Public Vulnerability Reports

Net-SNMP denial-of-service



The Net-SNMP package, formerly known as ucd-snmp, is a suite of tools relating to the Simple Network Management Protocol (SNMP). It includes an extensible agent, an SNMP daemon, tools to request or set information from SNMP agents, tools to generate and handle SNMP traps, a version of the Unix 'netstat' command using SNMP, and a graphical Perl/Tk/SNMP based MIB browser. More information about the package is available at


The SNMP daemon included in the Net-SNMP package can be crashed if it attempts to process a specially crafted packet. Exploitation requires foreknowledge of a known SNMP community string (either read or read/write). This issue potentially affects any Net-SNMP installation in which the "public" read-only community string has not been changed.


By sending the SNMP daemon a packet without having first set up a session, a vulnerability in the following segment of code from agent/snmp_agent.c, handle_var_requests(), line 1,876, can be exploited:

    for (i = 0; i <= asp->treecache_num; i++) {
        reginfo = asp->treecache[i].subtree->reginfo;
        status = netsnmp_call_handlers(reginfo, asp->reqinfo,

Although "asp->treecache_num" is NULL (i.e. zero), the "<=" comparison in the for() loop still admits one iteration of the block. At that point the SNMP daemon de-references a NULL pointer and dies with a SIGSEGV. Because the daemon must parse the attack packet before reaching this code, an attacker must first pass the community-string ACL (public/read access is sufficient).
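An added illustration, not Net-SNMP's own code: the loop shape quoted above next to a bounded version, run over constructed stand-in structures. It assumes treecache_num counts populated cache entries (so it is 0 before any session exists); the structure layout, ERR_NULL_DEREF and run_case() are invented for the demonstration.

```c
#include <string.h>
/* Constructed stand-ins for the agent structures named in the advisory.
 * Assumption: treecache_num counts populated entries, so it is 0 when a packet
 * arrives before any session has been set up. The layout is invented. */
typedef struct { int id; } reginfo_t;
typedef struct { reginfo_t *reginfo; } subtree_t;
typedef struct { subtree_t *subtree; } tree_cache_t;
#define TREECACHE_SLOTS 4
typedef struct {
    tree_cache_t treecache[TREECACHE_SLOTS];
    int treecache_num;
} agent_session_t;
#define ERR_NULL_DEREF (-1)

/* Vulnerable loop shape: "<=" also visits index treecache_num, one past the last
 * populated entry. With treecache_num == 0 that is treecache[0], whose subtree is
 * NULL; snmpd dereferences it and dies with SIGSEGV. Here it is caught instead. */
static int handle_var_requests_vuln(const agent_session_t *asp) {
    int handled = 0;
    for (int i = 0; i <= asp->treecache_num; i++) {
        const subtree_t *st = asp->treecache[i].subtree;
        if (st == NULL)
            return ERR_NULL_DEREF;   /* the daemon would crash here */
        handled += (st->reginfo != NULL);
    }
    return handled;
}

/* Hardened loop shape: "<" stops at the count, and a NULL subtree is skipped
 * as defence in depth rather than dereferenced. */
static int handle_var_requests_fixed(const agent_session_t *asp) {
    int handled = 0;
    for (int i = 0; i < asp->treecache_num; i++) {
        const subtree_t *st = asp->treecache[i].subtree;
        if (st != NULL)
            handled += (st->reginfo != NULL);
    }
    return handled;
}

/* Build a session whose first n slots hold constructed subtrees and the rest
 * stay NULL, then run one of the two loops over it. */
static int run_case(int n, int use_fixed) {
    agent_session_t asp; subtree_t pool[TREECACHE_SLOTS]; reginfo_t regs[TREECACHE_SLOTS];
    if (n < 0 || n >= TREECACHE_SLOTS) n = TREECACHE_SLOTS - 1;  /* keep reads in bounds */
    memset(&asp, 0, sizeof asp);
    for (int i = 0; i < n; i++) {
        regs[i].id = i; pool[i].reginfo = &regs[i]; asp.treecache[i].subtree = &pool[i];
    }
    asp.treecache_num = n;
    return use_fixed ? handle_var_requests_fixed(&asp) : handle_var_requests_vuln(&asp);
}
```

With no session (n = 0) the vulnerable loop reaches the NULL entry on its first iteration, while the bounded loop handles nothing and returns cleanly.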


Net-SNMP 5.0.1, 5.0.3 and 5.0.4.pre2 are vulnerable.


Restart the affected SNMP daemon to restore normal functionality.


Net-SNMP 5.0.5 has been released which fixes the described vulnerability. It is available at


The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1170 to this issue.


09/01/2002 Issue disclosed to iDEFENSE
09/24/2002 Maintainer of Net-SNMP notified at http://net-
09/24/2002 iDEFENSE clients notified
09/27/2002 Response received from Wes Hardaker (
10/01/2002 Vendor fix made available
10/02/2002 Issue disclosed to public


Andrew Griffiths ( is credited with discovering this vulnerability.