The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Net-SNMP: memory leak via snmp_pdu_parse

Synthesis of the vulnerability 

An attacker can create a memory leak in snmp_pdu_parse() of Net-SNMP, in order to trigger a denial of service.
Impacted software: Arkoon FAST360, XenServer, Debian, BIG-IP Hardware, TMOS, Juniper SBR, Net-SNMP, openSUSE, Solaris, RHEL, SIMATIC, Ubuntu.
Severity of this computer vulnerability: 2/4.
Creation date: 13/04/2015.
References of this bulletin: bulletinoct2016, CERTFR-2016-AVI-133, CTX209443, CVE-2015-5621, DSA-4154-1, JSA10991, MDVSA-2015:229, openSUSE-SU-2015:1502-1, RHSA-2015:1636-01, SOL17378, SSA-978220, STORM-2015-09-EN, STORM-2015-10-EN, STORM-2015-11-EN.2, STORM-2015-12-EN, USN-2711-1, VIGILANCE-VUL-16576.

Description of the vulnerability 

The Net-SNMP product uses the snmp_pdu_parse() function to analyze data of SNMP packets.

However, after an error, the memory allocated to process an option in snmp_parse_var_op() is never freed.

An attacker can therefore create a memory leak in snmp_pdu_parse() of Net-SNMP, in order to trigger a denial of service.
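The bug class described above (per-variable storage allocated while parsing a packet, then abandoned on a decode error) is easy to see in a small, self-contained parser. The following C program is an added illustration written for this bulletin; it is not Net-SNMP's code, and the wire format, the function names (parse_var, parse_pdu_leaky, parse_pdu_fixed) and the sample packets are constructed assumptions. A leaky variant is placed beside the corrected one, and an allocation counter lets the difference be observed without an external leak checker.

```c
/* Constructed illustration of a leak-on-error parsing bug. NOT Net-SNMP code:
 * the record format, names and packets below are assumptions for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Live-allocation counter so the leak is observable from a test. */
static long live_allocs = 0;

static void *track_malloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}
static void track_free(void *p) {
    if (p) { live_allocs--; free(p); }
}
long live_allocations(void) { return live_allocs; }

/* Constructed wire format: each variable is [len: 1 byte][len bytes of value].
 * A declared length that runs past the end of the packet is a decode error. */
typedef struct var {
    uint8_t *value;
    size_t len;
    struct var *next;
} var_t;

void free_vars(var_t *v) {
    while (v) {
        var_t *next = v->next;
        track_free(v->value);
        track_free(v);
        v = next;
    }
}

/* Decode one variable at *pos: 0 and *pos advanced on success, -1 on error.
 * Plays the role snmp_parse_var_op() plays in the bulletin's description. */
static int parse_var(const uint8_t *buf, size_t buflen, size_t *pos, var_t **out) {
    if (*pos >= buflen) return -1;
    size_t len = buf[*pos];
    if (*pos + 1 + len > buflen) return -1;      /* truncated value */
    var_t *v = track_malloc(sizeof *v);
    if (!v) return -1;
    v->value = track_malloc(len ? len : 1);
    if (!v->value) { track_free(v); return -1; }
    memcpy(v->value, buf + *pos + 1, len);
    v->len = len;
    v->next = NULL;
    *pos += 1 + len;
    *out = v;
    return 0;
}

/* Leaky variant: on a decode error the variables already built are abandoned. */
int parse_pdu_leaky(const uint8_t *buf, size_t buflen, var_t **head) {
    size_t pos = 0;
    var_t *first = NULL, **tail = &first;
    while (pos < buflen) {
        if (parse_var(buf, buflen, &pos, tail) != 0)
            return -1;                           /* BUG: 'first' is never freed */
        tail = &(*tail)->next;
    }
    *head = first;
    return 0;
}

/* Fixed variant: every error path releases the partially built list. */
int parse_pdu_fixed(const uint8_t *buf, size_t buflen, var_t **head) {
    size_t pos = 0;
    var_t *first = NULL, **tail = &first;
    *head = NULL;
    while (pos < buflen) {
        if (parse_var(buf, buflen, &pos, tail) != 0) {
            free_vars(first);                    /* release before failing */
            return -1;
        }
        tail = &(*tail)->next;
    }
    *head = first;
    return 0;
}

size_t count_vars(const var_t *v) {
    size_t n = 0;
    for (; v; v = v->next) n++;
    return n;
}

/* Constructed packets: 'malformed_pkt' has a valid 2-byte variable followed by
 * one declaring 5 bytes when only 1 remains; 'valid_pkt' holds three variables. */
static const uint8_t malformed_pkt[] = {0x02, 'a', 'b', 0x05, 'x'};
static const uint8_t valid_pkt[]     = {0x02, 'a', 'b', 0x01, 'c', 0x00};

/* Allocations still live after the given parser rejects the malformed packet. */
long leak_after_error(int (*parse)(const uint8_t *, size_t, var_t **)) {
    var_t *head = NULL;
    long before = live_allocs;
    if (parse(malformed_pkt, sizeof malformed_pkt, &head) == 0)
        free_vars(head);                         /* not reached for this packet */
    return live_allocs - before;
}

size_t vars_in_valid_packet(void) {
    var_t *head = NULL;
    size_t n = 0;
    if (parse_pdu_fixed(valid_pkt, sizeof valid_pkt, &head) == 0) {
        n = count_vars(head);
        free_vars(head);
    }
    return n;
}

int main(void) {
    printf("leaky parser: %ld allocation(s) live after a bad packet\n",
           leak_after_error(parse_pdu_leaky));
    printf("fixed parser: %ld allocation(s) live after a bad packet\n",
           leak_after_error(parse_pdu_fixed));
    printf("fixed parser decodes %zu variable(s) from a valid packet\n",
           vars_in_valid_packet());
    return 0;
}
```

Each rejected packet leaves the leaky parser holding one variable node and its value buffer (two allocations), which is the pattern that lets repeated malformed input exhaust memory; the fixed parser frees the partial list on every error path, so rejected input costs nothing once the call returns. When reviewing parsers of this shape, the check is that every early `return` after the first allocation is preceded by a release of everything allocated so far.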

This computer threat impacts software or systems such as Arkoon FAST360, XenServer, Debian, BIG-IP Hardware, TMOS, Juniper SBR, Net-SNMP, openSUSE, Solaris, RHEL, SIMATIC, Ubuntu.

Our Vigil@nce team determined that the severity of this computer vulnerability alert is medium.

The trust level is "confirmed by the vendor", and the attack origin is "intranet client".

An attacker with expert skills can exploit this weakness.

Solutions for this threat 

Net-SNMP: patch for snmp_pdu_parse.
A patch is available in information sources.

Arkoon Fast360: version 5.0/35.
The version 5.0/35 is fixed.

Arkoon Fast360: version 6.0/9.
The version 6.0/9 is fixed.

Citrix XenServer: patch.
A patch is available:
  Citrix XenServer 6.5 SP1: CTX209498 https://support.citrix.com/article/CTX209498
  Citrix XenServer 6.2 SP1: CTX209497 https://support.citrix.com/article/CTX209497
  Citrix XenServer 6.1: CTX209496 https://support.citrix.com/article/CTX209496
  Citrix XenServer 6.0.2: CTX209494 https://support.citrix.com/article/CTX209494
  Citrix XenServer 6.0.2 Common Criteria: CTX209495 https://support.citrix.com/article/CTX209495
  Citrix XenServer 6.0: CTX209493 https://support.citrix.com/article/CTX209493

Debian 8: new net-snmp packages (28/03/2018).
New packages are available:
  Debian 8: net-snmp 5.7.2.1+dfsg-1+deb8u1

F5 BIG-IP: fixed versions for Net-SNMP.
Fixed versions are indicated in information sources.

Juniper SBR Carrier: versions 8.4.1R19 and 8.5.0R1.
Versions 8.4.1R19 and 8.5.0R1 are fixed:
  https://support.juniper.net/support/

Mandriva: new net-snmp packages.
New packages are available:
  Mandriva BS1: net-snmp 5.7.2-1.3.mbs1
  Mandriva BS2: net-snmp 5.7.2-14.2.mbs2

openSUSE: new net-snmp packages.
New packages are available:
  openSUSE 13.1: net-snmp 5.7.2-9.11.1
  openSUSE 13.2: net-snmp 5.7.3-3.1

RHEL: new net-snmp packages.
New packages are available:
  RHEL 6: net-snmp 5.5-54.el6_7.1

Siemens SIMATIC: solution for Net-SNMP.
The solution is indicated in information sources.

Solaris: patch for third party software of October 2016 v2.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Ubuntu: new libsnmp packages.
New packages are available:
  Ubuntu 15.04: libsnmp30 5.7.2~dfsg-8.1ubuntu5.1
  Ubuntu 14.04 LTS: libsnmp30 5.7.2~dfsg-8.1ubuntu3.1
  Ubuntu 12.04 LTS: libsnmp15 5.4.3~dfsg-2.4ubuntu1.3

Computer vulnerability tracking service

Vigil@nce provides computer vulnerability announcements. The Vigil@nce vulnerability database contains several thousand vulnerabilities.