Bug 1125155 (CVE-2014-3565)
| Summary: | CVE-2014-3565 net-snmp: snmptrapd crash when handling an SNMP trap containing a ifMtu with a NULL type | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | jrusnack, jsafrane, maurizio.antillon, security-response-team, sisharma, vkrizan | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: |
A denial of service flaw was found in the way snmptrapd handled certain SNMP traps when started with the "-OQ" option. If an attacker sent an SNMP trap containing a variable with a NULL type where an integer variable type was expected, it would cause snmptrapd to crash.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-11-20 05:16:50 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1124699, 1135828, 1209109, 1209361 | ||||||
| Bug Blocks: | 1125160, 1210268 | ||||||
| Attachments: |
|
||||||
|
Description
Murray McAllister
2014-07-31 08:22:08 UTC
(In reply to Murray McAllister from comment #0) > A remote denial-of-service flaw was found in the way snmptrapd handled SNMP > traps containing a ifMtu with a NULL type when started with the "-OQ" > option. Well, it's not about ifMtu, it's about *any* integer variable, disguised as Null in a SNMP trap. I used ifMtu just for testing, I did not have original HP MIB files. You know, SNMP objects have types. The types are described in a MIB file, usually part of a RFC. Problem is, when there is conflict between the definition of the object in the MIB file (which says the object is 'integer') and the trap packet itself (which says the object is 'null'). snmptrapd trusts the MIB file and does not check the type in the packet. Created attachment 931224 [details]
patch
This issue is public now: http://sourceforge.net/p/net-snmp/code/ci/7f4a7b891332899cea26e95be0337aae01648742/ Created net-snmp tracking bugs for this issue: Affects: fedora-all [bug 1135828] net-snmp-5.7.2-18.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. net-snmp-5.7.2-15.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. Explanation: Attacker can crash snmptrapd if "-OQ" argument is used to run snmptrapd by sending SNMP trap containing variable with a NULL where integer was expected, parser tries to parse NULL from the packet which leads to crash. No authentication is required to crash the snmptrapd. Statement: This issue affects the versions of net-snmp as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. net-snmp-5.7.2-23.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1385 https://rhn.redhat.com/errata/RHSA-2015-1385.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2345 https://rhn.redhat.com/errata/RHSA-2015-2345.html |