Whilst backporting the initgroups feature from commit a1cb2fcf to an ancient version of ucd-snmp,
it was noted that the call to getpwuid() on line 1059 of snmpd.c has no explicit error handling
for cases where the pointer info is set to 0.
This issue is present in net-snmp at the git head on master.
Our security reviewer had the following to say:
This ignores the failure of getpwuid.
Can that happen? getpwnam has to have succeeded, which you might think means the
subsequent getpwuid must also succeed. But:
1. Suppose the user is deleted between the two calls. Well, that's pretty unlikely, and only a
privileged user can do it in any case. So a bit unlikely!
2. Suppose user info comes from LDAP or NIS, and we lose connectivity to the server between
the two calls. An attacker with sufficient network access might actually be able to achieve that.

What are the effects of it happening? The process will proceed with root's set of additional
groups, perhaps giving it access to things it shouldn't have, i.e. a privilege escalation.

So I think we should report an error and exit in this case, just as for initgroups failing.
That makes sense. Do you have a patch for it already?
Yes, we apply a patch (attached) to the v5.7.3 source archive, though we apply other patches first, which have come from the v5.7.3-patches branch. We patch at -p1; you might need to increase the strip level.
Last edit: Darren Long 2016-06-28