Security Advisory - SNMP vulnerability on Huawei multiple products
- SA No:Huawei-SA-20121025-01
- Initial Release Date: Oct 25, 2012
- Last Release Date: Mar 18, 2013
In some of Huawei products as affected products list below, there are MIBs which support the query of the local user account and password. However, the security authentication protection for SNMP V1 and V2 is not enough, which leads to the risk that the user account and password can be disclosed through SNMP (HWNSIRT-2012-1017).
This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2012-3268.
|
Product name |
Solved version |
Solved time |
|
S2300/S2700/S3300/S3700 |
V100R006C03 |
06-27-2012 |
|
S3300HI/S5300HI/S5300/S5306/ |
V200R001C00SPC300 |
07-31-2012 |
|
AR1200/ AR2200/ AR3200 |
Release version: |
07-06-2012 |
|
Eudemon1000E-X/USG5500 |
V300R001C00SPC500 |
07-10-2012 |
|
E200E-C/F&X3&X5&X7/USG2200&5100 |
V300R001C00SPC500 |
07-10-2012 |
|
E200E-B&X1&X2/USG2100/ EGW2100&2200&3200 |
V300R001C00SPC500 |
07-10-2012 |
|
SVN2200&5500 series |
V200R001C01SPC200 |
07-31-2012 |
|
NIP2100&2200&5100 |
V100R001C01SPC200 |
09-13-2012 |
|
ATN |
V200R001C02 |
10-19-2012 |
|
NE5000E |
V800R003C00SPC600 |
02-28-2013 |
|
NE40E&80E |
V600R005C00SPCB00 |
12-07-2012 02-01-2013 02-05-2013 |
|
ME60 |
V600R005C00SPCB00 |
12-07-2012 02-01-2012 |
|
CX600 |
V600R005C00SPCB00 |
12-07-2012 01-22-2013 02-05-2013 |
|
NE20E-X6 |
patch:V600R003SPH017 |
02-05-2013 |
|
UGW9811/GGSN9811 |
patch:V900R009C01HP0003 |
01-23-2013 |
|
PDSN9660 |
patch:V900R007C05SPH312 |
03-07-2013 |
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Temporal Score: 7.3 (E:F/RL:OF/RC:C)1. Prerequisite:
Must have an SNMP community string and have the access to the device;
2. Attacking procedure:
Access the relevant MIB by snmp specified operation to obtain the local user account and password.Note: If the NMS has been deployed, exercise caution when checking whether the following preventive measures have an impact on NMS functions.
The following workarounds are only applicable to the products of NE5000E/ MA5200G / NE40E&80E/ATN/NE40&80/NE20E-X6/NE20/ME60/CX600/CX200&CX300/MAG9811. For the workarounds of the other involving products, please refer to the Configuration Guide.
1.It is suggested to disable the SNMP function (the function of SNMP is disabled by default on Huawei devices). Or do not define local users, use RADIUS or HWTACACS.
Query the status of SNMP and SNMP agent is not enabled.
[HUAWEI]display snmp-agent sys-info
2.When Huawei devices enable SNMP, the default version to be used is V3. It is not suggested to use V1 and V2.
Query the status of SNMP:
[HUAWEI]display snmp-agent sys-info
If the query result is displayed as:
SNMP version running in the system:
SNMPv1 SNMPv2c SNMPv3
Disable SNMP V1/V2:
[HUAWEI]undo snmp-agent sys-info version v1 v2c
3.If SNMP V1/V2 protocol is applied, it is needed to block SNMP V1/V2 by using access controls or firewalls;
The configuration example:
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[HUAWEI-acl-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] snmp-agent community read cipher security-read mib-view userinfo acl 2001
[HUAWEI] snmp-agent community write cipher security-write mib-view userinfo acl 2001
Note: The above-mentioned community names are just used as examples. For the actual configuration, the community names with high complexity are needed.
4.If SNMP V1/V2 protocol is applied, it is suggested to disable the SNMP V1/V2 mib entries for querying user account;
The configuration example:
[HUAWEI] snmp-agent mib-view include userinfo internet
[HUAWEI] snmp-agent mib-view excluded userinfo snmpUsmMIB
[HUAWEI] snmp-agent mib-view excluded userinfo snmpVacmMIB
[HUAWEI] snmp-agent mib-view excluded userinfo hwLocalUserTable
[HUAWEI] snmp-agent mib-view excluded userinfo hwCfgOperateTable
[HUAWEI] snmp-agent mib-view excluded userinfo hwCollectTable
[HUAWEI] snmp-agent community read cipher security-read mib-view userinfo
[HUAWEI] snmp-agent community write cipher security-write mib-view userinfo
Note: Before performing step 4, confirm with the NMS (Network Management Station) provider that disabling MIB nodes does not affect the NMS services. If disabling a MIB node affects the NMS services, do not run the snmp-agent mib-view excluded userinfo xxx command for this node.Note: If the NMS has been deployed, exercise caution when checking whether the following preventive measures have an impact on NMS functions.
The following workarounds are only applicable to the products of NE5000E/ MA5200G / NE40E&80E/ATN/NE40&80/NE20E-X6/NE20/ME60/CX600/CX200&CX300/MAG9811. For the workarounds of the other involving products, please refer to the following Configuration Guide, the download link is:
1.It is suggested to disable the SNMP function (the function of SNMP is disabled by default on Huawei devices). Or do not define local users, use RADIUS or HWTACACS.
Query the status of SNMP and SNMP agent is not enabled.
[HUAWEI]display snmp-agent sys-info
2.When Huawei devices enable SNMP, the default version to be used is V3. It is not suggested to use V1 and V2.
Query the status of SNMP:
[HUAWEI]display snmp-agent sys-info
If the query result is displayed as:
SNMP version running in the system:
SNMPv1 SNMPv2c SNMPv3
Disable SNMP V1/V2:
[HUAWEI]undo snmp-agent sys-info version v1 v2c
3.If SNMP V1/V2 protocol is applied, it is needed to block SNMP V1/V2 by using access controls or firewalls;
The configuration example:
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[HUAWEI-acl-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] snmp-agent community read cipher security-read mib-view userinfo acl 2001
[HUAWEI] snmp-agent community write cipher security-write mib-view userinfo acl 2001
Note: The above-mentioned community names are just used as examples. For the actual configuration, the community names with high complexity are needed.
4.If SNMP V1/V2 protocol is applied, it is suggested to disable the SNMP V1/V2 mib entries for querying user account;
The configuration example:
[HUAWEI] snmp-agent mib-view include userinfo internet
[HUAWEI] snmp-agent mib-view excluded userinfo snmpUsmMIB
[HUAWEI] snmp-agent mib-view excluded userinfo snmpVacmMIB
[HUAWEI] snmp-agent mib-view excluded userinfo hwLocalUserTable
[HUAWEI] snmp-agent mib-view excluded userinfo hwCfgOperateTable
[HUAWEI] snmp-agent mib-view excluded userinfo hwCollectTable
[HUAWEI] snmp-agent community read cipher security-read mib-view userinfo
[HUAWEI] snmp-agent community write cipher security-write mib-view userinfo
Note: Before performing step 4, confirm with the NMS (Network Management Station) provider that disabling MIB nodes does not affect the NMS services. If disabling a MIB node affects the NMS services, do not run the snmp-agent mib-view excluded userinfo xxx command for this node.
Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades, or obtain them through Huawei worldwide website at http://support.huawei.com/support/. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.
This vulnerability is found by Kurt Grutzmacher. The Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Huawei express our appreciation for Kurt Grutzmacher’s concerns on Huawei products.For security problems about Huawei products and solutions, please contact PSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2012-10-25 V1.0 INITIAL
2012-11-13 V1.1 UPDATED update the affected version and temporary fix
2012-11-24 V1.2 UPDATED update the temporary fix
2013-01-05 V1.3 UPDATED update the affected version, temporary fix and software fixes
2013-03-18 V1.4 UPDATED update the software fixesNone
