CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
EPSS
Percentile
68.8%
HP/H3C and Huawei networking equipment contains a vulnerability which could allow an attacker to access administrative functions of the device using systems network management protocol (SNMP) requests.
According to the researcher’s report.:
"HP/H3C and Huawei networking equipment suffers from a serious weakness in regards to their handling of Systems Network Management Protocol (SNMP) requests for protected h3c-user.mib and hh3c-user.mib objects.
_Details
Huawei/H3C have two OIDs, ‘old’ and ‘new’:
old: 1.3.6.1.4.1.2011.10
new: 1.3.6.1.4.1.25506
Most devices support both formats.
The MIBs h3c-user.mib and hh3c-user.mib, for the purpose of this document, will be referred to as (h)h3c-user.mib. This MIB defines the internal table and objects to “Manage configuration and Monitor running state for userlog feature.”
This means there are some cool objects with data in this MIB penetration testers or malicious actors would want to get their dirty little hands on. Most objects are only accessible with the read/write community string.
In the revision history of (h)h3c-user.mib, version 2.0 modified the MAX-ACCESS from read-only to read-create the following objects within the (h)h3cUserInfoEntry sequence:
(h)h3cUserName
(h)h3cUserPassword
(h)h3cAuthMode
(h)h3cUserLevel
The purpose of these objects are to provide the locally configured users to those with a valid SNMP community. After the change only those with the read-write community string should have access, however this was not the case and the code still retained the earlier access of read-only.
So if you have the SNMP public community string then you have the ability to view these entries."_
Additional information can be found in the researcher’s report
A remote unauthenticated attacker can access administrative functions of the device using systems network management protocol (SNMP) requests.
Update
HP: Customers are advised to check HP’s SSRT100962 support document for instructions.
Huawei Security Advisory states: “On Oct. 19, Huawei PSIRT noticed the media report titled “Demo of “serious” networking vulnerabilities cancelled at HP’s request-Saturday’s Toorcon talk was to discuss risks posed by gear from H3C and Huawei” . Huawei PSIRT responded immediately and proactively coordinate Kurt Grutzmacher, US-CERT, CERT/CC and CNCERT to handle the issue. On Oct. 24, Huawei PSIRT finally acquired the technical details of the vulnerabilities from the public channel of US-CERT and launched shortly the vulnerability analysis and investigation to develop the mitigation measures. The first version of “SNMP vulnerability on Huawei multiple products” SA was released on Oct. 25. The investigation is still ongoing. Huawei PSIRT will keep updating the SA. Please refer to the above link.”
According to the researcher’s report:
_"By itself this is already bad but most users who do any of the following may already be protected:
Use complex SNMP community strings or disable SNMPv1
Have disabled the mib entries for (h)h3c-user
Block SNMP using access controls or firewalls
Do not define local users, use RADIUS or TACACS+
More specific routines can be found in the vendor’s release."_
225404
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: August 06, 2012 Updated: October 24, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: October 26, 2012
Affected
On Oct. 19, Huawei PSIRT noticed the media report titled mo of “serious” networking vulnerabilities cancelled at HP’s request-Saturday’s Toorcon talk was to discuss risks posed by gear from H3C and Huawei” . Huawei PSIRT responded immediately and proactively coordinate Kurt Grutzmacher, US-CERT, CERT/CC and CNCERT to handle the issue. On Oct. 24, Huawei PSIRT finally acquired the technical details of the vulnerabilities from the public channel of US-CERT and launched shortly the vulnerability analysis and investigation to develop the mitigation measures. The first version of “SNMP vulnerability on Huawei multiple products” SA was released on Oct. 25. The investigation is still ongoing. Huawei PSIRT will keep updating the SA. Please refer to the above link.
We are not aware of further vendor information regarding this vulnerability.
Notified: August 06, 2012 Updated: August 06, 2012
Unknown
We have not received a statement from the vendor.
Group | Score | Vector |
---|---|---|
Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Temporal | 7.7 | E:F/RL:OF/RC:C |
Environmental | 7.7 | CDP:MH/TD:H/CR:ND/IR:ND/AR:ND |
Thanks to Kurt Grutzmacher for reporting this vulnerability.
This document was written by Michael Orlando.
CVE IDs: | CVE-2012-3268 |
---|---|
Date Public: | 2012-10-23 Date First Published: |
grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html
support.huawei.com/enterprise/NewsReadAction.action?newType=0301&contentId=NEWS1000001069&idAbsPath=0301_10001&nameAbsPath=Services%2520News
h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685&ac.admitted=1351086123601.876444892.492883150