
net-snmp

Tracker: Bugs

CVE-2008-4309: GETBULK max-repetitions Denial of Service - ID: 2205039
Last Update: Comment added ( nobody )

ZDI-CAN-395:

In accordance with our disclosure policy we are writing to inform you of
a security vulnerability affecting:

Net-SNMP

The details of the issue are available in the attached advisory.

This vulnerability was processed through the Zero Day Initiative (ZDI),
an initiative launched by TippingPoint. The ZDI is designed to reward
security researchers for responsibly disclosing discovered
vulnerabilities. Further information regarding the ZDI is available at:

http://www.zerodayinitiative.com

Please confirm receipt of this report within 5 business days. We wish to
coordinate a public release date for this information once a patch has
been developed and made publicly available. Please keep us updated
regarding the status of this issue and feel free to contact us at any
time.

The PGP key used for all ZDI vendor communications is available from:

http://www.zerodayinitiative.com/documents/zdi-pgp-key.asc

Thank you for your time.


Zero Day Initiative ( zdi-disclosures ) - 2008-10-28 18:58

Priority: 8
Status: Closed
Resolution: Fixed
Assigned to: Nobody/Anonymous
Category: security
Group: linux
Visibility: Public


Comments ( 8 )


Date: 2008-11-01 00:01
Sender: tanders

See SVN Revision 17272. The security releases for the older branches are
5.3.2.3 and 5.2.5.1.


Date: 2008-10-31 17:02
Sender: hardaker (Project Admin)

Fixed in version 5.4.2.1 and others; thanks for the report!


Date: 2008-10-31 14:43
Sender: jsafranek

Is the bug exploitable for code execution? If we allocate too short a buffer
and we write behind its boundary, is it ensured that the attacker cannot
influence what gets written there? Looking into the code I can see it's an
array of pointers, so it looks safe to me, but I'd like to hear your
opinions too.


Date: 2008-10-30 04:26
Sender: hardaker (Project Admin)

Will do, thanks for providing the name.


Date: 2008-10-29 16:55
Sender: zdi-disclosures

It looks like you're right about the incorrect analysis, sorry for the
oversight there. If you release an advisory/changelog credit, can you make
sure to credit Oscar Mira-Sanchez and not the Zero Day Initiative?


Date: 2008-10-28 23:37
Sender: hardaker (Project Admin)

I haven't checked the attached patch, but I do agree the code as is has the
problem stated.

However! part of the analysis is wrong. Namely the part that says
"Authentication is not required to exploit this vulnerability." isn't true.
You MUST have a valid path to get into the agent (i.e., a valid SNMPv3 user
or a valid SNMPv2c community name). If you don't have these, you can't get
in.

The issue still exists for insider attacks, however, but can't be
exploited via just anyone.




Date: 2008-10-28 22:58
Sender: magfr

I think the attached patch solves the problem but I would like to get a
second opinion.

Proposed for 5.2--HEAD
File Added: patch-2205039
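
As an added illustration of the check magfr's patch is described as enforcing and of the point jsafranek raises, here is example code written for this page; it is not net-snmp's code or the attached patch, and the function names, the cap and the placeholder varbind are assumptions. It sizes the GETBULK response cache (an array of pointers) from the request's non-repeaters and max-repetitions as RFC 3416 defines the response, refuses counts that would wrap or exceed a ceiling, and only then allocates and fills the array with a bounded loop.

```c
#include <stdint.h>
#include <stdlib.h>

#define BULK_CACHE_CAP 4096 /* hypothetical ceiling on cached varbinds */

/* Response size per RFC 3416: non-repeaters + repeaters * max-repetitions,
 * with negative counts treated as zero. Returns 1 and stores the slot
 * count, or 0 when the count would wrap size_t or exceed cap. */
int bulk_cache_slots(size_t num_varbinds, long non_repeaters,
                     long max_repetitions, size_t cap, size_t *slots)
{
    size_t nr = non_repeaters < 0 ? 0 : (size_t)non_repeaters;
    size_t mr = max_repetitions < 0 ? 0 : (size_t)max_repetitions;
    if (nr > num_varbinds)
        nr = num_varbinds;            /* every varbind is a non-repeater */
    size_t repeaters = num_varbinds - nr;
    if (repeaters != 0 && mr > (SIZE_MAX - nr) / repeaters)
        return 0;                     /* nr + repeaters * mr would wrap */
    size_t total = nr + repeaters * mr;
    if (total > cap)
        return 0;                     /* refuse instead of under-allocating */
    *slots = total;
    return 1;
}

/* Allocates the pointer array only after the check passed and fills it
 * with an explicitly bounded loop. Returns entries written, 0 if refused. */
size_t fill_bulk_cache(size_t num_varbinds, long non_repeaters,
                       long max_repetitions)
{
    static int placeholder;           /* stands in for a real varbind */
    size_t slots, written = 0;
    if (!bulk_cache_slots(num_varbinds, non_repeaters, max_repetitions,
                          BULK_CACHE_CAP, &slots) || slots == 0)
        return 0;
    void **cache = calloc(slots, sizeof *cache);
    if (cache == NULL)
        return 0;
    size_t nr = non_repeaters < 0 ? 0 : (size_t)non_repeaters;
    if (nr > num_varbinds)
        nr = num_varbinds;
    size_t mr = max_repetitions < 0 ? 0 : (size_t)max_repetitions;
    for (size_t i = 0; i < nr && written < slots; i++)
        cache[written++] = &placeholder;
    for (size_t rep = 0; rep < mr && written < slots; rep++)
        for (size_t v = nr; v < num_varbinds && written < slots; v++)
            cache[written++] = &placeholder;   /* never past slots */
    free(cache);
    return written;
}
```

A request of three varbinds with non-repeaters 1 and max-repetitions 10 yields 21 cached entries; a max-repetitions that pushes the total past the cap is refused before any allocation happens.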


Attached Files ( 2 )

Filename               | Description
vendor-ZDI-CAN-395.txt | Full Advisory
patch-2205039          | Patch to enforce that no overflow occurs

Changes ( 10 )

Field         | Old Value                                                | Date             | By
close_date    | -                                                        | 2008-11-01 00:01 | tanders
resolution_id | None                                                     | 2008-11-01 00:01 | tanders
priority      | 9                                                        | 2008-11-01 00:01 | tanders
summary       | Net-SNMP SNMPD GETBULK max-repetitions Denial of Service | 2008-11-01 00:01 | tanders
is_private    | 1                                                        | 2008-11-01 00:01 | tanders
status_id     | Open                                                     | 2008-11-01 00:01 | tanders
priority      | 5                                                        | 2008-10-28 23:09 | tanders
is_private    | 0                                                        | 2008-10-28 23:09 | tanders
File Added    | 299341: patch-2205039                                    | 2008-10-28 22:58 | magfr
File Added    | 299311: vendor-ZDI-CAN-395.txt                           | 2008-10-28 18:58 | zdi-disclosures