Re: Username existence disclosure from Agent

2017-05-11 Thread Lee
..@gmail.com] > Sent: Wednesday, May 10, 2017 5:37 PM > To: Ulrich Windl > Cc: net-snmp-coders@lists.sourceforge.net > Subject: Re: Username existence disclosure from Agent > > On 5/8/17, Ulrich Windl wrote: >>>>> Madhusudhana R schrieb am 05.05.2017 um >>

RE: Username existence disclosure from Agent

2017-05-10 Thread Madhusudhana R
nesday, May 10, 2017 5:37 PM To: Ulrich Windl Cc: net-snmp-coders@lists.sourceforge.net Subject: Re: Username existence disclosure from Agent On 5/8/17, Ulrich Windl wrote: >>>> Madhusudhana R wrote on 05.05.2017 at >>>> 11:16 in > message > : >

Re: Username existence disclosure from Agent

2017-05-10 Thread Lee
On 5/8/17, Ulrich Windl wrote: Madhusudhana R wrote on 05.05.2017 at 11:16 in > message > : >> Hi Coders, >> >> Regarding a security related finding... >> >> When an incorrect username is provided from manager (ManageEngine tool), the >> >> manager throws "Discovery failed for username

Re: Username existence disclosure from Agent

2017-05-08 Thread Łukasz Wrzesiński
SNMP v3 UserName is sent in clear text in each SNMPv3 PDU, also for Auth and AuthPriv. You could obtain it by sniffing packages, without any SNMP query (you could check it using Wireshark or something similar). Your change is pointless. 2017-05-08 8:04 GMT+02:00 Ulrich Windl : > >>> Madhusudhan

Antw: Username existence disclosure from Agent

2017-05-07 Thread Ulrich Windl
>>> Madhusudhana R wrote on 05.05.2017 at 11:16 in message : > Hi Coders, > > Regarding a security related finding... > > When an incorrect username is provided from manager (ManageEngine tool), the > manager throws "Discovery failed for username" which could be used by an > attacker to know

Username existence disclosure from Agent

2017-05-05 Thread Madhusudhana R
Hi Coders, Regarding a security related finding... When an incorrect username is provided from manager (ManageEngine tool), the manager throws "Discovery failed for username" which could be used by an attacker to know whether a user exists or not. I did a workaround and came up with a fix. Please le