The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Net-SNMP: denial of service via AgentX

Synthesis of the vulnerability 

An attacker can send a special SNMP GET query to Net-SNMP, in order to trigger a denial of service in AgentX.
Vulnerable software: Juniper SBR, Net-SNMP, Solaris, Ubuntu.
Severity of this announcement: 2/4.
Creation date: 06/03/2014.
References of this computer vulnerability: 684388, BID-66005, CVE-2014-2310, JSA10991, USN-2166-1, VIGILANCE-VUL-14371.

Description of the vulnerability 

RFC 2741 defines the AgentX protocol, which is used to add SNMP agents.

However, if a GET query requests several OIDs with different sizes, the AgentX process detects an error and stops.

An attacker can therefore send a special SNMP GET query to Net-SNMP, in order to trigger a denial of service in AgentX.

This computer threat bulletin impacts software or systems such as Juniper SBR, Net-SNMP, Solaris, Ubuntu.

Our Vigil@nce team determined that the severity of this security threat is medium.

The trust level is "confirmed by the editor", with an origin of "intranet client".

An attacker with expert ability can exploit this computer vulnerability.

Solutions for this threat 

Net-SNMP: version 5.4.4.
Version 5.4.4 is fixed:
  http://www.net-snmp.org/

Net-SNMP: patch for AgentX.
A patch is available in the information sources.

Juniper SBR Carrier: versions 8.4.1R19 and 8.5.0R1.
Versions 8.4.1R19 and 8.5.0R1 are fixed:
  https://support.juniper.net/support/

Solaris 11: version 11.2.2.5.0.
Version 11.2.2.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1925904.1

Ubuntu: new libsnmp packages.
New packages are available:
  Ubuntu 13.10: libsnmp30 5.7.2~dfsg-8ubuntu1.1
  Ubuntu 12.10: libsnmp15 5.4.3~dfsg-2.5ubuntu1.1
  Ubuntu 12.04 LTS: libsnmp15 5.4.3~dfsg-2.4ubuntu1.2
  Ubuntu 10.04 LTS: libsnmp15 5.4.2.1~dfsg0ubuntu1-0ubuntu2.3