Hi Coders,

With Netsnmp v5.8 upgraded in my project (which was already working with 
v5.7.3), I am finding one problem, which is described below.

A user is created in the agent (which is netsnmp v5.8)

Username: 'user1'
Hash algo: 'SHA224'
Password: 'password123'
Priv algo: 'AES192'
Password: 'passwordABC'

When I polled from the manager (iReasoning MIB Browser) with an SNMP get request 
using the credentials below for the user

Username: 'user1'
Hash algo: 'SHA224'
Password: 'password123'
Priv algo: 'AES192'
Password: ' ' (a whitespace)
The get request was successful even though the privacy protocol password is a 
whitespace, which means the agent responded with a valid get response.

Observation on Wireshark: There was a get response packet in unencrypted 
format (plain text).
Observation on Manager (iReasoning MIB Browser): The get response was successful.

This looks like a security flaw, since the user is configured with the authPriv 
protocol and, with a wrong privacy password, the response comes as plain text.

Please correct me if my observation is wrong anyway. If not, can anyone please 
comment on this?

Thanks in advance.

Regards,
Madhu

_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
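
When triaging a report like the one above, it helps to read the security level each captured SNMPv3 message actually declares: the msgFlags octet in the message header (RFC 3412) carries the auth bit (0x01) and the priv bit (0x02), and msgData is an OCTET STRING only when it is encrypted. The following is an added example, not part of the original post or of Net-SNMP; the function names and the sample messages are constructed for illustration.

```python
# Added example: classify SNMPv3 messages by their msgFlags octet (RFC 3412).

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the BER TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[off:off + length], off + length

def classify(msg):
    """Report the security level a message declares and whether msgData is encrypted."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, version, off = read_tlv(body, 0)
    if tag != 0x02 or int.from_bytes(version, "big") != 3:
        raise ValueError("not an SNMPv3 message")
    _, header, off = read_tlv(body, off)    # msgGlobalData
    _, _, h = read_tlv(header, 0)           # msgID
    _, _, h = read_tlv(header, h)           # msgMaxSize
    tag, flags, _ = read_tlv(header, h)     # msgFlags, a single octet
    if tag != 0x04 or len(flags) != 1:
        raise ValueError("bad msgFlags")
    _, _, off = read_tlv(body, off)         # msgSecurityParameters
    data_tag, _, _ = read_tlv(body, off)    # msgData
    auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)
    level = ("authPriv" if auth and priv else "authNoPriv" if auth
             else "invalid" if priv else "noAuthNoPriv")
    # A plaintext ScopedPDU is a SEQUENCE (0x30); an encryptedPDU is an OCTET STRING (0x04).
    return {"level": level, "encrypted": data_tag == 0x04}

# Builders for the constructed samples (short-form lengths only, values under 128 bytes).
def tlv(tag, value):
    return bytes([tag, len(value)]) + value

def sample(flags, data):
    header = tlv(0x30, tlv(2, b"\x01") + tlv(2, b"\x05\xdc") + tlv(4, bytes([flags])) + tlv(2, b"\x03"))
    return tlv(0x30, tlv(2, b"\x03") + header + tlv(4, b"") + data)

PLAINTEXT = tlv(0x30, b"")          # constructed placeholder ScopedPDU
CIPHERTEXT = tlv(0x04, bytes(8))    # constructed placeholder encryptedPDU
```

Feed `classify()` the UDP payload of both the request and the response from the capture; comparing the two results shows whether the request itself was sent at authNoPriv or at authPriv.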
