Bug 1637572 (CVE-2018-18066) - CVE-2018-18066 net-snmp: NULL pointer exception in snmp_oid_compare in snmplib/snmp_api.c resulting in a denial of service
Summary: CVE-2018-18066 net-snmp: NULL pointer exception in snmp_oid_compare in snmpli...
Alias: CVE-2018-18066
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1637573 1638911 1836285
Blocks: 1637575
TreeView+ depends on / blocked
Reported: 2018-10-09 13:57 UTC by Andrej Nemec
Modified: 2023-09-07 19:26 UTC (History)
6 users (show)

Fixed In Version: net-snmp 5.8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-03-31 22:33:24 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1081 0 None None None 2020-03-31 19:21:28 UTC
Red Hat Product Errata RHSA-2020:2539 0 None None None 2020-06-12 13:02:38 UTC

Description Andrej Nemec 2018-10-09 13:57:50 UTC
It was found that snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.



Upstream patch:


Comment 1 Andrej Nemec 2018-10-09 13:59:22 UTC
Created net-snmp tracking bugs for this issue:

Affects: fedora-all [bug 1637573]

Comment 2 Scott Gayou 2018-10-11 21:17:40 UTC
Unable to reproduce on on Fedora or RHEL5/7. Going to try to build a version without our patches and see if it reproduces, then try and backtrace why or why this isn't working.

Comment 3 Scott Gayou 2018-10-12 16:50:59 UTC
Had to modify reproducer a bit to get it working. Reproduces on RHEL7 as an assert/segfault.

Comment 4 Scott Gayou 2018-10-12 17:00:46 UTC
Note that the attacker needs to know the community string to successfully trigger the fault/denial of service here. The default is "public", so I'll leave the CVSS score privileges required field as unauthenticated as I'm sure there are many cases where the default community string is not changed.

Comment 7 Charlie Brady 2019-05-08 17:05:13 UTC
Is this related to CVE-2015-5621?

Comment 8 Charlie Brady 2019-05-08 17:06:20 UTC


Comment 9 Josef Ridky 2019-05-09 06:44:31 UTC
(In reply to Charlie Brady from comment #7)
> Is this related to CVE-2015-5621?

I suppose, it's the same, due fix for this issue has been created in 2015.

Comment 10 Sonu Khan 2020-01-24 10:23:53 UTC
(In reply to Scott Gayou from comment #3)
> Had to modify reproducer a bit to get it working. Reproduces on RHEL7 as an
> assert/segfault.

Hi Scott,

Please share the steps to reproduce this vulnerability along with any mitigation information that would be helpful in this scenario.

Sonu Khan

Comment 12 Doran Moppert 2020-02-14 00:50:59 UTC

Configuring snmp with a secret community string makes this attack much more difficult to perform, as the attacker must guess the community string in order to exploit the vulnerability.

Protecting the snmp service with host firewall rules to prevent unauthorized hosts from sending messages to the snmp service will prevent this attack being carried out by users of other hosts on the network.

Either or both of these steps is recommended to prevent potential attackers from gaining extra information about network devices and topology, and from causing undue load to snmp services.

Comment 13 errata-xmlrpc 2020-03-31 19:21:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1081 https://access.redhat.com/errata/RHSA-2020:1081

Comment 14 Product Security DevOps Team 2020-03-31 22:33:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 17 errata-xmlrpc 2020-06-12 13:02:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2539 https://access.redhat.com/errata/RHSA-2020:2539

Note You need to log in before you can comment on or make changes to this bug.