Public Vulnerability Reports

Net-SNMP denial-of-service

10.02.02

BACKGROUND

The Net-SNMP package, formerly known as ucd-snmp, is a suite of tools relating to the Simple Network Management Protocol (SNMP). It includes an extensible agent, an SNMP daemon, tools to request or set information from SNMP agents, tools to generate and handle SNMP traps, a version of the Unix 'netstat' command using SNMP, and a graphical Perl/Tk/SNMP based MIB browser. More information about the package is available at http://net-snmp.sourceforge.net.

DESCRIPTION

The SNMP daemon (snmpd) included in the Net-SNMP package can be crashed if it attempts to process a specially crafted packet. Exploitation requires foreknowledge of a valid SNMP community string (either read-only or read/write); for SNMPv1 and SNMPv2c the community string is the only access control applied. This issue therefore affects any Net-SNMP installation in which the default "public" read-only community string has not been changed.

ANALYSIS

By sending the SNMP daemon a packet without having first set up a session, an attacker can trigger a vulnerability in the following segment of code from agent/snmp_agent.c, handle_var_requests(), line 1,876:

    for (i = 0; i <= asp->treecache_num; i++) {
        reginfo = asp->treecache[i].subtree->reginfo;
        status = netsnmp_call_handlers(reginfo, asp->reqinfo,
                     asp->treecache[i].requests_begin);

Although "asp->treecache_num" is zero at this point (no tree-cache entries have been populated, because no session was set up), the "<=" comparison in the for() loop still allows the body to execute once, with i == 0. The subtree pointer in that unpopulated entry is NULL, so reading "asp->treecache[0].subtree->reginfo" dereferences a NULL pointer and the SNMP daemon dies with SIGSEGV. Because the daemon must parse the attack packet before reaching this code, an attacker must first pass the community-string ACL; read-only access with the default "public" community is sufficient.
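The following program is an added illustration of the loop hazard described above; it is not Net-SNMP code and the hardened variant is not the 5.0.5 patch. The structures, the call_handlers() stand-in and the request-building helpers are simplified inventions that reuse the field names from the quoted snippet so the loop reads the same. Rather than crashing, the vulnerable loop returns -1 at the exact point where the real daemon would dereference the NULL subtree pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NTREECACHE 4   /* size of the constructed cache array */

/* Simplified stand-ins for the Net-SNMP structures named in the advisory.
 * Field names follow the quoted snippet; the types are invented for this
 * illustration and are not the real Net-SNMP definitions. */
struct reginfo  { const char *handler_name; };
struct subtree  { struct reginfo *reginfo; };
struct treecache_entry {
    struct subtree *subtree;
    int             requests_begin;
};
struct agent_session {
    struct treecache_entry treecache[NTREECACHE];
    int treecache_num;
};

/* Stand-in for netsnmp_call_handlers(): records nothing, never fails. */
static int call_handlers(struct reginfo *ri, int requests_begin)
{
    (void)ri;
    (void)requests_begin;
    return 0;
}

/* Same loop shape as the advisory's snippet. Returns the number of cache
 * entries dispatched, or -1 at the point where the real daemon would read
 * subtree->reginfo through a NULL subtree and receive SIGSEGV (we return
 * instead of crashing so the example can run to completion). */
static int handle_var_requests_vulnerable(struct agent_session *asp)
{
    int i, dispatched = 0;

    for (i = 0; i <= asp->treecache_num; i++) {
        struct subtree *st = asp->treecache[i].subtree;
        if (st == NULL)
            return -1;                 /* real code: st->reginfo => SIGSEGV */
        call_handlers(st->reginfo, asp->treecache[i].requests_begin);
        dispatched++;
    }
    return dispatched;
}

/* Hardened variant (an illustration, not the 5.0.5 patch): range-check the
 * count, use it as a count (i < n), and never dereference a slot that was
 * not populated. Returns entries dispatched, or -2 if the count is invalid. */
static int handle_var_requests_hardened(struct agent_session *asp)
{
    int i, dispatched = 0;

    if (asp->treecache_num < 0 || asp->treecache_num > NTREECACHE)
        return -2;
    for (i = 0; i < asp->treecache_num; i++) {
        struct subtree *st = asp->treecache[i].subtree;
        if (st == NULL || st->reginfo == NULL)
            continue;                  /* unpopulated slot: skip, don't crash */
        call_handlers(st->reginfo, asp->treecache[i].requests_begin);
        dispatched++;
    }
    return dispatched;
}

/* The state the advisory describes: a request that arrived with no session
 * set up, so nothing was cached and every subtree pointer is still NULL. */
static struct agent_session make_sessionless_request(void)
{
    struct agent_session asp;
    memset(&asp, 0, sizeof asp);       /* treecache_num == 0, subtrees NULL */
    return asp;
}

/* A normally populated request with one cached entry, for comparison. */
static struct agent_session make_populated_request(void)
{
    static struct reginfo ri = { "system" };
    static struct subtree st = { &ri };
    struct agent_session asp;

    memset(&asp, 0, sizeof asp);
    asp.treecache[0].subtree = &st;
    asp.treecache[0].requests_begin = 0;
    asp.treecache_num = 1;
    return asp;
}

int main(void)
{
    struct agent_session none = make_sessionless_request();
    struct agent_session one  = make_populated_request();

    printf("sessionless, vulnerable loop: %d (-1 = would SIGSEGV)\n",
           handle_var_requests_vulnerable(&none));
    printf("sessionless, hardened loop:   %d entries dispatched\n",
           handle_var_requests_hardened(&none));
    printf("populated,   hardened loop:   %d entries dispatched\n",
           handle_var_requests_hardened(&one));
    return 0;
}
```

With the count at zero, the "<=" bound runs the body once and reaches the unpopulated slot; with the count treated as a count, as this example does, the same bound also walks one slot past the populated entries on a normal one-entry request, which is why the hardened loop uses "<" and additionally refuses to dereference a NULL slot.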

DETECTION

Net-SNMP 5.0.1, 5.0.3 and 5.0.4.pre2 are vulnerable.

WORKAROUND

Restarting the affected SNMP daemon restores normal functionality after an attack, but does not prevent the attack from being repeated. Because exploitation requires a valid community string, changing the default "public" community to a non-default value and restricting the addresses from which snmpd accepts requests (in snmpd.conf, or with a packet filter on UDP port 161) limits exposure until the daemon is upgraded.
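As an added illustration (not text from the original advisory), the exposure-reducing change expressed in snmpd.conf terms. It assumes the rocommunity directive, which takes an optional source-address restriction; the community value and management subnet shown are placeholders to be replaced with your own.

```conf
# Weak: the shipped default. Any host that can reach UDP/161 can read,
# which is all an attacker needs to deliver the crashing packet.
rocommunity public

# Better: remove the line above, then use a non-default, hard-to-guess
# community that is accepted only from the management subnet
# (both values below are placeholders).
rocommunity r0-mgmt-only-example 192.0.2.0/24
```

After editing the file, restart snmpd and confirm from a host outside the listed subnet that a request with the old "public" community is no longer answered.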

VENDOR RESPONSE

Net-SNMP 5.0.5 has been released which fixes the described vulnerability. It is available at http://sourceforge.net/project/showfiles.php?group_id=12694.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1170 to this issue.

DISCLOSURE TIMELINE

09/01/2002 Issue disclosed to iDEFENSE
09/24/2002 Maintainer of Net-SNMP notified at http://net-snmp.sourceforge.net
09/24/2002 iDEFENSE clients notified
09/27/2002 Response received from Wes Hardaker (hardaker@users.sourceforge.net)
10/01/2002 Vendor fix made available
10/02/2002 Issue disclosed to public

CREDIT

Andrew Griffiths (andrewg@d2.net.au) is credited with discovering this vulnerability.