Bug 1637572 (CVE-2018-18066)
| Summary: | CVE-2018-18066 net-snmp: NULL pointer exception in snmp_oid_compare in snmplib/snmp_api.c resulting in a denial of service | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | akjain, charlieb-fedora-bugzilla, jridky, jsafrane, sonu.khan, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | net-snmp 5.8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-31 22:33:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1637573, 1638911, 1836285 | ||
| Bug Blocks: | 1637575 | ||
|
Description
Andrej Nemec
2018-10-09 13:57:50 UTC
Created net-snmp tracking bugs for this issue: Affects: fedora-all [bug 1637573] Unable to reproduce on on Fedora or RHEL5/7. Going to try to build a version without our patches and see if it reproduces, then try and backtrace why or why this isn't working. Had to modify reproducer a bit to get it working. Reproduces on RHEL7 as an assert/segfault. Note that the attacker needs to know the community string to successfully trigger the fault/denial of service here. The default is "public", so I'll leave the CVSS score privileges required field as unauthenticated as I'm sure there are many cases where the default community string is not changed. Is this related to CVE-2015-5621? (In reply to Charlie Brady from comment #7) > Is this related to CVE-2015-5621? I suppose, it's the same, due fix for this issue has been created in 2015. (In reply to Scott Gayou from comment #3) > Had to modify reproducer a bit to get it working. Reproduces on RHEL7 as an > assert/segfault. Hi Scott, Please share the steps to reproduce this vulnerability along with any mitigation information that would be helpful in this scenario. Regards, Sonu Khan Mitigation: Configuring snmp with a secret community string makes this attack much more difficult to perform, as the attacker must guess the community string in order to exploit the vulnerability. Protecting the snmp service with host firewall rules to prevent unauthorized hosts from sending messages to the snmp service will prevent this attack being carried out by users of other hosts on the network. Either or both of these steps is recommended to prevent potential attackers from gaining extra information about network devices and topology, and from causing undue load to snmp services. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1081 https://access.redhat.com/errata/RHSA-2020:1081 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-18066 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:2539 https://access.redhat.com/errata/RHSA-2020:2539 |