Debian Bug report logs -
#1016139
net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805
Reported by: Moritz Mühlenhoff <jmm@inutil.org>
Date: Wed, 27 Jul 2022 20:57:04 UTC
Severity: grave
Tags: security
Fixed in version 5.9.3+dfsg-1
Done: Craig Small <csmall@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian SNMP Team <team+snmp@tracker.debian.org>
:
Bug#1016139
; Package src:net-snmp
.
(Wed, 27 Jul 2022 20:57:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian SNMP Team <team+snmp@tracker.debian.org>
.
(Wed, 27 Jul 2022 20:57:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: net-snmp
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for net-snmp.
5.9.3 fixes the following issues:
- These two CVEs can be exploited by a user with read-only credentials:
- CVE-2022-24805 A buffer overflow in the handling of the INDEX of
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
- CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
- CVE-2022-24806 Improper Input Validation when SETing malformed
OIDs in master agent and subagent simultaneously
- CVE-2022-24807 A malformed OID in a SET request to
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
out-of-bounds memory access.
- CVE-2022-24808 A malformed OID in a SET request to
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
- CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
If you must use SNMPv1 or SNMPv2c, use a complex community string
and enhance the protection by restricting access to a given IP address range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
reporting the following CVEs that have been fixed in this release, and
to Arista Networks for providing fixes.
Please adjust the affected versions in the BTS as needed.
Reply sent
to Craig Small <csmall@debian.org>
:
You have taken responsibility.
(Thu, 28 Jul 2022 11:09:03 GMT) (full text, mbox, link).
Notification sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
Bug acknowledged by developer.
(Thu, 28 Jul 2022 11:09:03 GMT) (full text, mbox, link).
Message #10 received at 1016139-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: net-snmp
Version: 5.9.3+dfsg-1
I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
changelog.
I'm trying to find where they've made the changes to see if it is possible
to get at least bullseye fixed.
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian SNMP Team <team+snmp@tracker.debian.org>
:
Bug#1016139
; Package src:net-snmp
.
(Thu, 28 Jul 2022 11:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Craig Small <csmall@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian SNMP Team <team+snmp@tracker.debian.org>
.
(Thu, 28 Jul 2022 11:39:03 GMT) (full text, mbox, link).
Message #15 received at 1016139@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
I said:
> I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
> changelog.
> I'm trying to find where they've made the changes to see if it is possible
> to get at least bullseye fixed.
>
I've had a look and believe these two commits are the fixes:
snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB,
SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937
snmpd: recover SET status from delegated request
https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341
Both sets of commits look pretty clear and simple to implement. I've asked
upstream to confirm these are the only two patches.
- Craig
[Message part 2 (text/html, inline)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Jul 28 13:17:17 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.