Bug 1074631 (CVE-2014-2310)

Summary: CVE-2014-2310 net-snmp: AgentX incorrectly handles multi-object requests leading to DoS
Product: [Other] Security Response
Component: vulnerability
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: jkurik, jsafrane, mmcallis, pfrields, thozza
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: net-snmp 5.4.4
Doc Type: Bug Fix
Last Closed: 2014-03-14 06:24:43 UTC
Bug Blocks: 1070397

Description Vincent Danen 2014-03-10 17:24:27 UTC
It was reported [1],[2] that the AgentX subagent of net-snmp could be stalled when a manager sent a multi-object request with a different number of subids.  This could lead to a denial of service.

This has been corrected upstream in version 5.4.4 [3]; only earlier versions are affected.  This means that Fedora and Red Hat Enterprise Linux 6 are not affected; however, Red Hat Enterprise Linux 5 does ship a vulnerable version (5.3.x).

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684388
[2] http://seclists.org/oss-sec/2014/q1/513
[3] http://sourceforge.net/p/net-snmp/patches/1113/


Statement:

This issue did not affect the version of the net-snmp packages as shipped with Red Hat Enterprise Linux 6.

Comment 1 Jan Safranek 2014-03-11 08:34:39 UTC
I don't understand how this bug can lead to DoS. Sure, the AgentX subagent won't parse certain GETNEXT messages, but it does not crash, it just reports an ordinary error code.

And looking at the code, Net-SNMP as in RHEL 6.6 has the same bug.

Comment 3 Huzaifa S. Sidhpurwala 2014-03-14 06:22:49 UTC
After analyzing this issue, it seems the only impact of this flaw would be denial of response to the attacker who initially sent the crafted request. It does not lead to denial of service to other users or a daemon crash.

Therefore this is not a security flaw.

Comment 4 Huzaifa S. Sidhpurwala 2014-03-14 06:24:43 UTC
Statement:

The Red Hat Security Response Team does not consider this issue to be a security flaw. For more information please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1074631#c3