Hi Coders,

Regarding a security-related finding...

When an incorrect username is provided from the manager (ManageEngine tool), the 
manager throws "Discovery failed for username", which could be used by an 
attacker to know whether a user exists or not.

I did a workaround and came up with a fix.

Please let me know if this fix is appropriate or not.

In file snmpusm.c, in function usm_process_in_msg(), in the code snippet below, I 
changed the return value from SNMPERR_USM_UNKNOWNSECURITYNAME to 
SNMPERR_USM_GENERICERROR, with which the error in the manager changed to 
"Timesync failure" for an incorrect username.

    /*
     * Locate the User record.
     * If the user/engine ID is unknown, report this as an error.
     */
    if ((user = usm_get_user_from_list(secEngineID, *secEngineIDLen,
                                       secName, userList,
                                       (((sess && sess->isAuthoritative ==
                                          SNMP_SESS_AUTHORITATIVE) ||
                                         (!sess)) ? 0 : 1)))
        == NULL) {
        DEBUGMSGTL(("usm", "Unknown User(%s)\n", secName));
        snmp_increment_statistic(STAT_USMSTATSUNKNOWNUSERNAMES);
        return SNMPERR_USM_GENERICERROR;
    }

Thanks & Regards,
Madhu

_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
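
The concern in the message above, reduced to a stand-alone model (an added example, not net-snmp code and not the poster's): a failure path stops revealing user existence only if an unknown user and a known user with bad credentials produce the same visible result. All names here (`usm_result`, `process_visible`, `leaks_user_existence`, the user table) are hypothetical and the data is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes for this model; not net-snmp's SNMPERR_* values. */
enum usm_result { USM_OK, USM_UNKNOWN_USER, USM_AUTH_FAILURE, USM_GENERIC_ERROR };

struct usm_user { const char *name; const char *auth_key; };

/* Constructed user table for the demonstration. */
static const struct usm_user USERS[] = { { "opsview", "k3y-A" }, { "backup", "k3y-B" } };

/* Internal counters stay precise so operators can still see what happened. */
static unsigned long stat_unknown_users, stat_wrong_digests;

static const struct usm_user *find_user(const char *name)
{
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcmp(USERS[i].name, name) == 0)
            return &USERS[i];
    return NULL;
}

/* Precise internal outcome; strcmp() on the key is a stand-in for digest verification. */
static enum usm_result process_internal(const char *name, const char *key)
{
    const struct usm_user *u = find_user(name);
    if (u == NULL) { stat_unknown_users++; return USM_UNKNOWN_USER; }
    if (strcmp(u->auth_key, key) != 0) { stat_wrong_digests++; return USM_AUTH_FAILURE; }
    return USM_OK;
}

/* What the remote manager sees. With uniform != 0, every failure collapses to one code. */
enum usm_result process_visible(const char *name, const char *key, int uniform)
{
    enum usm_result r = process_internal(name, key);
    return (uniform && r != USM_OK) ? USM_GENERIC_ERROR : r;
}

/* Regression check: returns 1 if a wrong-credential probe tells a real user
 * apart from a made-up one, i.e. the response still signals user existence. */
int leaks_user_existence(int uniform)
{
    enum usm_result known   = process_visible("opsview", "wrong", uniform);
    enum usm_result unknown = process_visible("no-such-user", "wrong", uniform);
    return known != unknown;
}

int main(void) { return leaks_user_existence(1); } /* exit status 0: no leak */
```

The same comparison applies to any externally readable counter: in this model the two counters differ per case, so they must stay internal for the uniform response to hold.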