Airspan SNMPv3 credentials stored and displayed in plaintext

Low
vladionescu published GHSA-qjgc-rx8m-q58x Jul 20, 2022

Package

AirVelocity 1500 eNB (Airspan)

Affected versions

9.3.0.01249

Patched versions

15.18.00.2511

Description

Vulnerability Description

SNMPv3 not hashed

The device supports both SNMPv2c (community string authentication) and SNMPv3 (user/password authentication). The device's SNMP server, snmpd, can protect SNMPv3 passwords by storing keys irreversibly derived from the password rather than the password itself. From snmpd's manual (createUser section):

This directive should be placed into the /var/net-snmp/snmpd.conf file instead of the other normal locations. The reason is that the information is read from the file and then the line is removed (eliminating the storage of the master password for that user) and replaced with the key that is derived from it. This key is a localized key, so that if it is stolen it can not be used to access other agents. If the password is stolen, however, it can be.

As that passage describes, snmpd will automatically replace plaintext passwords with the corresponding keys if those passwords are saved to the config file it manages itself (traditionally /var/net-snmp/snmpd.conf but /home/swuser/snmp/snmpd.conf on this device). However, if the passwords are instead written to the administrator-managed config file (traditionally /etc/snmp/snmpd.conf but /bsdata/snmpd.conf on this device), snmpd's policy forbids it from rewriting them and so they remain in the file as plaintext.

Airspan's web UI writes SNMPv3 passwords to the latter location, meaning they are not rewritten by snmpd and remain in plaintext. The web UI should be altered to either write the passwords to the recommended location or to derive the keys itself and store only those in snmpd.conf.
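The following Python is an added example, not code from Airspan or net-snmp. It derives the localized key with the RFC 3414 (A.2) algorithm and flags `createUser` lines in an administrator-managed snmpd.conf that still carry a passphrase. The function names and sample config are constructed, and it assumes net-snmp's `-m`/`-l` markers for pre-derived keys.

```python
import hashlib

# net-snmp auth keywords -> hashlib names (RFC 3414 covers MD5 and SHA-1)
HASHES = {"MD5": "md5", "SHA": "sha1"}

# Constructed sample of an administrator-managed snmpd.conf (no real credentials)
SAMPLE_CONF = """\
# constructed sample, not taken from a real device
rouser monitor
createUser monitor SHA examplepassphrase1 AES examplepassphrase2
createUser -e 0x8000000001020304 backup MD5 examplepassphrase3
createUser keyed SHA -l 0x6695febc9288e36282235fc7151f128497b38f3f
"""

def localized_key(passphrase: str, engine_id: bytes, auth: str = "SHA") -> bytes:
    """RFC 3414 A.2: passphrase -> master key Ku -> engine-localized key Kul."""
    algo = HASHES[auth]
    pw = passphrase.encode()
    if len(pw) < 8:
        raise ValueError("USM passphrases must be at least 8 characters")
    # Ku: hash of the passphrase repeated to exactly 1,048,576 bytes
    reps = 1048576 // len(pw) + 1
    ku = hashlib.new(algo, (pw * reps)[:1048576]).digest()
    # Kul: bind Ku to one agent's engine ID so a stolen key is useless elsewhere
    return hashlib.new(algo, ku + engine_id + ku).digest()

def plaintext_users(conf_text: str) -> list[tuple[int, str]]:
    """Return (line number, user) for createUser lines that carry a passphrase."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        tok = line.split()
        if not tok or tok[0].lower() != "createuser":
            continue  # comments and other directives
        if len(tok) > 2 and tok[1] == "-e":  # optional "-e ENGINEID" prefix
            tok = tok[:1] + tok[3:]
        # createUser NAME AUTHTYPE PASSPHRASE: the passphrase is readable on disk.
        # Assumption: "-m" / "-l" mark a master or localized key instead.
        if len(tok) >= 4 and tok[3] not in ("-m", "-l"):
            hits.append((n, tok[1]))
    return hits

if __name__ == "__main__":
    for lineno, user in plaintext_users(SAMPLE_CONF):
        print(f"line {lineno}: user {user!r} has a plaintext passphrase")
    engine = bytes.fromhex("000000000000000000000002")  # RFC 3414 test engine ID
    print(localized_key("maplesyrup", engine, "SHA").hex())
```

The localized key depends on the agent's engine ID, so it has to be computed per device.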

All SNMP strings show in plaintext

Additionally, regardless of which SNMP version is selected, the web UI displays the current credentials. Although anyone with access to the web UI can change the credentials anyway, forcing them to do so in order to gain SNMP access makes detection of compromise easier and prevents the attacker from pivoting to other devices that reuse the same credentials.

Fix

Airspan released version 15.18.00.2511 in early June, which we verified fixes this issue.

Timeline

Reported: March 17, 2022
Fix: June 2, 2022
Published: July 20, 2022

Severity

Low

CVE ID

CVE-2022-36308
