Wednesday, November 23, 2016

How to save in the configuration files of Huawi MA5600T Series

The device configuration file contains the SNMPv3 packet encryption key in plaintext, compromising the confidentiality of the management channel.
[Problem Description]
Trigger conditions:
This problem exists when the following conditions are met:
The device software version is within V800R006C02–V800R013C10 and no patch for resolving this problem is installed. (For mapping between the software versions and patch versions for resolving this problem, see the preventive measures.)
The device system has SNMPv3 users and the authentication-mode or privacy-mode parameters are configured for the SNMPv3 users.
Symptom:
An unauthorized user may be able to decrypt SNMPv3 packets exchanged between the network management system (NMS) and the device after obtaining the device configuration file. Based on the decrypted packets, the user can deduce the operations issued by the NMS and the NMS operation principles. In this case, the confidentiality of the management channel is compromised.
Identification method:
Check whether the software version of the device is within V008R006C02–V008R013C10.
If the software version is within V008R006C02–V008R013C10, go to step 2.
Check whether a patch for resolving this problem has been installed. For example, if the software version is V008R010, check whether patch SPH116 or later is installed. (For mapping between the software versions and patch versions for resolving this problem, see the preventive measures.)
If the patch for resolving this problem has not been installed, go to step 3.
Command for querying the device software and patch versions: display version


Run the following command to query the device configuration.
MA5600T/MA5683T(config)#display current-configuration section public-config  


If the command output contains snmp-agent usm-use-r v3 xxx authentication-mode xxx privacy-mode xxx, this problem may occur.
----End

[Root Cause]
When SNMPv3 is used for communication, information transmitted through SNMPv3 packets is encrypted. However, the encryption key is stored in the device configuration file in plaintext, which brings security risks.

[Impact and Risk]
If an unauthorized user obtains the key in the device configuration file and the SNMPv3 packets exchanged between the NMS and the device, the user can deduce the operations issued by the NMS and the responses of the device. In this case, the confidentiality of the management channel is compromised.

[Measures and Solutions]
Recovery measures:
Change the encryption keys in device configuration files.
Command for changing the encryption: snmp-agent usm-user v3 …


Workarounds:
Restrict the disclosure of device configuration files.
Change the encryption keys periodically.
Preventive measures:
Install a patch for resolving the problem. After patch installation, the encryption keys in device configuration files are saved in cipertext.
The following lists the mapping between the software versions and patch versions for resolving this problem:
V008R008: HP3032 and later
V008R010: SPH116 and later
V008R011: SPH110 and later
V008R012: SPC107 and later
V008R013C00: SPH105 and later
V008R013C10: SPC205 and later

[Precaution Expiration]
This precaution expires when one of the trigger conditions is not met.

[Attachment]
N/A

MORE BLOG:

When Prewarning on Service Unavailability of H806GPBH & H806GPBD Boards of MA5600T

No comments:

Post a Comment