Hi Lee,

Thanks for the response.

If SNMPERR_USM_AUTHENTICATIONFAILURE is used, the error turns out to be "authProtocol or authPassword may be wrong" on the ManageEngine tool. As I mentioned before, with SNMPERR_USM_GENERICERROR we get "Timesync Failure". So this error can give the impression that the agent is not running. (Apologies if my thinking is so bad!!)

Please suggest which return status is more appropriate. Also, with either of them, will it affect the system architecture in any way?

Thanks.
Madhu

-----Original Message-----
From: Lee [mailto:ler...@gmail.com]
Sent: Wednesday, May 10, 2017 5:37 PM
To: Ulrich Windl <ulrich.wi...@rz.uni-regensburg.de>
Cc: net-snmp-coders@lists.sourceforge.net
Subject: Re: Username existence disclosure from Agent

On 5/8/17, Ulrich Windl <ulrich.wi...@rz.uni-regensburg.de> wrote:
>>>> Madhusudhana R <madhusudhan...@in.abb.com> wrote on 05.05.2017 at
>>>> 11:16 in
> message
> <db4pr06mb41239e1a802b6a266ffcb8ab0...@db4pr06mb412.eurprd06.prod.outlook.com>:
>> Hi Coders,
>>
>> Regarding a security-related finding...
>>
>> When an incorrect username is provided from the manager (ManageEngine tool),
>> the manager throws "Discovery failed for username", which could be used by
>> an attacker to know whether the user exists or not.
>>
>> I did a workaround and came up with a fix.
>>
>> Please let me know if this fix is appropriate or not.
>>
>> In file snmpusm.c, in function usm_process_in_msg() and the code
>> snippet below, I changed the return value from
>> SNMPERR_USM_UNKNOWNSECURITYNAME to SNMPERR_USM_GENERICERROR, with
>> which the error in the Manager changed to "Timesync failure" for an
>> incorrect username.
>
> IMHO the gain of guessing a user name is not a significant problem, as
> the password is what really protects the account. In any case an error
> like "Timesync failure" for a bad user name is clearly to be rejected.

Probably not a significant problem, but still, you're not supposed to allow enumerating userids. e.g.
https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Authentication_and_Error_Messages

  Correct Response Example
  "Login failed; Invalid userID or password"
  The correct response does not indicate if the user ID or password is the incorrect parameter and hence inferring a valid user ID.

Would SNMPERR_USM_AUTHENTICATIONFAILURE be the appropriate status to return for an invalid userid or password?

Regards,
Lee

>
> Ulrich
>
>
>>
>>     /*
>>      * Locate the User record.
>>      * If the user/engine ID is unknown, report this as an error.
>>      */
>>     if ((user = usm_get_user_from_list(secEngineID, *secEngineIDLen,
>>                                        secName, userList,
>>                                        (((sess &&
>>                                           sess->isAuthoritative ==
>>                                           SNMP_SESS_AUTHORITATIVE) ||
>>                                          (!sess)) ? 0 : 1)))
>>         == NULL) {
>>         DEBUGMSGTL(("usm", "Unknown User(%s)\n", secName));
>>         snmp_increment_statistic(STAT_USMSTATSUNKNOWNUSERNAMES);
>>         return SNMPERR_USM_GENERICERROR;
>>     }
>>
>> Thanks & Regards,
>> Madhu
>
>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
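An added example, not net-snmp code and not the patch under discussion, of the approach the OWASP page linked above describes: a hypothetical user lookup that returns the same status for an unknown user and for a wrong key, while keeping separate internal counters so the operator can still tell the two causes apart. All names, keys and status codes are constructed; how an agent maps the status into a report PDU is outside this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical status codes and counters named after the thread's; not net-snmp's definitions. */
enum { USM_OK = 0, USM_ERR_AUTHFAILURE = -1 };
enum { STAT_UNKNOWN_USERNAMES, STAT_WRONG_DIGESTS, STAT_COUNT };
static unsigned long usm_stats[STAT_COUNT];   /* local counters, never sent to the peer */
#define KEY_LEN 16
/* Constructed sample keys; a real agent derives these from the passphrase. */
static const uint8_t MONITOR_KEY[KEY_LEN] = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xba,
    0xdc, 0xfe, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
static const uint8_t WRONG_KEY[KEY_LEN] = { 0 };
static const uint8_t DUMMY_KEY[KEY_LEN] = { 0xa5 };  /* remaining bytes are zero */

struct usm_user { const char *name; const uint8_t *key; };
static const struct usm_user user_list[] = { { "monitor", MONITOR_KEY } };
/* Constant-time comparison: no early exit on the first differing byte. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* One externally visible status for "unknown user" and "wrong key"; the
 * real cause is recorded only in the local statistics for the operator. */
int usm_authenticate(const char *sec_name, const uint8_t *presented_key)
{
    const struct usm_user *user = NULL;
    for (size_t i = 0; i < sizeof user_list / sizeof user_list[0]; i++)
        if (strcmp(user_list[i].name, sec_name) == 0)
            user = &user_list[i];

    if (user == NULL) {
        usm_stats[STAT_UNKNOWN_USERNAMES]++;
        /* Compare against a dummy key so the unknown-user path is not
         * measurably cheaper than the wrong-key path. */
        (void)ct_equal(DUMMY_KEY, presented_key, KEY_LEN);
        return USM_ERR_AUTHFAILURE;
    }
    if (!ct_equal(user->key, presented_key, KEY_LEN)) {
        usm_stats[STAT_WRONG_DIGESTS]++;
        return USM_ERR_AUTHFAILURE;
    }
    return USM_OK;
}
unsigned long usm_stat(int which) { return usm_stats[which]; }
```

A caller seeing only the return value cannot distinguish the two failure cases, while the two counters still let the operator detect a burst of unknown-user attempts.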