Ingate Firewall and SIParator affected by SNMPv3 vulnerability

Per Cederqvist ceder@ingate.com
Wed, 11 Jun 2008 16:16:57 +0200


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Product: Ingate Firewall and SIParator
Versions: version 3.1.0 and newer
Tracking ID: 3854

Summary
=======

A vulnerability has been found in the SNMP implementation.  By using a
specially crafted SNMP version 3 package, an attacker can effectively
bypass the authentication of net-snmp.

By default, SNMP is disabled.  Only units where the SNMP subsystem has
been enabled and uses SNMPv3 are vulnerable to this issue.  All
related SNMP settings are available in the GUI on the tab Basic
Settings - SNMP.

Impact
======

An attacker can read configuration and status information from the
firewall.

Due to the way net-snmp is configured on the Ingate Firewall and
SIParator this vulnerability cannot be used to modify settings.

Mitigation
==========

The problem can be mitigated by using the "Servers allowed to contact
the firewall via SNMP" setting, so that it is restricted to the IP
address(es) of your management station(s).  This setting can restrict
access to a set of IP addresses and/or via a certain physical
interface.

The SNMP agent listens to a configurable interface on the Ingate
Firewall and SIParator.  If a non-routeable IP address is used
attackers from the Internet cannot reach the SNMP agent.

It is also possible to turn off the SNMP agent, if you consider the
potential information leak to be more serious than the loss of
monitoring.

Solution
========

Ingate currently plans to solve this issue in the next regular
release, due in Q3 2008.

More information
================

CVE Name: CVE-2008-0960
US-CERT: VU#878044

More information about this vulnerability is available from US-CERT at
http://www.kb.cert.org/vuls/id/878044

Further updates on this issue will be sent to our mailing list
http://lists.ingate.com/mailman/listinfo/productinfo

Further questions regarding this issue can be directed to
support@ingate.com.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFIT8jmTl5zjNKUYI4RAhWfAJ4163CTxBWY0/FwzDrU4SWIMZ9PMwCdHgf/
Klu237Hw7OBHfTRLLgjVhy8=
=cGPU
-----END PGP SIGNATURE-----