net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805

Debian Bug report logs - #1016139


Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 27 Jul 2022 20:57:04 UTC

Severity: grave

Tags: security

Fixed in version 5.9.3+dfsg-1

Done: Craig Small <csmall@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian SNMP Team <team+snmp@tracker.debian.org>:
Bug#1016139; Package src:net-snmp. (Wed, 27 Jul 2022 20:57:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian SNMP Team <team+snmp@tracker.debian.org>. (Wed, 27 Jul 2022 20:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805
Date: Wed, 27 Jul 2022 22:55:55 +0200
Source: net-snmp
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for net-snmp.

5.9.3 fixes the following issues:

- These two CVEs can be exploited by a user with read-only credentials:
    - CVE-2022-24805 A buffer overflow in the handling of the INDEX of
      NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
    - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
      can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
    - CVE-2022-24806 Improper Input Validation when SETing malformed
      OIDs in master agent and subagent simultaneously
    - CVE-2022-24807 A malformed OID in a SET request to
      SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
      out-of-bounds memory access.
    - CVE-2022-24808 A malformed OID in a SET request to
      NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
    - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
      can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
  If you must use SNMPv1 or SNMPv2c, use a complex community string
  and enhance the protection by restricting access to a given IP address range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
  reporting the following CVEs that have been fixed in this release, and
  to Arista Networks for providing fixes.

Please adjust the affected versions in the BTS as needed.
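
Added example, not part of the bug report or of net-snmp: a small Python audit of snmpd.conf access directives against the mitigation advice quoted above (restricted sources, non-default community strings, authenticated SNMPv3 users) and against the read-write split in the CVE list. The sample configuration and the finding names are constructed for illustration.

```python
# Added example: flag snmpd.conf access lines that widen exposure to the CVEs above.
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
USER = {"rouser", "rwuser"}
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
rocommunity public
rwcommunity Zq7-vN2-kLp4-Tx9 10.0.0.0/24
rocommunity Hm3-Rt8-wQz1-Bc6 192.0.2.10
rouser monitor priv
rwuser admin auth
rouser -s usm legacy noauth
"""

def audit_snmpd_conf(text):
    """Return (line_no, finding) pairs, in file order, for risky access directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment line
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]
        if directive not in COMMUNITY | USER:
            continue
        if directive.startswith("rw"):
            # Write access is what the four SET-based CVEs in the list require.
            findings.append((no, "WRITE_ACCESS"))
        if directive in COMMUNITY:
            # Syntax: rocommunity COMMUNITY [SOURCE ...]; no SOURCE means any host.
            name = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((no, "DEFAULT_COMMUNITY"))
            if source == "default" or source.endswith("/0"):
                findings.append((no, "UNRESTRICTED_SOURCE"))
        else:
            # Syntax: rouser [-s SECMODEL] USER [noauth|auth|priv ...]
            if args[:1] == ["-s"]:
                args = args[2:]
            level = args[1] if len(args) > 1 else "auth"
            if level == "noauth":
                findings.append((no, "NOAUTH_USER"))
    return findings

if __name__ == "__main__":
    for no, finding in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: {finding}")
```

A clean result does not remove the two CVEs listed as reachable with read-only credentials; those are addressed by the fixed package version.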



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Thu, 28 Jul 2022 11:09:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 28 Jul 2022 11:09:03 GMT)


Message #10 received at 1016139-done@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 1016139-done@bugs.debian.org
Subject: Fixed in net-snmp 5.9.3+dfsg-1
Date: Thu, 28 Jul 2022 20:58:24 +1000
Source: net-snmp
Version: 5.9.3+dfsg-1

I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
changelog.
I'm trying to find where they've made the changes to see if it is possible
to get at least bullseye fixed.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian SNMP Team <team+snmp@tracker.debian.org>:
Bug#1016139; Package src:net-snmp. (Thu, 28 Jul 2022 11:39:03 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SNMP Team <team+snmp@tracker.debian.org>. (Thu, 28 Jul 2022 11:39:03 GMT)


Message #15 received at 1016139@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 1016139@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)
Date: Thu, 28 Jul 2022 21:25:44 +1000
I said:

> I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
> changelog.
> I'm trying to find where they've made the changes to see if it is possible
> to get at least bullseye fixed.
>
I've had a look and believe these two commits are the fixes:

snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB,
SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937

snmpd: recover SET status from delegated request
https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341

Both sets of commits look pretty clear and simple to implement. I've asked
upstream to confirm these are the only two patches.

 - Craig



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jul 28 13:17:17 2022; Machine Name: buxtehude
