List:       net-snmp-coders
Subject:    Antw: Username existence disclosure from Agent
From:       "Ulrich Windl" <Ulrich.Windl () rz ! uni-regensburg ! de>
Date:       2017-05-08 6:04:35
Message-ID: 59100A73020000A1000261F2 () gwsmtp1 ! uni-regensburg ! de

> > > Madhusudhana R <madhusudhana.r@in.abb.com> wrote on 05.05.2017 at 11:16 in message <DB4PR06MB41239E1A802B6A266FFCB8AB0EB0@DB4PR06MB412.eurprd06.prod.outlook.com>:
> Hi Coders,
> 
> Regarding a security related finding...
> 
> When an incorrect username is provided from the manager (ManageEngine tool), the 
> manager throws "Discovery failed for username", which could be used by an 
> attacker to know whether the user exists or not.
> 
> I did a workaround and came up with a fix.
> 
> Please let me know if this fix is appropriate or not.
> 
> In file snmpusm.c, in function usm_process_in_msg() and the code snippet below, 
> I changed the return value from SNMPERR_USM_UNKNOWNSECURITYNAME to 
> SNMPERR_USM_GENERICERROR, 
> with which the error in the Manager changed to "Timesync failure" for an incorrect 
> username.

IMHO, the gain of guessing a user name is not a significant problem as the password
is what really protects the account. In any case an error like "Timesync failure" for
a bad user name is clearly to be rejected.

Ulrich


> 
> /*
>  * Locate the User record.
>  * If the user/engine ID is unknown, report this as an error.
>  */
> if ((user = usm_get_user_from_list(secEngineID, *secEngineIDLen,
>                                    secName, userList,
>                                    (((sess && sess->isAuthoritative ==
>                                       SNMP_SESS_AUTHORITATIVE) ||
>                                      (!sess)) ? 0 : 1)))
>     == NULL) {
>     DEBUGMSGTL(("usm", "Unknown User(%s)\n", secName));
>     snmp_increment_statistic(STAT_USMSTATSUNKNOWNUSERNAMES);
>     return SNMPERR_USM_GENERICERROR;
> }
> 
> Thanks & Regards,
> Madhu
_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
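As an added illustration (not code from net-snmp or from anyone in this thread), the C model below contrasts a user lookup whose return code reveals which step failed with one that hands the peer a single generic error while still counting unknown user names internally, which is the shape of the change discussed above; the constants, the engine ID and the user list are constructed stand-ins for the snmpusm.c names quoted in the message.

```c
#include <stddef.h>
#include <string.h>

/* Result codes named after the net-snmp constants quoted in the thread; the
 * numeric values are assumptions for this stand-alone model, not net-snmp's. */
enum {
    SNMPERR_SUCCESS                 = 0,
    SNMPERR_USM_UNKNOWNENGINEID     = -1,
    SNMPERR_USM_UNKNOWNSECURITYNAME = -2,
    SNMPERR_USM_GENERICERROR        = -3
};

/* Constructed stand-ins for the agent's own engine ID and its userList. */
static const char *local_engine_id = "engineA";
static const char *user_list[]     = { "monitor", "admin" };

/* Modelled on STAT_USMSTATSUNKNOWNUSERNAMES: the operator-facing counter that
 * must keep increasing even when the peer-facing error is made uniform. */
static unsigned long usm_stats_unknown_user_names = 0;

unsigned long unknown_user_names(void) { return usm_stats_unknown_user_names; }

static int user_in_list(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof user_list / sizeof user_list[0]; i++)
        if (strcmp(user_list[i], name) == 0)
            return 1;
    return 0;
}

/* "Before": the failing step leaks into the return code, so a manager can tell
 * a wrong user name from a wrong engine ID (the disclosure the thread reports). */
int usm_lookup_verbose(const char *engine_id, const char *sec_name)
{
    if (strcmp(engine_id, local_engine_id) != 0)
        return SNMPERR_USM_UNKNOWNENGINEID;
    if (!user_in_list(sec_name)) {
        usm_stats_unknown_user_names++;      /* detail stays visible to the operator */
        return SNMPERR_USM_UNKNOWNSECURITYNAME;
    }
    return SNMPERR_SUCCESS;
}

/* "After": the precise cause is recorded internally (counter, debug log), but every
 * lookup failure is collapsed to one generic code before it reaches the peer. */
int usm_lookup_uniform(const char *engine_id, const char *sec_name)
{
    int rc = usm_lookup_verbose(engine_id, sec_name);
    return rc == SNMPERR_SUCCESS ? SNMPERR_SUCCESS : SNMPERR_USM_GENERICERROR;
}
```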