SNMP Authentication Bypass

The SNMP(Simple Network Management Protocol) embedded in many Internet connected devices allows the attackers to bypass the authentication by jsut sending random values in the requests, security researchers have found.

The SNMP is a very popular protocol for the network management which features support for three ways to authenticate client and requests on the remote SNMP devices. The first two of these three are vulnerable to an authentication which can be bypassed if random values are sent in the requests, the security researchers Bertin Bervis (Costa Rica) and Ezequiel Fernandez (Argentina) argue.

This issue, the researchers say that it resides in the manner in which SNMP agent in different devices handles a datatype of human-readable string value called the “community string” which SNMP version 1 and 2 use.

Called the StringBleed and tracked as the CVE 2017-5135, this vulnerability is referred to as the Incorrect Access Control and also could allow attacker to execute a code remotely on vulnerable device. A successful exploitation would provide them with the “full read/write remote permissions using any integer/string value,” the researchers argue.

With the help of a script in python meant to build a the “snmpget” request which used sysDescr OID, the researchers started searching Internet for devices which would respond to the request. Researchers were looking to retrieve sysDescr OID information successfully when test string value (admin, root, user, etc) was same as the one which is stored in SNMP agent for authentication.

The script was supposedly going to work as a type of brute force, the researchers say, but the results were surprising, as some of the discovered devices would respond to the request regardless of the used value.

“SNMP version 1 and 2 authentication should only accept the value stored in the SNMP agent authentication mechanism,” the researchers note. However, their testing revealed that an attacker could use any value string or integer to authenticate the SNMP agent successfully on specific device types.