Pierluigi Paganini
April 28, 2017
Simple Network Management Protocol (SNMP) authentication bypass affects several IoT devices, hackers could exploit the issue by simply sending random values in specific requests.
The problem, dubbed StringBleed and tracked as CVE 2017-5135, was reported by the security researchers Ezequiel Fernandez and Bertin Bervis.
The SNMP protocol supports three methods for client authentication and to authenticate requests on remote SNMP devices, two of them are affected by the authentication bypass issue.
The StringBleed issue resides in the way SNMP agent in running on differed IoT devices handles a human-readable string datatype value called “community string” that SNMP version 1 and 2 use.
“we know there are 3 ways to authenticate the client and requests in the remote SNMP device, SNMP version 1 & 2 use a human-readable string datatype value called “community string” (usually public or private) in SNMP version 3 you have the option to use a user, password and authentication methods. ” explained the researchers.
The researchers used a simple python script to build a “snmpget” request that used the sysDescr OID, then they started scanning the Internet for devices that would respond to the request. The experts were searching for sysDescr OID information provided by the devices in response to requests using test strings like ‘admin’, ‘root’, and ‘user.’
The researchers were looking to retrieve the sysDescr OID information successfully when the test string value (‘admin’, ‘root’, ‘user, etc.) was the same as the one stored in the SNMP agent for authentication.
“We wrote a simple python script from scratch using sockets in order to build the “snmpget” request, in the request we used the sysDescr OID , if the string value we are testing (admin,root etc etc) is the same stored in the SNMP agent for authentication , we are going to retrieve the sysDescr OID information successfully, is like a kind of “brute force”. After some days of scanning we noticed something weird, some devices/fingerprints were always responding no matter which value we used, so what’s going here??? researchers added.
As I mentioned before, the SNMP version 1 & 2 authentication should only accept the value stored in the SNMP agent authentication mechanism, but the behavior based in our results is not accurate like the statement explained previously.”
The StringBleed vulnerability is an Incorrect Access Control issue, remote attackers could exploit the issue to execute code on the vulnerable devices and gain “full read/write remote permissions using any string/integer value.”
“In few words, we discovered the following: you can use any value string or integer in order to authenticate the SNMP agent successfully in some specific devices, but the worse thing here is : you have full read/write remote permissions using any string/integer value.” said the researchers.
The results of the Internet Scan were disconcerting, an attacker could use any value string or integer to authenticate the SNMP agent on the flawed devices.
The experts discovered the but by testing the attack on the CISCO DPC3928SL wireless residential gateway, which is now owned by Technicolor.
The company confirmed the presence of the StringBleed bug on the device but clarified that it was only a “control misconfiguration issue” and that it was isolated to a single Internet Service Provider (ISP).
According to the experts, the issue is widespread and hackers could easily target exposed on the Internet.
One of the researchers revealed in a discussion on Reddit that 78 vulnerable models were found vulnerable to date to the StringBleed flaw.
Stay Tuned …. the number of models could rapidly increase.
[adrotate banner=”9″]
(Security Affairs – StringBleed , hacking)
[adrotate banner=”13″]
