StringBleed is a critical flaw in the implementation of the Simple Network Management Protocol (SNMP) on a number of devices. It leads to an access-control bypass, which in some cases may involve an ISP customization. The authentication bypass affects several IoT devices and can be exploited by attackers who send arbitrary values in specific requests. The vulnerability is tracked as CVE-2017-5135.
SNMP has gone through several versions. The protocol supports three ways of authenticating a client to a remote SNMP device, corresponding to SNMPv1, SNMPv2, and SNMPv3. Two of these (SNMPv1 and SNMPv2) are affected by this authentication bypass. Both rely on a very simplistic authentication procedure: the SNMP client (application) sends a human-readable string value (usually "public" or "private") inside an SNMP request to the device's SNMP daemon. The device reads this string, called the "community string," from the request and replies to the client either with data or by carrying out an action. SNMP version 3 adds the option of a user name, a password and authentication methods. The StringBleed issue lies in the way the SNMP agent running on various IoT devices handles the community string used by SNMP versions 1 and 2.
The Impact of StringBleed:
The StringBleed vulnerability allows remote attackers to bypass authentication, and could also allow them to execute code remotely on the vulnerable SNMP device and obtain full read/write permission using any string or integer value. This may result in MIB (Management Information Base) files being overwritten. It also allows attackers to retrieve passwords and other sensitive information from the vulnerable device without having to guess the community string.
An example of the exploit is given below (https://www.reddit.com/r/netsec/comments/67qt6u/cve_20175135_snmp_authentication_bypass):
The following devices found on Shodan are affected by this vulnerability:
Here the string "sa90saioaKLJSA" is successfully authenticated by the SNMP agent, and the same happens with any other string or integer value.
Around 78 cable modem/router models were found to be affected by this flaw. The table here lists the affected modem models.
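To make the community-string handling described above concrete from the monitoring side, here is an added example that is not part of the original write-up: it parses the SNMPv1/v2c message header (version, community string, PDU type) from a captured UDP/161 payload and flags requests whose community string is not on a site allowlist, plus any SetRequest. The allowlist values and the three sample packets (one carrying the arbitrary string "sa90saioaKLJSA" quoted above) are constructed for the example and are not from the page.

```python
# Minimal SNMPv1/v2c header parser plus a community-string audit (added example).

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos] and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form definite length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    """Return version, community and PDU type of an SNMPv1/v2c message."""
    tag, body, _ = _read_tlv(packet, 0)             # outer SEQUENCE
    ver_tag, ver, pos = _read_tlv(body, 0)          # INTEGER: 0 = v1, 1 = v2c
    com_tag, community, pos = _read_tlv(body, pos)  # OCTET STRING community
    pdu_tag, _, _ = _read_tlv(body, pos)            # context-specific PDU tag
    if tag != 0x30 or ver_tag != 0x02 or com_tag != 0x04:
        raise ValueError("not an SNMPv1/v2c message header")
    return {"version": int.from_bytes(ver, "big"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def audit(packet, allowed):
    """Flag community strings outside the allowlist and any write attempt."""
    hdr = parse_snmp_header(packet)
    findings = []
    if hdr["version"] in (0, 1) and hdr["community"] not in allowed:
        findings.append("unknown community %r" % hdr["community"])
    if hdr["pdu"] == "SetRequest":
        findings.append("SetRequest (write attempt)")
    return hdr, findings

# Constructed samples (hex): a v1 GetRequest for sysDescr.0 with community
# "public", the same request with the arbitrary string from the write-up,
# and a v2c SetRequest with community "private".
SAMPLES = {
    "get_public":  "30260201000406" "7075626c6963" "a019020101020100020100300e300c06082b060102010101000500",
    "get_rogue":   "302e020100040e" "736139307361696f614b4c4a5341" "a019020101020100020100300e300c06082b060102010101000500",
    "set_private": "30270201010407" "70726976617465" "a319020101020100020100300e300c06082b060102010101000500",
}

def run_audit(allowed=("public", "private")):   # allowlist is an assumption
    return {name: audit(bytes.fromhex(hx), set(allowed))[1] for name, hx in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, "->", findings or "ok")
```

The same parser can be run over packets captured with tcpdump on UDP port 161 to spot agents that answer requests carrying unexpected community strings.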