Bug 1212408 (CVE-2015-5621) - CVE-2015-5621 net-snmp: snmp_pdu_parse() incompletely parsed varBinds left in list of variables
Summary: CVE-2015-5621 net-snmp: snmp_pdu_parse() incompletely parsed varBinds left in...
Status: CLOSED ERRATA
Alias: CVE-2015-5621
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150413,repor...
Keywords: Security
Depends On: 1212412 1248410 1248411 1248412 1248414
Blocks: 1202791
TreeView+ depends on / blocked
 
Reported: 2015-04-16 11:01 UTC by Stefan Cornelius
Modified: 2018-01-24 08:52 UTC (History)
6 users (show)

(edit)
It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables. A remote, unauthenticated attacker could use this flaw to crash snmpd or, potentially, execute arbitrary code on the system with the privileges of the user running snmpd.
Clone Of:
(edit)
Last Closed: 2015-08-19 11:48:52 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1636 normal SHIPPED_LIVE Moderate: net-snmp security update 2015-08-17 23:32:53 UTC

Description Stefan Cornelius 2015-04-16 11:01:14 UTC
It was discovered that the snmp_pdu_parse() function could leave
incompletely parsed varBind variables in the list of variables in
case the parsing of the SNMP PDU failed. If later processing tries to
operate on the stale and incompletely processed varBind (e.g. when
printing the variables), this can lead to e.g. crashes or, possibly,
execution of arbitrary code (although I've only seen NULL pointer
dereferences during my testing, I currently can't rule out code
execution completely).

The snmp_pdu_parse() function stores varBind variables in a list of
netsnmp_variable_list structures. Each time the function parses a new
varBind, a new netsnmp_variable_list item is allocated on the heap
and linked to the list of variables. The problem is that this item
is not removed from the list, even if snmp_pdu_parse() fails to
complete the parsing.

The "type" member of the stale netsnmp_variable_list is not
properly initialized in case snmp_pdu_parse() returns early from the
parsing. However, the "type" member is used to determine later code
paths, which is why we see crashes in a variety of functions,
although the root cause for all of these is the same.


References:

Upstream patch:
https://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/

Upstream bug:
https://sourceforge.net/p/net-snmp/bugs/2615/ (possibly restricted)

Reporter's mail to oss-security:
http://www.openwall.com/lists/oss-security/2015/04/13/1

Comment 1 Stefan Cornelius 2015-04-16 11:05:25 UTC
Acknowledgements:

Red Hat would like to thank Qinghao Tang (QIHU 360) for reporting this issue.

Statement:

(none)

Comment 2 Stefan Cornelius 2015-04-16 11:06:35 UTC
Created net-snmp tracking bugs for this issue:

Affects: fedora-all [bug 1212412]

Comment 5 Gerd v. Egidy 2015-05-19 14:12:26 UTC
any news on this one?

It seems to me that this could lead to a remote DoS and maybe even remote code execution.

Comment 10 errata-xmlrpc 2015-08-17 19:33:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:1636 https://rhn.redhat.com/errata/RHSA-2015-1636.html


Note You need to log in before you can comment on or make changes to this bug.