On 5/8/17, Ulrich Windl <ulrich.wi...@rz.uni-regensburg.de> wrote:
> Madhusudhana R <madhusudhan...@in.abb.com> wrote on 05.05.2017 at 11:16 in message
> <db4pr06mb41239e1a802b6a266ffcb8ab0...@db4pr06mb412.eurprd06.prod.outlook.com>:
>> Hi Coders,
>>
>> Regarding a security related finding...
>>
>> When an incorrect username is provided from the manager (ManageEngine tool), the
>> manager throws "Discovery failed for username", which could be used by an
>> attacker to know whether a user exists or not.
>>
>> I did a workaround and came up with a fix.
>>
>> Please let me know if this fix is appropriate or not.
>>
>> In file snmpusm.c, in function usm_process_in_msg() and the code snippet below,
>> I changed the return value from SNMPERR_USM_UNKNOWNSECURITYNAME to
>> SNMPERR_USM_GENERICERROR, with which the error in the Manager changed to
>> "Timesync failure" for an incorrect username.
>
> IMHO, the gain of guessing a user name is not a significant problem, as the
> password is what really protects the account. In any case an error like
> "Timesync failure" for a bad user name is clearly to be rejected.
Probably not a significant problem, but still, you're not supposed to allow enumerating userids, e.g.
https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Authentication_and_Error_Messages

  Correct Response Example: "Login failed; Invalid userID or password"
  The correct response does not indicate if the user ID or password is the incorrect parameter and hence inferring a valid user ID.

Would SNMPERR_USM_AUTHENTICATIONFAILURE be the appropriate status to return for an invalid userid or password?

Regards,
Lee

> Ulrich
>
>> /*
>>  * Locate the User record.
>>  * If the user/engine ID is unknown, report this as an error.
>>  */
>> if ((user = usm_get_user_from_list(secEngineID, *secEngineIDLen,
>>                                    secName, userList,
>>                                    (((sess && sess->isAuthoritative ==
>>                                       SNMP_SESS_AUTHORITATIVE) ||
>>                                      (!sess)) ? 0 : 1)))
>>     == NULL) {
>>     DEBUGMSGTL(("usm", "Unknown User(%s)\n", secName));
>>     snmp_increment_statistic(STAT_USMSTATSUNKNOWNUSERNAMES);
>>     return SNMPERR_USM_GENERICERROR;
>> }
>>
>> Thanks & Regards,
>> Madhu

_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
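Lee's suggestion above (one caller-visible code for both "unknown user" and "bad credentials"), as an added example that is not from the thread or from net-snmp: a constructed C model of the lookup-then-authenticate step, with hypothetical names (usm_authenticate, user_table, the stat_* counters, the USM_* codes) and a plain string standing in for the real HMAC check. Both failure paths return the same code, so the response leaks nothing about user existence, while the internal statistics stay distinct for local monitoring.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model of the lookup-then-authenticate step from the thread; the
 * names, table and codes are hypothetical stand-ins, not net-snmp's own API. */
#define USM_OK                    0
#define USM_AUTHENTICATIONFAILURE 1   /* the only failure code the caller sees */

/* Internal statistics stay distinct so local monitoring can still tell the
 * two failure modes apart (cf. STAT_USMSTATSUNKNOWNUSERNAMES in the snippet). */
unsigned long stat_unknown_user_names;
unsigned long stat_wrong_digests;

struct usm_user {
    const char *name;
    const char *expected_auth_param;  /* string stand-in for the HMAC check */
};
static const struct usm_user user_table[] = {   /* constructed single entry */
    { "monitor", "c0ffee-digest" },
};

/* Compare without an early exit, so a mismatch costs the same wherever it is. */
static int param_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* USM_OK only when the user exists and the auth parameter matches. Both failure
 * paths return the same code, so the response cannot be used to tell
 * "no such user" from "bad credentials". */
int usm_authenticate(const char *sec_name, const char *auth_param)
{
    const struct usm_user *user = NULL;
    for (size_t i = 0; i < sizeof user_table / sizeof user_table[0]; i++)
        if (strcmp(user_table[i].name, sec_name) == 0)
            user = &user_table[i];
    if (user == NULL) {
        stat_unknown_user_names++;
        return USM_AUTHENTICATIONFAILURE;
    }
    if (!param_equal(user->expected_auth_param, auth_param)) {
        stat_wrong_digests++;
        return USM_AUTHENTICATIONFAILURE;
    }
    return USM_OK;
}
```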