access to, transmit or transfer the information to a third party without our prior written consent. Thank you for your co-operation.

Huawei Security Procedures

Contact us through PSIRT@huawei.com if you need to:

1. Provide feedback on security vulnerability of Huawei products.
2. Get support for Huawei security emergency response services.
3. Obtain Huawei security vulnerability information.