Taking Exception to the StringBleed Vulnerability

Posted by Lisa Patel

Security researchers claim to have discovered an SNMP authentication bypass, dubbed StringBleed, that affects several models of Internet-connected devices. According to the claim, an attacker can send an SNMPv1/v2c request to the SNMP agent on an affected device with an arbitrary community string (any string or integer value) and the agent answers as if the string had been valid, so the community-string check is effectively bypassed.

Technical details are here:
https://nvd.nist.gov/vuln/detail/CVE-2017-5135

The higher level overview is here:
http://securityaffairs.co/wordpress/58485/hacking/stringbleed-snmp-authentication-bypass.html

“In a few words, we discovered the following: you can use any value string or integer in order to authenticate the SNMP agent successfully in some specific devices, but the worst thing here is: you have full read/write remote permissions using any string/integer value,” said the researchers.

At last count, 78 devices were affected.

A Reddit discussion is here:
https://www.reddit.com/r/netsec/comments/67qt6u/cve_20175135_snmp_authentication_bypass/

The Security Affairs article suggests some devices allow open access, regardless of the community string that is used.

Taken at face value, this would mean that no password/community validation is implemented in the device at all. However, every SNMP-capable device on the Internet is built on some kind of SNMP stack, commercial or open source, and it is hard to believe that a widely deployed stack would omit community validation altogether. It therefore seems more likely that this is a configuration issue: some SNMP-enabled devices may be shipped, or left running, in a state where community authentication is switched off. That is worse than shipping them with the default community string “public” (as many devices did in the past), because a default string can at least be changed by the operator, whereas a disabled check accepts everything.
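The distinction drawn above (no validation at all versus a guessable default) can be tested from outside without any SNMP library: send the same GetRequest with two unrelated random community strings and then with “public”, and see which ones the agent answers. The script below is an added example written for this post, not code from the researchers or from any vendor; it assumes the agent listens on UDP/161, probes sysDescr.0, and uses a classification heuristic of my own (two random strings both answered means the community check is not being applied). The BER encoder/decoder covers only the small subset of SNMPv1/v2c needed for a GetRequest and its GetResponse.

```python
"""Minimal SNMPv2c GetRequest encoder / GetResponse decoder (BER) used to test
whether an agent answers regardless of the community string.  Added example;
the probe strategy and classification labels are assumptions, not the
researchers' method."""
import os
import random
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # sysDescr.0, readable on any agent


def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value with short or long definite-length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v: int) -> bytes:
    """ASN.1 INTEGER for non-negative v, padded so the sign bit stays clear."""
    n = max(1, (v.bit_length() + 8) // 8)
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def _oid(oid) -> bytes:
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed, rest base-128."""
    body = bytes([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def build_get_request(community: str, request_id: int, oid=SYS_DESCR_OID) -> bytes:
    """SNMPv2c GetRequest for one OID with the given community string."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")          # SEQUENCE { OID, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 = v2c


def build_get_response(community: str, request_id: int, value: bytes,
                       oid=SYS_DESCR_OID, error_status: int = 0) -> bytes:
    """Constructed GetResponse carrying an OCTET STRING; used to exercise the
    parser offline, not something a real probe needs to build."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, value))
    pdu = _tlv(0xA2, _int(request_id) + _int(error_status) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long form
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_int(body: bytes) -> int:
    return int.from_bytes(body, "big", signed=True)


def parse_response(data: bytes, expected_id: int):
    """Return (community, error_status, value_tag, value) if data is a v1/v2c
    GetResponse whose request-id matches, otherwise None (malformed input is
    treated as 'no answer')."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return None
        tag, ver, pos = _read_tlv(msg, 0)
        if tag != 0x02 or _decode_int(ver) not in (0, 1):    # v1 or v2c only
            return None
        tag, community, pos = _read_tlv(msg, pos)
        if tag != 0x04:
            return None
        tag, pdu, _ = _read_tlv(msg, pos)
        if tag != 0xA2:                                      # GetResponse-PDU
            return None
        _, rid, pos = _read_tlv(pdu, 0)
        if _decode_int(rid) != expected_id:
            return None
        _, err, pos = _read_tlv(pdu, pos)
        _, _idx, pos = _read_tlv(pdu, pos)
        _, varbinds, _ = _read_tlv(pdu, pos)
        _, vb, _ = _read_tlv(varbinds, 0)
        _, _oid_body, p = _read_tlv(vb, 0)
        vtag, value, _ = _read_tlv(vb, p)
        return community.decode(errors="replace"), _decode_int(err), vtag, value
    except (IndexError, ValueError):
        return None


def classify(results: dict, communities) -> str:
    """Heuristic (an assumption of this example): the first two communities are
    random; if both draw a non-error answer the agent is not checking them."""
    random_ok = [results.get(c) is not None and results[c][1] == 0 for c in communities[:2]]
    if all(random_ok):
        return "accepts any community (StringBleed-like)"
    pub = results.get("public")
    if pub is not None and pub[1] == 0:
        return "default community 'public' accepted"
    return "no unauthenticated answer"


def probe(host: str, port: int = 161, timeout: float = 2.0) -> str:
    """Send the same GetRequest under two random communities and 'public'."""
    communities = [os.urandom(8).hex(), os.urandom(8).hex(), "public"]
    results = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for c in communities:
            rid = random.randrange(1, 0x7FFFFFFF)           # fresh id per request
            sock.sendto(build_get_request(c, rid), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
                results[c] = parse_response(data, rid)
            except socket.timeout:
                results[c] = None
    finally:
        sock.close()
    return classify(results, communities)
```

Run `probe("192.0.2.1")` against a device you are authorised to test; a fresh request-id per packet stops a replayed or unrelated datagram from being counted as an answer, and a non-zero error-status (for example noSuchName on an SNMPv1 agent) is deliberately not treated as success.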

A post by “bloodjx” on Reddit provides some illumination:

bloodjx wrote:
Interesting find, I looked at SNMP in DOCSIS 2.0 spec and sure enough, “SNMP Mode for DOCSIS 2.0-compliant CMs – SNMPv1/v2c packets are accepted which contain any community string.”

The actual document substantiating bloodjx’s finding is here:
http://www.scte.org/SCTEDocs/Standards/SCTE%2079-2%202016.pdf

Note pages 20 and 21:

5.2 SNMP Mode for DOCSIS 2.0-compliant CMs
DOCSIS 2.0-compliant CMs (in 2.0, 1.1, and 1.0 modes) MUST support SNMPv1, SNMPv2c, and SNMPv3 as well as SNMP-coexistence ([RFC 2576]) subject to the following requirements:

a) Before completion of registration, the CM MUST operate as follows (in some CCCM implementations, SNMP access MAY be made inaccessible from the CPE for security reasons; in such implementation, the access to similar set of MIB objects SHOULD be provided by a diagnostic utility as described in Section 9.3):

– SNMPv1/v2c packets are accepted which contain any community string.


– All SNMPv3 packets are dropped.

In other words, the DOCSIS 2.0 specification requires a cable modem to accept SNMPv1/v2c packets carrying an arbitrary community string, and to drop SNMPv3 entirely, before it completes registration. Note the scope of the requirement: the quoted text covers the period before registration completes, so the specification itself does not mandate this behaviour for a modem that has already registered; a modem still answering any community string once it is online is running in that state for some other reason.

Conclusion:

StringBleed is therefore most likely not a newly discovered flaw in the SNMP protocol, nor an SNMP implementation error by the manufacturers, but a misconfiguration: a side-effect of the DOCSIS 2.0 (Data Over Cable Service Interface Specification) requirement that cable modems accept any community string before registration completes.

CableLabs in North America and Excentis in Europe must advise their clients on how to best proceed given this new information.
