MIMIC Simulator and MIMIC Virtual Lab are not affected by the CERT Vulnerability issue (VU#878044)

The US-CERT (United States Computer Emergency Readiness Team) has published an SNMPv3 Authentication vulnerability in their Vulnerability Note VU#878044.

The vulnerability is described as follows:

"SNMP can be configured to utilize version 3, which is the current standard version of SNMP. SNMPv3 incorporates security features such as authentication and privacy control among other features. Authentication for SNMPv3 is done using keyed-Hash Message Authentication Code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte."

More details can be found at the US-CERT site.

All SNMP simulation products from Gambit Communications, namely MIMIC Simulator and MIMIC Virtual Lab, DO NOT have the above mentioned authentication vulnerability, because the products check for the correct length of the HMAC code. A request with a shortened HMAC code in the authenticator field is dropped, a REPORT PDU is returned, and an appropriate error is added to the log. This vulnerability issue (VU#878044) is not present in any of our SNMP simulation products. No specific action needs to be taken by the users of MIMIC products, with regard to this vulnerability issue.

Please feel free to contact Gambit Technical Support for any clarification.