snmpd: Elevation of Privileges due to symlink handling (CVE-2020-15861)

Related Vulnerabilities: CVE-2020-15861  

Debian Bug report logs - #966599

Reported by: Craig Small <csmall@debian.org>

Date: Fri, 31 Jul 2020 08:54:02 UTC

Severity: grave

Tags: security, upstream

Found in versions net-snmp/5.8+dfsg-4, net-snmp/5.7.3+dfsg-5

Fixed in version net-snmp/5.8+dfsg-5

Done: Craig Small <csmall@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#966599; Package snmpd. (Fri, 31 Jul 2020 08:54:04 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Fri, 31 Jul 2020 08:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: snmpd: Elevation of Privileges due to symlink handling
Date: Fri, 31 Jul 2020 18:52:10 +1000
Package: snmpd
Version: 5.8+dfsg-4
Severity: grave
Tags: security upstream
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2020-15861

snmpd runs as a low privileged user account. However, in combination with
the *snmp-mibs-downloader package* this protection can be bypassed and it is
possible for this account to elevate permissions to the root user.

This attack happens due to how snmpd handles symlinks.

References:
 https://github.com/net-snmp/net-snmp/issues/145
 https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602

This security vulnerability was found by Tobias Neitzel of usd AG.


- -- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages snmpd depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.73
ii  init-system-helpers    1.57
ii  libc6                  2.30-2
ii  libsnmp-base           5.8+dfsg-2
ii  libsnmp35              5.8+dfsg-4
ii  lsb-base               11.1.0

snmpd recommends no packages.

Versions of packages snmpd suggests:
ii  snmptrapd  5.8+dfsg-4

- -- Configuration Files:
/etc/snmp/snmpd.conf changed [not included]

- -- debconf information excluded

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



Marked as found in versions net-snmp/5.7.3+dfsg-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 31 Jul 2020 11:12:08 GMT)


Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Fri, 31 Jul 2020 11:12:14 GMT)


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Fri, 31 Jul 2020 11:12:14 GMT)


Message #12 received at 966599-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 966599-close@bugs.debian.org
Subject: Bug#966599: fixed in net-snmp 5.8+dfsg-5
Date: Fri, 31 Jul 2020 11:10:27 +0000
Source: net-snmp
Source-Version: 5.8+dfsg-5
Done: Craig Small <csmall@debian.org>

We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 966599@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated net-snmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 31 Jul 2020 20:29:41 +1000
Source: net-snmp
Architecture: source
Version: 5.8+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
Changed-By: Craig Small <csmall@debian.org>
Closes: 966544 966599
Changes:
 net-snmp (5.8+dfsg-5) unstable; urgency=medium
 .
   * Allow extend to be read-only Closes: #966544
   * Stop using mib_index files CVE-2020-15861 Closes: 966599
Checksums-Sha1:
 c078975bd5c23c1ad903da93dcf13a31baa57c9c 2812 net-snmp_5.8+dfsg-5.dsc
 abd8867c8751fcf7b25ff4b1a4aae0661352d6ee 77296 net-snmp_5.8+dfsg-5.debian.tar.xz
 8067492ac9e2b67ad7ec09268cacb11aa0ed9d8c 9896 net-snmp_5.8+dfsg-5_amd64.buildinfo
Checksums-Sha256:
 2b46f745b2e321061c45ff6d9039d35addedef236203e386f6be71b18126fb73 2812 net-snmp_5.8+dfsg-5.dsc
 3097a16b7538f9d492844a54e4dfea8ab80110f0b0b2b5f17cc95b09da99e78e 77296 net-snmp_5.8+dfsg-5.debian.tar.xz
 8cdeaf05ed1440d2a37618634faa6fbebd9d32cfd9f61abe280dd1521d601c08 9896 net-snmp_5.8+dfsg-5_amd64.buildinfo
Files:
 798e4bbdcd5db65374aa293d5d354ab8 2812 net optional net-snmp_5.8+dfsg-5.dsc
 fe50a3169add1bc0654867b76a857956 77296 net optional net-snmp_5.8+dfsg-5.debian.tar.xz
 329199d0a038e6cc5a3e6cf43de1b2f8 9896 net optional net-snmp_5.8+dfsg-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Changed Bug title to 'snmpd: Elevation of Privileges due to symlink handling (CVE-2020-15861)' from 'snmpd: Elevation of Privileges due to symlink handling'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 01 Aug 2020 08:03:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Aug 1 09:13:37 2020; Machine Name: bembo
