Insecure SNMP version used
Description
The code creates SNMPv1 or SNMPv2c sessions (in pysnmp, a CommunityData credential with mpModel=0 for v1 or mpModel=1 for v2c). Both versions authenticate with a shared community string that travels in cleartext, and neither encrypts the PDU: anyone who can observe the traffic learns the community string and every polled value (device configuration, interface tables, routing state), and can replay the string to query the agent or, with a read-write community, reconfigure it. Use SNMPv3 instead (pysnmp's UsmUserData), whose User-based Security Model provides per-user message authentication and encryption.
Examples
Insecure Code
```python
# Community-based SNMP: the community string is the only credential and is
# sent in cleartext, as is every request and response.
pysnmp.hlapi.CommunityData(..., mpModel=0, ...)   # mpModel=0 selects SNMPv1
pysnmp.hlapi.CommunityData(..., mpModel=1, ...)   # mpModel=1 selects SNMPv2c (also pysnmp's default)
```
Secure Code
```python
from pysnmp.hlapi import *

# SNMPv3 USM user with authentication (HMAC-SHA) and privacy (AES-128 CFB),
# i.e. the authPriv security level: every PDU is authenticated and encrypted.
iterator = getCmd(
    SnmpEngine(),
    UsmUserData('usr-sha-aes', 'authkey1', 'privkey1',
                authProtocol=USM_AUTH_HMAC96_SHA,
                privProtocol=USM_PRIV_CFB128_AES),
    UdpTransportTarget(('demo.snmplabs.com', 161)),
    ContextData(),
    ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))
)
# In the synchronous hlapi getCmd is a lazy generator: nothing is sent until it is advanced.
errorIndication, errorStatus, errorIndex, varBinds = next(iterator)
if errorIndication or errorStatus:
    print('SNMP error:', errorIndication or errorStatus.prettyPrint())
else:
    for varBind in varBinds:
        print(' = '.join(x.prettyPrint() for x in varBind))
```
Remediation
Use SNMPv3 with the User-based Security Model (pysnmp's UsmUserData) at the authPriv security level, so that every message is both authenticated and encrypted. Prefer an HMAC-SHA-2 authentication protocol (RFC 7860) with AES privacy; HMAC-MD5 and DES are obsolete and should not be enabled. The SHA-AES pairing in the example above is HMAC-SHA-1-96 with AES-128, which is acceptable where the agent does not yet support SHA-2. Note that authNoPriv still sends the payload in cleartext and noAuthNoPriv offers no protection at all, so neither gives the confidentiality this rule is about. Keep the authentication and privacy keys out of source code (the 'authkey1'/'privkey1' values above are the public demo credentials, not a pattern to copy) and use distinct credentials per device or management domain.
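To find the insecure pattern in a code base without running the SAST tool, the following added example (not this page's rule implementation, and not pysnmp code) walks a Python module's AST and reports every pysnmp CommunityData(...) call, resolving the SNMP version from the mpModel argument, whether passed by keyword or as the third positional argument, and falling back to pysnmp's default of SNMPv2c when it is omitted. It goes slightly beyond the page's two patterns by also flagging calls that leave mpModel out. The Finding class, the function names and the SAMPLE_SOURCE module are the example's own constructions.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

# pysnmp's CommunityData(communityIndex, communityName=None, mpModel=1, ...)
# is always community-based SNMP; mpModel only picks v1 (0) or v2c (1).
MP_MODEL_VERSIONS = {0: "SNMPv1", 1: "SNMPv2c"}
DEFAULT_MP_MODEL = 1      # pysnmp's default when mpModel is omitted
MP_MODEL_POSITION = 2     # index of mpModel among positional arguments


@dataclass
class Finding:
    line: int
    version: str
    reason: str


def _is_community_data_call(call: ast.Call) -> bool:
    """Match CommunityData(...) whether imported by name or reached as a module attribute."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id == "CommunityData"
    if isinstance(func, ast.Attribute):
        return func.attr == "CommunityData"
    return False


def _int_literal(node: ast.AST) -> Optional[int]:
    """Integer literal value of an AST node, or None (bool is excluded on purpose)."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    return None


def _mp_model(call: ast.Call) -> Optional[int]:
    """Return the literal mpModel, pysnmp's default if omitted, or None if it is not a literal."""
    for kw in call.keywords:
        if kw.arg == "mpModel":
            return _int_literal(kw.value)
    if len(call.args) > MP_MODEL_POSITION:
        return _int_literal(call.args[MP_MODEL_POSITION])
    return DEFAULT_MP_MODEL


def find_insecure_snmp(source: str) -> List[Finding]:
    """Report every CommunityData(...) call in `source`, tagged with the SNMP version it selects."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_community_data_call(node)):
            continue
        mp_model = _mp_model(node)
        if mp_model is None:
            version = "SNMPv1/v2c (mpModel not a literal)"
        else:
            version = MP_MODEL_VERSIONS.get(mp_model, f"community-based (mpModel={mp_model})")
        findings.append(Finding(node.lineno, version,
                                "community string and payload are sent in cleartext; use UsmUserData (SNMPv3)"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module for the demo (not real project code).
SAMPLE_SOURCE = '''
from pysnmp.hlapi import *
from pysnmp import hlapi

v1 = CommunityData('public', mpModel=0)
v2c = hlapi.CommunityData('public', mpModel=1)
v2c_default = CommunityData('public')
v3 = UsmUserData('usr-sha-aes', 'authkey1', 'privkey1')
'''

if __name__ == "__main__":
    for finding in find_insecure_snmp(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.version}: {finding.reason}")
```

Run against the sample it reports lines 5, 6 and 7 (SNMPv1, SNMPv2c and the implicit SNMPv2c default) and stays silent on the UsmUserData line. A non-literal mpModel is reported for manual review rather than silently skipped, since the call is community-based either way.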
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0160 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-319 (Cleartext Transmission of Sensitive Information) |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | SNMP, insecure protocol |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |