It was found that snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.
References: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos
Upstream patch:
https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/
https://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/
Created net-snmp tracking bugs for this issue: Affects: fedora-all [bug 1637573]
Unable to reproduce on Fedora or RHEL5/7. Going to try to build a version without our patches and see if it reproduces, then try to backtrace why this isn't working.
Had to modify reproducer a bit to get it working. Reproduces on RHEL7 as an assert/segfault.
Note that the attacker needs to know the community string to successfully trigger the fault/denial of service here. The default is "public", so I'll leave the CVSS score privileges required field as unauthenticated as I'm sure there are many cases where the default community string is not changed.
Is this related to CVE-2015-5621?
See: https://seclists.org/oss-sec/2018/q4/26
(In reply to Charlie Brady from comment #7)
> Is this related to CVE-2015-5621?
I suppose it's the same, since the fix for this issue was created in 2015.
(In reply to Scott Gayou from comment #3)
> Had to modify reproducer a bit to get it working. Reproduces on RHEL7 as an
> assert/segfault.
Hi Scott,
Please share the steps to reproduce this vulnerability along with any mitigation information that would be helpful in this scenario.
Regards,
Sonu Khan
Mitigation: Configuring snmp with a secret community string makes this attack much more difficult to perform, as the attacker must guess the community string in order to exploit the vulnerability. Protecting the snmp service with host firewall rules to prevent unauthorized hosts from sending messages to the snmp service will prevent this attack being carried out by users of other hosts on the network. Either or both of these steps are recommended to prevent potential attackers from gaining extra information about network devices and topology, and from causing undue load to snmp services.
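The mitigation above comes down to two checks an administrator can run against snmpd.conf: no default community string, and community access limited to a source network. The following audit script is an added example (not Red Hat's or Net-SNMP's code) that applies those checks to constructed sample configurations; the community string and network in the hardened sample are placeholders.

```python
"""Audit Net-SNMP snmpd.conf community directives for the two weaknesses the
mitigation names: a default/guessable community string and access that is
not restricted to a source network.  Added example; sample configs are
constructed for illustration and are not from the bug report."""
import ipaddress

# snmpd.conf syntax: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
DEFAULT_COMMUNITIES = {"public", "private"}


def _is_restricted_source(token):
    """True if SOURCE narrows who may query the agent ('default' and /0 do not)."""
    if token.lower() == "default":
        return False
    try:
        return ipaddress.ip_network(token, strict=False).prefixlen > 0
    except ValueError:
        return True  # a hostname source still restricts the peer set


def audit_snmpd_conf(text):
    """Return (line_no, finding) tuples for weak community configuration."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() not in COMMUNITY_DIRECTIVES:
            continue
        directive, community = parts[0].lower(), parts[1]
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((no, f"default community string '{community}'"))
        # A leading '-V' means SOURCE was omitted, i.e. reachable from anywhere.
        source = parts[2] if len(parts) > 2 and parts[2] != "-V" else "default"
        if not _is_restricted_source(source):
            findings.append((no, f"{directive} '{community}' reachable from any host"))
        if directive.startswith("rwcommunity"):
            findings.append((no, f"write access granted by community '{community}'"))
    return findings


# Constructed samples: the weak config grants read and write access to anyone
# knowing the well-known defaults; the hardened one uses a placeholder secret
# and limits queries to a management network and a read-only view.
WEAK_CONF = "rocommunity public\nrwcommunity private 0.0.0.0/0\n"
HARDENED_CONF = ("rocommunity REPLACE-WITH-SECRET 192.0.2.0/24 -V systemonly\n"
                 "view systemonly included .1.3.6.1.2.1.1\n")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_snmpd_conf(conf))
```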
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1081 https://access.redhat.com/errata/RHSA-2020:1081
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-18066
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:2539 https://access.redhat.com/errata/RHSA-2020:2539