Skip to content

fix: Verify authentication independent of packet msg flags #496

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 15, 2025
Merged

fix: Verify authentication independent of packet msg flags #496

merged 4 commits into from
Apr 15, 2025

Conversation

srebhan
Copy link
Contributor

@srebhan srebhan commented Mar 18, 2025
edited
Loading

In the current state, a TrapListener configured with authentication (e.g. AuthNoPriv) will accept all incoming packets sent without authentication enabled e.g. via

snmptrap -v 3 -l noAuthNoPriv -u my_user localhost:12399 1 coldStart.0

This is due to the fact that the isAuthentic function will only iterate over the authentication parameters sent by the client, which is empty for NoAuthNoPriv, and therefore completely ignores the authentication settings for the TrapListener and potentially for other uses of the USM implementation. Furthermore, the username is not validated in case we do not use a TrapSecurityParametersTable.

The current behavior therefore is a security issue as a client can simply bypass security of the server by sending unauthenticated messages!

This PR ensures that we always respect the server security settings by fully matching the message signature against the expected digest. The PR here uses cryptographically safe functions with constant time to avoid side-channel attacks.
Additionally, the username is always validated.

Last but not least, exclude discovery messages from authentication handling as they MUST be unauthenticated. Handle this special case.

@srebhan srebhan mentioned this pull request Mar 18, 2025
Closed
@srebhan srebhan force-pushed the fix_authentication branch 5 times, most recently from abc392d to 3f3d29e Compare March 19, 2025 10:30
srebhan added 3 commits March 19, 2025 11:33
@srebhan
fix: Verify authentication independent of packet msg flags
0b1003d 
Signed-off-by: Sven Rebhan <srebhan@influxdata.com>
@srebhan
Disable trap-test TestSendV3EngineIdDiscovery for now.
0eb13da 
Signed-off-by: Sven Rebhan <srebhan@influxdata.com>
@srebhan
Validate username for authentication
5e991d8 
Signed-off-by: Sven Rebhan <srebhan@influxdata.com>
@srebhan srebhan force-pushed the fix_authentication branch from 3f3d29e to 5e991d8 Compare March 19, 2025 10:34
@srebhan
Copy link
Contributor Author

srebhan commented Mar 24, 2025

@SuperQ is there a chance to get a review on this security related PR?

@srebhan
Copy link
Contributor Author

srebhan commented Apr 15, 2025

Fixed the remaining test so this should be good to review... Anyone?

@srebhan
Fix discovery message handling
af8fad0 
Signed-off-by: Sven Rebhan <srebhan@influxdata.com>
@srebhan srebhan force-pushed the fix_authentication branch from 1a6b107 to af8fad0 Compare April 15, 2025 16:48
@soniah soniah merged commit fb8d45f into gosnmp:master Apr 15, 2025
12 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@soniah soniah soniah approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@srebhan @soniah