List: net-snmp-coders
Subject: Antw: Username existence disclosure from Agent
From: "Ulrich Windl" <Ulrich.Windl () rz ! uni-regensburg ! de>
Date: 2017-05-08 6:04:35
Message-ID: 59100A73020000A1000261F2 () gwsmtp1 ! uni-regensburg ! de
> > > Madhusudhana R <madhusudhana.r@in.abb.com> wrote on 05.05.2017 at 11:16 in message
<DB4PR06MB41239E1A802B6A266FFCB8AB0EB0@DB4PR06MB412.eurprd06.prod.outlook.com>:
> Hi Coders,
>
> Regarding a security related finding...
>
> When an incorrect username is provided from the manager (ManageEngine tool), the
> manager throws "Discovery failed for username", which could be used by an
> attacker to know whether the user exists or not.
>
> I did a workaround and came up with fix.
>
> Please let me know if this fix is appropriate or not.
>
> In file snmpusm.c, in function usm_process_in_msg() and in the code snippet below,
> I changed the return value from SNMPERR_USM_UNKNOWNSECURITYNAME to
> SNMPERR_USM_GENERICERROR,
> with which the error in the manager changed to "Timesync failure" for an incorrect
> username.
IMHO, the gain of guessing a user name is not a significant problem, as the password
is what really protects the account. In any case an error like "Timesync failure" for
a bad user name is clearly to be rejected.
Ulrich
>
> /*
>  * Locate the User record.
>  * If the user/engine ID is unknown, report this as an error.
>  */
> if ((user = usm_get_user_from_list(secEngineID, *secEngineIDLen,
>                                    secName, userList,
>                                    (((sess && sess->isAuthoritative ==
>                                       SNMP_SESS_AUTHORITATIVE) ||
>                                      (!sess)) ? 0 : 1)))
>     == NULL) {
>     DEBUGMSGTL(("usm", "Unknown User(%s)\n", secName));
>     snmp_increment_statistic(STAT_USMSTATSUNKNOWNUSERNAMES);
>     return SNMPERR_USM_GENERICERROR;
> }
>
> Thanks & Regards,
> Madhu
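The point under discussion is whether the peer-visible error should differ for an unknown user and a failed credential check. The following added example is a small C model written for this thread, not net-snmp code: the user table, the `MODEL_*` codes and the counters are constructed, and they stand in for `userList`, the `SNMPERR_USM_*` values and statistics such as `STAT_USMSTATSUNKNOWNUSERNAMES` from the quoted snippet. Both failure paths return the same code to the peer while the agent still keeps separate counters for the operator.

```c
/* Model of a USM-style user lookup: the remote peer sees one error code
 * for "unknown user" and "wrong credential", so the response alone does not
 * reveal whether the user exists. Internal statistics still distinguish the
 * causes for the administrator. Everything here is constructed for the model. */
#include <string.h>

enum { MODEL_OK = 0, MODEL_GENERICERROR = -1 };   /* constructed codes */

struct model_user { const char *name; const char *auth_key; };

/* Constructed user table standing in for the agent's userList. */
static const struct model_user user_list[] = {
    { "monitor", "key-monitor" },
    { "admin",   "key-admin"   },
};

/* Counters modelled on STAT_USMSTATSUNKNOWNUSERNAMES and the agent's
 * wrong-digest counter: visible to the operator, never to the peer. */
static unsigned long stat_unknown_usernames;
static unsigned long stat_wrong_digests;

static const struct model_user *lookup_user(const char *sec_name)
{
    size_t i;
    for (i = 0; i < sizeof user_list / sizeof user_list[0]; i++)
        if (strcmp(user_list[i].name, sec_name) == 0)
            return &user_list[i];
    return NULL;
}

/* Process one incoming message. The peer only ever learns MODEL_OK or
 * MODEL_GENERICERROR, whichever of the two checks fails. */
int process_in_msg(const char *sec_name, const char *presented_key)
{
    const struct model_user *user = lookup_user(sec_name);
    if (user == NULL) {
        stat_unknown_usernames++;        /* counted for the operator */
        return MODEL_GENERICERROR;       /* same code as a bad key */
    }
    if (strcmp(user->auth_key, presented_key) != 0) {
        stat_wrong_digests++;
        return MODEL_GENERICERROR;
    }
    return MODEL_OK;
}

unsigned long unknown_usernames(void) { return stat_unknown_usernames; }
unsigned long wrong_digests(void) { return stat_wrong_digests; }
```

A uniform error code does not by itself make the two paths indistinguishable: the unknown-user path above skips the key comparison entirely, so response timing can still differ, which is a separate property to check before treating the change as a complete fix.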