On 5/10/17, Madhusudhana R <madhusudhan...@in.abb.com> wrote:
> Hi Lee,
>
> Thanks for the response.
>
> If SNMPERR_USM_AUTHENTICATIONFAILURE is used the error turns out to be
> "authProtocol or authPassword may be wrong" on ManageEngine tool.
>
> As I mentioned before, with SNMPERR_USM_GENERICERROR we get "Timesync Failure".
> So this error can give the impression that the agent is not running. (apologies if my
> thinking is so bad!!)
>
> Please suggest which return status is more appropriate?
> Also with either of them, will it affect the system architecture in any
> way?

What are you trying to accomplish here?  Your original msg said
>>   Regarding a security related finding...

Somebody did a security audit & you're stuck with addressing the
finding?  I've had the same type of thing & yes, according to the
security people, allowing attackers to figure out valid userids is A
Bad Thing.  I see a couple of possible solutions:

You've got the source code, so apply your change, deploy & you're done.


It's not looking like the admins are in favor of the change you
submitted, so maybe try something different?  Like add a configuration
option to disable specific USM error codes & add an #ifdef block in
snmp_api.h to define whatever USM error codes to all be the same
value.  E.g. something like
#ifdef noSpecificUSMErrorCodes
#define SNMPERR_USM_UNKNOWNSECURITYNAME         (-46)
#define SNMPERR_USM_UNSUPPORTEDSECURITYLEVEL    (-46)
#define SNMPERR_USM_AUTHENTICATIONFAILURE       (-46)
#else
#define SNMPERR_USM_UNKNOWNSECURITYNAME         (-43)
#define SNMPERR_USM_UNSUPPORTEDSECURITYLEVEL    (-44)
#define SNMPERR_USM_AUTHENTICATIONFAILURE       (-46)
#endif

So the people that want specific error codes can have them & the
people that want just a generic auth fail can have that.


My personal favorite is to allow SNMP only from trusted subnets/hosts
- e.g. iptables, firewalls, router ACLs, etc.

Regards,
Lee
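A constructed illustration of the configuration-option approach described above (added here; not net-snmp code). It turns the compile-time #ifdef into a hypothetical runtime switch `collapse_usm_errors`: when set, the three user-distinguishing USM statuses all map to the same value before reaching the requester, while the per-cause statistics counters stay distinct for the operator. The numeric values are the ones quoted in the message above.

```c
#include <stdio.h>

/* Status values as quoted in the message above (constructed example). */
#define SNMPERR_USM_UNKNOWNSECURITYNAME         (-43)
#define SNMPERR_USM_UNSUPPORTEDSECURITYLEVEL    (-44)
#define SNMPERR_USM_AUTHENTICATIONFAILURE       (-46)

/* Local statistics, kept separate so the operator can still see why
 * requests are being rejected even when the wire-visible status is
 * collapsed (hypothetical counters, not the real usmStats objects). */
enum { STAT_UNKNOWN_USER, STAT_UNSUPPORTED_LEVEL, STAT_WRONG_DIGEST, STAT_COUNT };
unsigned long usm_stats[STAT_COUNT];

/* Hypothetical configuration option: 1 = collapse to a single status. */
int collapse_usm_errors = 0;

/* Map a specific USM failure to the status that will be reported outward.
 * Non user-distinguishing statuses are passed through unchanged. */
int usm_report_status(int specific)
{
    switch (specific) {
    case SNMPERR_USM_UNKNOWNSECURITYNAME:
        usm_stats[STAT_UNKNOWN_USER]++;
        break;
    case SNMPERR_USM_UNSUPPORTEDSECURITYLEVEL:
        usm_stats[STAT_UNSUPPORTED_LEVEL]++;
        break;
    case SNMPERR_USM_AUTHENTICATIONFAILURE:
        usm_stats[STAT_WRONG_DIGEST]++;
        break;
    default:
        return specific;
    }
    /* With the option set, an unknown user is indistinguishable from a
     * bad password on the wire: both come back as AUTHENTICATIONFAILURE. */
    return collapse_usm_errors ? SNMPERR_USM_AUTHENTICATIONFAILURE : specific;
}

int main(void)
{
    collapse_usm_errors = 1;
    printf("unknown user -> %d\n", usm_report_status(SNMPERR_USM_UNKNOWNSECURITYNAME));
    printf("bad digest   -> %d\n", usm_report_status(SNMPERR_USM_AUTHENTICATIONFAILURE));
    printf("unknown-user counter = %lu\n", usm_stats[STAT_UNKNOWN_USER]);
    return 0;
}
```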

>
> Thanks.
> Madhu
>
> -----Original Message-----
> From: Lee [mailto:ler...@gmail.com]
> Sent: Wednesday, May 10, 2017 5:37 PM
> To: Ulrich Windl <ulrich.wi...@rz.uni-regensburg.de>
> Cc: net-snmp-coders@lists.sourceforge.net
> Subject: Re: Username existence disclosure from Agent
>
> On 5/8/17, Ulrich Windl <ulrich.wi...@rz.uni-regensburg.de> wrote:
>>>>> Madhusudhana R <madhusudhan...@in.abb.com> wrote on 05.05.2017 at 11:16 in message
>> <db4pr06mb41239e1a802b6a266ffcb8ab0...@db4pr06mb412.eurprd06.prod.outlook.com>:
>>> Hi Coders,
>>>
>>> Regarding a security related finding...
>>>
>>> When an incorrect username is provided from the manager (ManageEngine tool),
>>> the manager throws "Discovery failed for username", which could be used by
>>> an attacker to know whether a user exists or not.
>>>
>>> I did a workaround and came up with fix.
>>>
>>> Please let me know if this fix is appropriate or not.
>>>
>>> In file snmpusm.c, in function usm_process_in_msg() and below code
>>> snippet, I changed the return value from
>>> SNMPERR_USM_UNKNOWNSECURITYNAME to SNMPERR_USM_GENERICERROR with
>>> which the error in Manager changed to "Timesync failure" for
>>> incorrect username.
>>
>> IMHO, the gain of guessing a user name is not a significant problem as
>> the password is what really protects the account. In any case an error
>> like "Timesync failure" for a bad user name is clearly to be rejected.
>
> Probably not a significant problem, but still, you're not supposed to allow
> enumerating userids.  E.g.
> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Authentication_and_Error_Messages
>   Correct Response Example
>      "Login failed; Invalid userID or password"
>   The correct response does not indicate if the user ID or password is the
> incorrect parameter and hence inferring a valid user ID.
>
> Would SNMPERR_USM_AUTHENTICATIONFAILURE be the appropriate status to return
> for an invalid userid or password?
>
> Regards,
> Lee
>
>
>>
>> Ulrich
>>
>>
>>>
>>>     /*
>>>      * Locate the User record.
>>>      * If the user/engine ID is unknown, report this as an error.
>>>      */
>>>     if ((user = usm_get_user_from_list(secEngineID, *secEngineIDLen,
>>>                                        secName, userList,
>>>                                        (((sess &&
>>>                                           sess->isAuthoritative ==
>>>                                           SNMP_SESS_AUTHORITATIVE) ||
>>>                                          (!sess)) ? 0 : 1)))
>>>         == NULL) {
>>>         DEBUGMSGTL(("usm", "Unknown User(%s)\n", secName));
>>>         snmp_increment_statistic(STAT_USMSTATSUNKNOWNUSERNAMES);
>>>         /* Changed from SNMPERR_USM_UNKNOWNSECURITYNAME */
>>>         return SNMPERR_USM_GENERICERROR;
>>>     }
>>>
>>> Thanks & Regards,
>>> Madhu
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's
>> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Net-snmp-coders mailing list
>> Net-snmp-coders@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>>
>
>
