Toll Free US: +1 888 720 9500 | Intl: +1 925 924 9500
+1 800 443 6694 (alternative number)

AdventNet products are free from the CERT Vulnerability issue (VU#878044)

The US-CERT (United States Computer Emergency Readiness Team) has described an SNMPv3 Authentication vulnerability in their Vulnerability Note VU#878044.

In the description, they have given the following;

"SNMP can be configured to utilize version 3, which is the current standard version of SNMP. SNMPv3 incorporates security features such as authentication and privacy control among other features. Authentication for SNMPv3 is done using keyed-Hash Message Authentication Code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte."

With regard to our AdventNet SNMP products, namely

AdventNet SNMP API Java Edition
AdventNet SNMP Agent Toolkit Java Edition
AdventNet SNMP Agent Toolkit C Edition
AdventNet Simulation Toolkit
AdventNet SNMP Utilities
AdventNet Agent Tester
AdventNet SNMP Adaptor for JMX
AdventNet Web NMS

We would like to state that the products DO NOT have the above mentioned authentication vulnerability at all, because the products have already checked for the correct length of the HMAC code. A packet with a shortened HMAC code in the authenticator field, is altogether dropped and appropriate error is notified. So, this vulnerability issue (VU#878044) is not present in any of our AdventNet products. Hence there is no specific action to be taken by the users of AdventNet products, with regard to this vulnerability issue.

Please feel free to contact us for any clarification.

References:

oCERT Advisory http://www.ocert.org/advisories/ocert-2008-006.html
US-CERT -- Vulnerability Note VU#878044 -- SNMPv3 improper HMAC validation allows authentication bypass http://www.kb.cert.org/vuls/id/878044
US-CERT -- SNMPv3 Authentication Bypass vulnerability -- http://www.us-cert.gov/cas/techalerts/TA08-162A.html

Enterprise Management & Security Products
Active Directory Management Active Directory Auditing Application Monitoring Asset Management Customer Support Software Desktop Management EventLog Analyzer Facilities Management Firewall Analyzer Free Active Directory Tools Free Windows Tools Help Desk Software Load Testing MSP Platform MSP Help Desk Software	Network Configuration Management Network Monitoring Network Security Scanner with Patch Management OS Deployment Password Management Self-Service Password Management Storage Management Software Switch Port & IP Address Management Traffic Analysis & Network Forensics VoIP Monitoring WiFi Manager Website Monitoring (SaaS)

Downloads

Forums

View All Forums

Product List

Active Directory Management
Active Directory Auditing
Application Monitoring
Asset Management
Customer Support Software
Desktop Management
EventLog Analyzer

Facilities Management
Firewall Analyzer
Free Active Directory Tools
Free Windows Tools
Help Desk Software
Load Testing
MSP Platform

MSP Help Desk Software
Network Configuration Management
Network Monitoring
Network Security Scanner with Patch Management
OS Deployment
Password Management

Self-Service Password Management
Storage Management Software
Switch Port & IP Address Management
Traffic Analysis & Network Forensics
VoIP Monitoring
WiFi Manager Website Monitoring (SaaS)