[Pkg-net-snmp-devel] CVE-2008-6123 applies to snmpd in lucid (and sid)

Corey Wright undefined at pobox.com
Mon May 31 07:28:53 UTC 2010 

SUMMARY
-------

snmpd in lucid (5.4.2.1~dfsg0ubuntu1-0ubuntu2) is vulnerable to
CVE-2008-6123 contrary to what its changelog says.

the attached patch was applied to the aforementioned version, compiled in a
pbuilder lucid chroot (on lenny), and the resulting packages (libsnmp-base,
libsnmp15, snmp, snmpd) were successfully tested on lucid-i386.

i also downloaded sid's 5.4.2.1~dfsg-5 source and it appears to be
vulnerable based on its snmplib/snmpUDPDomain.c and the lack of any
applicable patch(es) in debian/patches.

REFERENCES
----------

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17367
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/branches/V5-4-patches/net-snmp/snmplib/snmpUDPDomain.c?r1=17367&r2=17366&pathrev=17367

BACKGROUND
----------

i recently upgraded a netbook from hardy to lucid by installing lucid to a
new hard drive and copying/merging the old configuration.  after installing
snmpd and merging/copying the associated configuration files
(/etc/default/snmpd, /etc/snmp/snmpd.conf, /etc/hosts.allow,
& /etc/hosts.deny) it rejected connections from my cacti installation
residing on the network (the only IP allowed to connect to it based on the
tcp-wrapper's ACL). i also noticed that the syslog output was incorrect:

snmpd[$PID]: Connection from UDP: [$LOCAL_IP]->[$REMOTE_IP]:-13093 REFUSED

yes, the remote port is negative due to "%hd" in the packages'
snmplib/snmpUDPDomain.c, but is "%hu" upstream and fixed in the attached
patch.

PROBLEM
-------

snmpd improperly applies tcp-wrapper ACLs because it calls tcp-wrapper's
hosts_ctl (see netsnmp_agent_check_packet() in agent/snmp_agent.c) with it's
local IP address as the "client_addr" (instead of the snmp client's remote
IP address) because of incorrect string assembly (see netsnmp_udp_fmtaddr()
in snmplib/snmpUDPDomain.c).

SOLUTION
--------

searching for snmpd bugs related to tcp wrappers, i found debian bug
#516801.  i downloaded and browsed the ubuntu source package, reviewed
agent/snmp_agent.c where tcp-wrappers' hosts_ctl() is called, backtracked
to snmplib/snmpUDPDomain.c where the string is constructed that
snmp_agent.c deconstructs for hosts_ctl(), and verified that upstream's
CVE-2008-6123 patch for v5.4 is still applicable (though compensating for
"%hd" in debian/ubuntu source).

i added the patch to the package using quilt, rebuilt the package,
installed it, and it works correctly:

snmpd[$PID]: Connection from UDP: [$REMOTE_IP]:53735->[$LOCAL_IP]

thanks for providing the net-snmp packages!

corey
-- 
undefined at pobox.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2008-6123-ubuntu-lucid.patch
Type: text/x-diff
Size: 3057 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/attachments/20100531/74e720d0/attachment.patch>

More information about the Pkg-net-snmp-devel mailing list