The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of NetSNMP

computer vulnerability alert CVE-2015-5621

Net-SNMP: memory leak via snmp_pdu_parse

Synthesis of the vulnerability

An attacker can create a memory leak in snmp_pdu_parse() of Net-SNMP, in order to trigger a denial of service.
Impacted products: Arkoon FAST360, XenServer, Debian, BIG-IP Hardware, TMOS, Net-SNMP, openSUSE, Solaris, RHEL, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 13/04/2015.
Identifiers: bulletinoct2016, CERTFR-2016-AVI-133, CTX209443, CVE-2015-5621, DSA-4154-1, MDVSA-2015:229, openSUSE-SU-2015:1502-1, RHSA-2015:1636-01, SOL17378, STORM-2015-09-EN, STORM-2015-10-EN, STORM-2015-11-EN.2, STORM-2015-12-EN, USN-2711-1, VIGILANCE-VUL-16576.

Description of the vulnerability

The Net-SNMP product uses the snmp_pdu_parse() function to parse the data of SNMP packets.

However, after an error, the memory allocated to process an option in snmp_parse_var_op() is never freed.

An attacker can therefore create a memory leak in snmp_pdu_parse() of Net-SNMP, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2014-3565

Net-SNMP: denial of service via snmptrapd

Synthesis of the vulnerability

An attacker can send a malicious SNMP TRAP packet to a Net-SNMP snmptrapd running with the "-OQ" option, in order to trigger a denial of service.
Impacted products: BIG-IP Hardware, TMOS, Fedora, Net-SNMP, openSUSE, Solaris, RHEL, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 01/09/2014.
Identifiers: CVE-2014-3565, FEDORA-2014-10095, FEDORA-2014-10099, MDVSA-2014:184, MDVSA-2015:092, openSUSE-SU-2014:1108-1, RHSA-2015:1385-01, RHSA-2015:2345-01, SOL17315, USN-2711-1, VIGILANCE-VUL-15248.

Description of the vulnerability

The Net-SNMP snmptrapd daemon supports the "-OQ" option, which suppresses the display of the type (Timeticks, Integer, etc.).

However, in this case, the display functions interpret data from the packet (for example NULL) using the type declared in the MIB (for example Integer), which stops the daemon.

An attacker can therefore send a malicious SNMP TRAP packet to a Net-SNMP snmptrapd running with the "-OQ" option, in order to trigger a denial of service.

vulnerability alert CVE-2014-2310

Net-SNMP: denial of service via AgentX

Synthesis of the vulnerability

An attacker can send a special SNMP GET query to Net-SNMP, in order to trigger a denial of service in AgentX.
Impacted products: Net-SNMP, Solaris, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 06/03/2014.
Identifiers: 684388, BID-66005, CVE-2014-2310, USN-2166-1, VIGILANCE-VUL-14371.

Description of the vulnerability

RFC 2741 defines the AgentX protocol, which is used to add SNMP agents.

However, if a GET query requests several OIDs of different sizes, the AgentX process detects an error and stops.

An attacker can therefore send a special SNMP GET query to Net-SNMP, in order to trigger a denial of service in AgentX.

vulnerability bulletin CVE-2014-2285

Net-SNMP: denial of service via trap

Synthesis of the vulnerability

An attacker can dereference a NULL pointer in snmptrapd of Net-SNMP, in order to trigger a denial of service.
Impacted products: Net-SNMP, openSUSE, Solaris, RHEL, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 05/03/2014.
Identifiers: 1072044, BID-65968, CVE-2014-2285, MDVSA-2014:052, MDVSA-2015:092, openSUSE-SU-2014:0398-1, openSUSE-SU-2014:0399-1, RHSA-2014:0322-01, USN-2166-1, VIGILANCE-VUL-14363.

Description of the vulnerability

The Net-SNMP product provides the snmptrapd daemon to manage SNMP TRAP messages.

The "Community String" is a string used for SNMP authentication. However, if the Community String is empty, the perl_trapd_handler() function does not check whether a pointer is NULL before using it.

An attacker can therefore dereference a NULL pointer in snmptrapd of Net-SNMP, in order to trigger a denial of service.

vulnerability CVE-2014-2284

Net-SNMP: denial of service via ICMP-MIB

Synthesis of the vulnerability

An attacker can send an ICMP packet with a large type, to a system monitored by the ICMP-MIB of Net-SNMP, in order to trigger a denial of service.
Impacted products: Fedora, Net-SNMP, openSUSE, RHEL, Ubuntu.
Severity: 3/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 26/02/2014.
Identifiers: BID-65867, CVE-2014-2284, FEDORA-2014-3423, FEDORA-2014-3427, MDVSA-2015:092, openSUSE-SU-2014:0398-1, openSUSE-SU-2014:0399-1, RHSA-2014:0321-01, USN-2166-1, VIGILANCE-VUL-14310.

Description of the vulnerability

When Net-SNMP is installed on Linux, it uses the ICMP-MIB provided by the system, which exposes information related to the ICMP protocol.

The icmpMsgStatsTable table contains statistics about each ICMP message type. However, Net-SNMP manages only 11 (IPv4) or 14 (IPv6) types, whereas Linux provides information for 256 types.

An attacker can therefore send an ICMP packet with a large type, to a system monitored by the ICMP-MIB of Net-SNMP, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2012-6151

Net-SNMP: denial of service via AgentX

Synthesis of the vulnerability

An attacker can overload the AgentX daemon of Net-SNMP, to generate a timeout, in order to trigger a denial of service.
Impacted products: BIG-IP Hardware, TMOS, Fedora, Net-SNMP, Solaris, RHEL, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 05/12/2013.
Identifiers: 2411, CVE-2012-6151, FEDORA-2013-22809, FEDORA-2013-22919, FEDORA-2013-22949, MDVSA-2014:017, MDVSA-2014:018, RHSA-2014:0322-01, SOL16476, USN-2166-1, VIGILANCE-VUL-13878.

Description of the vulnerability

RFC 2741 defines the AgentX protocol, which is used to add SNMP agents.

However, when a timeout occurs, the AgentX component of Net-SNMP can access data that is no longer in memory.

An attacker can therefore overload the AgentX daemon of Net-SNMP, to generate a timeout, in order to trigger a denial of service.

vulnerability CVE-2012-2141

Net-SNMP: denial of service via extend

Synthesis of the vulnerability

When Net-SNMP is configured with extends, an attacker can use an invalid OID, in order to stop the service.
Impacted products: BIG-IP Hardware, TMOS, Fedora, Mandriva Linux, Net-SNMP, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 26/04/2012.
Identifiers: 815813, BID-53255, BID-53258, CERTFR-2014-AVI-502, CVE-2012-2141, FEDORA-2012-16659, FEDORA-2012-16662, MDVSA-2012:099, MDVSA-2013:049, openSUSE-SU-2012:0659-1, RHSA-2012:0876-04, RHSA-2013:0124-01, SOL15883, SUSE-SU-2012:0887-1, SUSE-SU-2012:0888-1, VIGILANCE-VUL-11570.

Description of the vulnerability

The "extend" feature of Net-SNMP is used to associate a program with an OID (Object IDentifier) tree. When a client queries this tree, Net-SNMP executes the program, and returns the value associated with the requested index:
 - .1 : the first line displayed by the program
 - .2 : the second line displayed by the program
 - etc.

However, if an attacker requests the index zero (or an index that is too large), the handle_nsExtendOutput2Table() function of Net-SNMP reads at an invalid memory address and stops.

When Net-SNMP is configured with extends, an attacker can therefore use an invalid OID, in order to stop the service.
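
The index validation whose absence is described above can be sketched in C as follows. This is an added example, not Net-SNMP's code and not part of the bulletin; extend_line() and the sample program output are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Net-SNMP code): return a pointer to output line
 * `index` of a program's captured output, 1-based as in the ".1" / ".2"
 * sub-identifiers, and store the line length in *len.
 * Returns NULL for index 0 or for an index past the last line, so the
 * caller can answer "no such instance" instead of reading out of bounds. */
const char *extend_line(const char *out, size_t out_len,
                        size_t index, size_t *len)
{
    size_t line = 1, start = 0, i;

    if (out == NULL || len == NULL || index == 0)  /* index 0 is never valid */
        return NULL;

    for (i = 0; i <= out_len; i++) {
        /* A line ends at '\n' or at the end of the buffer. */
        if (i == out_len || out[i] == '\n') {
            if (i == out_len && start == out_len)
                break;              /* nothing after the final '\n' */
            if (line == index) {
                *len = i - start;
                return out + start;
            }
            line++;
            start = i + 1;
        }
    }
    return NULL;                    /* index larger than the line count */
}

int main(void)
{
    /* Constructed sample: three lines printed by an extend program. */
    const char *out = "up\n42\nlast";
    size_t idx, len;

    for (idx = 0; idx <= 4; idx++) {
        const char *p = extend_line(out, strlen(out), idx, &len);
        if (p != NULL)
            printf(".%zu = %.*s\n", idx, (int)len, p);
        else
            printf(".%zu = (no such instance)\n", idx);
    }
    return 0;
}
```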

vulnerability note 9664

Net-SNMP: memory leaks

Synthesis of the vulnerability

An attacker can use several memory leaks of Net-SNMP, in order to generate a denial of service.
Impacted products: Net-SNMP.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 10.
Creation date: 24/05/2010.
Identifiers: 2260828, 2779541, 2797251, 2822337, 2822355, 2822360, 2871747, 2883155, VIGILANCE-VUL-9664.

Description of the vulnerability

Several memory leaks were announced in Net-SNMP.

The snmplib library is impacted by several memory leaks. [severity:2/4; 2797251]

A memory leak occurs in the OID (Object ID) handling of snmplib. [severity:2/4; 2871747]

A memory leak occurs in snmpd, when the OID table is constructed. [severity:2/4; 2822360]

A memory leak occurs in snmpd, when ipAddressPrefixTable is managed. [severity:2/4; 2822337]

A memory leak occurs in snmpd, when handling a proxy. [severity:2/4; 2883155]

A memory leak occurs in snmpd, when several interfaces have the same IPv6 address. [severity:2/4]

A memory leak occurs in the Python interface of snmpwalk. [severity:2/4; 2260828]

On Linux, a memory leak occurs in udpEndpointTable. [severity:2/4; 2822355]

On Windows, a handle leak occurs in pass_persist. [severity:2/4; 2779541]

On Windows, a memory leak occurs in winExtDLL/SnmpExtensionQuery. [severity:2/4]

An attacker can therefore use several memory leaks of Net-SNMP, in order to generate a denial of service.

computer vulnerability note CVE-2008-6123

Net-SNMP: bypassing tcpwrappers

Synthesis of the vulnerability

When access restrictions to Net-SNMP are managed by tcpwrappers, rules are incorrectly defined.
Impacted products: Fedora, Mandriva Linux, Net-SNMP, NLD, OES, openSUSE, RHEL, SLES.
Severity: 2/4.
Consequences: data reading, data flow.
Provenance: intranet client.
Creation date: 12/02/2009.
Identifiers: 250429, 485211, BID-33755, CVE-2008-6123, FEDORA-2009-1769, MDVSA-2009:056, RHSA-2009:0295-01, SUSE-SR:2009:011, SUSE-SR:2009:012, SUSE-SR:2010:003, VIGILANCE-VUL-8469.

Description of the vulnerability

The tcpwrappers environment uses /etc/hosts.allow and /etc/hosts.deny files to define IP addresses of computers allowed to connect to a service. The service then uses functions of the libwrap library, such as hosts_ctl() which checks if a session is allowed.

The netsnmp_udp_fmtaddr() function of net-snmp/snmplib/snmpUDPDomain.c generates a string which represents the current connection. This function is used for logging, and also in hosts_ctl().

However, netsnmp_udp_fmtaddr() reverses source and destination IP addresses. The rule used for hosts_ctl() is thus also reversed. For example, if an IP address is blocked, it is in fact blocked as a destination address, which does not forbid the connection from this IP address.

When access restrictions to Net-SNMP are managed by tcpwrappers, rules are therefore incorrectly defined.

computer vulnerability bulletin CVE-2008-2292

Net-SNMP: buffer overflow via snmp_get

Synthesis of the vulnerability

A malicious SNMP agent can execute code in the Net-SNMP Perl module.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, Net-SNMP, OpenSolaris, Solaris, RHEL, Slackware, ESX, ESXi.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 14/05/2008.
Revision date: 13/11/2008.
Identifiers: 239785, 6707092, BID-29212, CVE-2008-2292, DSA-1663-1, FEDORA-2008-5215, FEDORA-2008-5218, FEDORA-2008-5224, MDVSA-2008:118, RHSA-2008:0529-01, SSA:2008-210-07, VIGILANCE-VUL-7828, VMSA-2008-0013.1, VMSA-2008-0013.2, VMSA-2008-0013.3.

Description of the vulnerability

The perl/SNMP sub-directory of Net-SNMP contains a module used by Perl programs to interface with the Net-SNMP library.

However, this module copies SNMP GET replies into a 2048- or 4096-byte array, without checking their sizes.

A malicious SNMP agent can therefore return longer data in order to create an overflow leading to code execution on the computer where Net-SNMP is installed.