The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Net-SNMP: denial of service via trap

Synthesis of the vulnerability 

An attacker can dereference a NULL pointer in snmptrapd of Net-SNMP, in order to trigger a denial of service.
Impacted systems: Net-SNMP, openSUSE, Solaris, RHEL, Ubuntu.
Severity of this alert: 2/4.
Creation date: 05/03/2014.
References of this alert: 1072044, BID-65968, CVE-2014-2285, MDVSA-2014:052, MDVSA-2015:092, openSUSE-SU-2014:0398-1, openSUSE-SU-2014:0399-1, RHSA-2014:0322-01, USN-2166-1, VIGILANCE-VUL-14363.

Description of the vulnerability 

The Net-SNMP product provides the snmptrapd daemon to manage SNMP TRAP messages.

The "Community String" is a string used for SNMP authentication. However, when the Community String is empty, the perl_trapd_handler() function does not check whether a pointer is NULL before using it.

An attacker can therefore dereference a NULL pointer in snmptrapd of Net-SNMP, in order to trigger a denial of service.
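The defect class described above, as an added illustration that is not Net-SNMP's own code: a snmptrapd-style handler hands the PDU community string to a string constructor which, like Perl's newSVpv(), treats a length of 0 as "measure the buffer with strlen()". The PDU layout, the make_string() helper and the assumption that an empty community arrives as a NULL pointer with length 0 are this example's own; the unchecked path shows the crash, the checked path shows the guard a fix needs.

```c
/* Added illustration of the defect class in the advisory; not Net-SNMP's code. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified trap PDU: only the fields the example needs. */
struct trap_pdu {
    const char *community;    /* assumed NULL when the incoming community is empty */
    size_t community_len;
};

/* Stand-in for a newSVpv()-like constructor: len == 0 means "use strlen(s)". */
static char *make_string(const char *s, size_t len)
{
    if (len == 0)
        len = strlen(s);          /* dereferences s; fatal when s is NULL */
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/* Vulnerable pattern: passes the community pointer through without checking it.
 * With { NULL, 0 } this reaches strlen(NULL), the NULL dereference. */
char *community_unchecked(const struct trap_pdu *pdu)
{
    return make_string(pdu->community, pdu->community_len);
}

/* Hardened pattern: a NULL or empty community becomes an explicit empty string,
 * so make_string() never sees a NULL pointer or a misleading zero length. */
char *community_checked(const struct trap_pdu *pdu)
{
    if (pdu->community == NULL || pdu->community_len == 0) {
        char *out = malloc(1);
        if (out != NULL)
            out[0] = '\0';
        return out;
    }
    return make_string(pdu->community, pdu->community_len);
}

/* Handler entry point: 0 when the trap was processed, -1 on allocation failure. */
int handle_trap(const struct trap_pdu *pdu)
{
    char *community = community_checked(pdu);
    if (community == NULL)
        return -1;
    printf("trap received, community=\"%s\"\n", community);
    free(community);
    return 0;
}

int main(void)
{
    /* Constructed sample PDUs: a normal trap and one with an empty community. */
    struct trap_pdu normal = { "public", 6 };
    struct trap_pdu empty  = { NULL, 0 };

    handle_trap(&normal);
    handle_trap(&empty);   /* safe: the checked path never calls strlen(NULL) */
    /* community_unchecked(&empty) would reach strlen(NULL), as in the unpatched daemon. */
    return 0;
}
```

The guard belongs at the boundary where protocol data with a "possibly absent" field meets an API whose zero length has a special meaning; checking the pointer alone is not enough when a zero length would still trigger strlen() on the buffer.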
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This vulnerability announcement impacts software or systems such as Net-SNMP, openSUSE, Solaris, RHEL, Ubuntu.

Our Vigil@nce team determined that the severity of this cybersecurity threat is medium.

The trust level is "confirmed by the editor" (the vendor), and the attack origin is an intranet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit the vulnerability described in this bulletin.

Solutions for this threat 

Net-SNMP: patch for trap.
A patch is available in information sources.

Mandriva BS2: new net-snmp packages.
New packages are available:
  Mandriva BS2: net-snmp 5.7.2-14.1.mbs2

Mandriva BS: new net-snmp packages.
New packages are available:
  Mandriva BS1: net-snmp 5.7.2-1.1.mbs1

openSUSE: new net-snmp packages.
New packages are available:
  openSUSE 11.4: net-snmp 5.6.1-4.35.1
  openSUSE 12.3: net-snmp 5.7.2-3.8.1
  openSUSE 13.1: net-snmp 5.7.2-9.4.1

RHEL 5: new net-snmp packages.
New packages are available:
  RHEL 5: net-snmp 5.3.2.2-22.el5_10.1

Solaris: version 11.2.5.5.0.
The version 11.2.5.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1914034.1

Ubuntu: new libsnmp packages.
New packages are available:
  Ubuntu 13.10: libsnmp30 5.7.2~dfsg-8ubuntu1.1
  Ubuntu 12.10: libsnmp15 5.4.3~dfsg-2.5ubuntu1.1
  Ubuntu 12.04 LTS: libsnmp15 5.4.3~dfsg-2.4ubuntu1.2
  Ubuntu 10.04 LTS: libsnmp15 5.4.2.1~dfsg0ubuntu1-0ubuntu2.3

Computer vulnerabilities tracking service 

Vigil@nce provides network vulnerability analysis. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.