>>> Madhusudhana R <[email protected]> wrote on 05.05.2017 at 11:16 in
message
<db4pr06mb41239e1a802b6a266ffcb8ab0...@db4pr06mb412.eurprd06.prod.outlook.com>:
> Hi Coders,
>
> Regarding a security related finding...
>
> When an incorrect username is provided from the manager (ManageEngine tool), the
> manager throws "Discovery failed for username", which could be used by an
> attacker to learn whether a user exists or not.
>
> I did a workaround and came up with fix.
>
> Please let me know if this fix is appropriate or not.
>
> In file snmpusm.c, in the function usm_process_in_msg() and the code snippet below,
> I changed the return value from SNMPERR_USM_UNKNOWNSECURITYNAME to
> SNMPERR_USM_GENERICERROR,
> with which the error in the Manager changed to "Timesync failure" for an incorrect
> username.
IMHO, the gain of guessing a user name is not a significant problem, as the
password is what really protects the account. In any case, an error like
"Timesync failure" for a bad user name is clearly to be rejected.
Ulrich
>
>     /*
>      * Locate the User record.
>      * If the user/engine ID is unknown, report this as an error.
>      */
>     if ((user = usm_get_user_from_list(secEngineID, *secEngineIDLen,
>                                        secName, userList,
>                                        (((sess && sess->isAuthoritative ==
>                                           SNMP_SESS_AUTHORITATIVE) ||
>                                          (!sess)) ? 0 : 1)))
>         == NULL) {
>         DEBUGMSGTL(("usm", "Unknown User(%s)\n", secName));
>         snmp_increment_statistic(STAT_USMSTATSUNKNOWNUSERNAMES);
>         return SNMPERR_USM_GENERICERROR;
>     }
>
> Thanks & Regards,
> Madhu
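An added detection example, not from this thread or from net-snmp itself: the lookup quoted above increments usmStatsUnknownUserNames for every unknown security name, so an operator can poll that counter (and, going one step beyond the snippet, usmStatsWrongDigests for bad keys against known users) and alert on bursts between polls instead of hiding the condition behind a misleading error. It assumes `snmpwalk -On` style output lines; the threshold and the two sample polls are constructed.

```python
import re

# usmStats counters from SNMP-USER-BASED-SM-MIB (RFC 3414), as numeric OIDs.
USM_STATS = {
    ".1.3.6.1.6.3.15.1.1.3.0": "usmStatsUnknownUserNames",  # incremented in the snippet above
    ".1.3.6.1.6.3.15.1.1.5.0": "usmStatsWrongDigests",      # known user, wrong auth key
}

# One line of `snmpwalk -On` output, e.g. ".1.3.6.1.6.3.15.1.1.3.0 = Counter32: 17"
LINE_RE = re.compile(r"^(\.[\d.]+)\s*=\s*Counter32:\s*(\d+)$")


def parse_usm_stats(lines):
    """Return {counter_name: value} for the usmStats counters present in the lines."""
    out = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(1) in USM_STATS:
            out[USM_STATS[m.group(1)]] = int(m.group(2))
    return out


def classify_deltas(before, after, threshold=10):
    """Compare two polls and list counters that grew by at least `threshold`.

    A burst of usmStatsUnknownUserNames means many requests carried security
    names the agent does not know (username probing); a burst of
    usmStatsWrongDigests means authentication attempts against names it does
    know. `threshold` is a hypothetical per-interval limit; tune it to the
    site's normal management traffic.
    """
    findings = []
    for name in USM_STATS.values():
        delta = after.get(name, 0) - before.get(name, 0)
        if delta < 0:       # counter wrapped or agent restarted: skip this interval
            continue
        if delta >= threshold:
            findings.append((name, delta))
    return findings


# Constructed sample polls a few minutes apart (not real agent output).
POLL_T0 = [".1.3.6.1.6.3.15.1.1.3.0 = Counter32: 17",
           ".1.3.6.1.6.3.15.1.1.5.0 = Counter32: 4"]
POLL_T1 = [".1.3.6.1.6.3.15.1.1.3.0 = Counter32: 412",
           ".1.3.6.1.6.3.15.1.1.5.0 = Counter32: 5"]


def demo():
    return classify_deltas(parse_usm_stats(POLL_T0), parse_usm_stats(POLL_T1))
```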
_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders