Using NetSNMP with SNMPv3 USM and VACM

We just released Unbrowse SNMP 1.5 today!

R1.5 features support for managing SNMPv3 users and views in a very easy-to-use manner. You do not have to worry about the underlying MIB tables and such. Everything is visual, including management of MIB views.

A few people have expressed a desire to use Unbrowse to work with USM and VACM in Net-SNMP based agents. We already talked in detail about an issue with Net-SNMP (Release 5.4) and VACM in this post.

We submitted two patches to the Net-SNMP open source project. It may take a while for them to get accepted. In the meantime, please apply these patches yourself.

Please leave a comment here (or email us) if you want help with applying these patches.

[tags] snmpv3, USM, VACM, security, Net-SNMP [/tags]

Getting netsnmp ready for VACM

We are working on some cool SNMPv3 security features for the upcoming Unbrowse SNMP R1.5 release. Among other things, you can create users, restrict their access, and change their passwords, just as you would on your website or computer. All the gory details of USM / VACM are hidden away.

I was running some tests with our beta build against a net-snmp server on a Fedora (FC5) box. I found several issues before getting netsnmp to respond to VACM correctly. I hope this post helps folks who want to move completely to SNMPv3 (completely disabling the insecure SNMPv1 and SNMPv2).


IP Option Vulnerability in Cisco IOS – Update now!

Cisco released three security advisories for its IOS platform two days back. See Tech Lounge, Tao Security and The Register for more coverage. Note: these affect almost all IOS 12.0, 12.1 and 12.2 routers.

  • Malformed TCP Packets (denial of service). Specially crafted TCP packets can leak a small amount of memory, which over time can result in a DoS.
  • IPv6 Routing Header (crashes IOS!). Applies only if IPv6 has been enabled; the bug is triggered when source routing is enabled.
  • *serious* IP Option vulnerability (can execute arbitrary code). A specially crafted IP options packet can compromise the router.

All three are triggered by a malformed packet. These packets can contain spoofed addresses, so a traditional ACL may not be effective.

Of the three, the third is obviously the most serious. Security watchers are reporting that there is a lot of interest in underground forums about how to exploit the third one.

“These are serious issues and patches need to be applied as soon as possible,” said Gunter Ollmann, director of security strategy for IBM Internet Security Systems. “From our monitoring of underground channels there are a lot of people interested in these and actively working on exploits.”

So what is an IP option?

For those who are not familiar with it, here is a sample IP option viewed using Unsniff Network Analyzer. IP options are extensions to the standard IPv4 header to implement some additional functionality.

[Image: ipoptions.jpg, a Record Route IP option as shown in Unsniff]

What you see in the picture is a “Record Route” option. You can append other options after it, and close with an “End” option (identified by code 00).
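The option layout just described, as an added example that is not code from the original post: a small Python walker that decodes a Record Route option followed by an End option, and refuses any option whose length byte does not match the bytes actually present. The sample byte strings are constructed for this example.

```python
# Added example, not from the original post: walk an IPv4 options field, decode
# Record Route (code 7) and End (code 00), and reject inconsistent length bytes.
IPOPT_END = 0   # end of option list, single byte
IPOPT_NOP = 1   # no operation, single byte
IPOPT_RR = 7    # record route: code, length, pointer, then 4-byte address slots

def parse_ip_options(opts: bytes) -> list:
    """Return (name, value) tuples; raise ValueError on a malformed field."""
    result, i = [], 0
    while i < len(opts):
        code = opts[i]
        if code == IPOPT_END:
            result.append(("end", b""))
            break                         # bytes after End are padding
        if code == IPOPT_NOP:
            result.append(("nop", b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d at offset %d has no length byte" % (code, i))
        length = opts[i + 1]
        # length counts the code and length bytes, so it is at least 2, and it
        # must not run past the end of the options field
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d length %d overruns field" % (code, length))
        body = opts[i + 2:i + length]
        if code == IPOPT_RR:
            if (length - 3) % 4 != 0:
                raise ValueError("record route length %d is not 3 + 4n" % length)
            slots = [body[k:k + 4] for k in range(1, len(body), 4)]
            addrs = [".".join(str(b) for b in s) for s in slots]
            result.append(("record_route", {"pointer": body[0], "addresses": addrs}))
        else:
            result.append(("option_%d" % code, body))
        i += length
    return result

def is_malformed(opts: bytes) -> bool:
    try:
        parse_ip_options(opts)
    except ValueError:
        return True
    return False

# Constructed sample: Record Route (len 11, pointer 12, two recorded hops) then End
SAMPLE_OPTIONS = bytes.fromhex("070b0c0a000001c0a8000100")
# Constructed malformed sample: Record Route claiming 32 bytes in a 12-byte field
MALFORMED_OPTIONS = bytes.fromhex("072004000000000000000000")
```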

[tags] cisco , security, ip options, unsniff [/tags]