[Pkg-net-snmp-devel] Bug#966599: snmpd: Elevation of Privileges due to symlink handling

Craig Small csmall at debian.org
Fri Jul 31 09:52:10 BST 2020 

Package: snmpd
Version: 5.8+dfsg-4
Severity: grave
Tags: security upstream
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2020-15861

snmpd runs as a low privileged user account. However, in combination with
the *snmp-mibs-downloader package* this protection can be bypassed and it is
possible for this account to elevate permissions to the root user.

This attack happens due to how snmpd handles symlinks.

References:
 https://github.com/net-snmp/net-snmp/issues/145
 https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602

This security vulnerability was found by Tobias Neitzel of usd AG.


- -- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages snmpd depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.73
ii  init-system-helpers    1.57
ii  libc6                  2.30-2
ii  libsnmp-base           5.8+dfsg-2
ii  libsnmp35              5.8+dfsg-4
ii  lsb-base               11.1.0

snmpd recommends no packages.

Versions of packages snmpd suggests:
ii  snmptrapd  5.8+dfsg-4

- -- Configuration Files:
/etc/snmp/snmpd.conf changed [not included]

- -- debconf information excluded

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAl8j268SHGNzbWFsbEBk
ZWJpYW4ub3JnAAoJEAIhZsD/PITjzj0P/ReencZCeEbL/F2lznh8AhH42fC6tpi9
1McAS/calfYn9wFUTIfqi9JemMVjx8+2m0c6qW0/Yz698CACS45eUY4xTK9ejLEM
Lezi2kQDLZwGHLfMIcd4U3DSC3ZNlFomOT0Idl43q2yiqHLYdXzxWaVSfgAHxLB2
ElBHSAS+UYCgp7Jd38oEZ5++rTUw5dKb249IiUee+AMCUToCHMes0abJ4r7D79ow
PCIV410f1m1WlPJa5nWD/MioSnjdR2v9gmkuzmTq5Qjl6ShOR2B7Fh2/NWXzegXh
Tu7MPeSAa7VnybicwIACzo7M7YvVBsw32CTtJZnOKFFU/Xrg6j/cUvTkpKuB+c+W
D3dTgjieMRC0Gfc6aIAGE+nTOP4xMjLGGyhAxgBKp2THlZksO5ZSA4KXGswGLygl
N19qe30Xy0ROuAKPMChNRmJXw0M+/pY2AX91QJUqGhvkXPfNBmtiy6LHyFo2RRCk
yOlAC/8oQH8uHp1x7SUe02tiogbsLY/Yn6HTuvlo89Bt7UK2ifQXyqUkapySF3nw
QDRFDh8+hkCvAubcW2ViEAY2n0Mca0+zeN5FyxK3PINSU6iz1zT2L3NI2HhIrZuZ
3YXCDQJe2jYa/LpeeBaR3TdY6ArDiwrkpzTwsOfltc4BzMyzUt1/7ccnhhNZo9N1
xwiQIxBbfw7b
=Rnwp
-----END PGP SIGNATURE-----

More information about the Pkg-net-snmp-devel mailing list