Date: Thu, 13 Nov 2008 13:59:09 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/128837: [vuxml] net-mgmt/net-snmp and net-mgmt/net-snmp53: CVE-2008-4309
Message-ID: <20081113105909.ED4181AF419@void.codelabs.ru>
Resent-Message-ID: <200811131100.mADB0BZV023342@freefall.freebsd.org>

>Number:         128837
>Category:       ports
>Synopsis:       [vuxml] net-mgmt/net-snmp and net-mgmt/net-snmp53: CVE-2008-4309
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 13 11:00:11 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

Denial of Service for certain versions of agents from net-snmp
packages.  Citing http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4309:
-----
Integer overflow in the netsnmp_create_subtree_cache function in
agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3,
and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of
service (crash) via a crafted SNMP GETBULK request, which triggers a
heap-based buffer overflow, related to the number of responses or
repeats.
-----

>How-To-Repeat:

Look at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4309
and references therein.

>Fix:

The following VuXML entry for this issue should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="">
    <topic>net-snmp -- Denial of Service for SNMP agent via crafted GETBULK request</topic>
    <affects>
      <package>
        <name>net-snmp</name>
        <range><lt>5.4.2.1</lt></range>
      </package>
      <package>
        <name>net-snmp53</name>
        <range><lt>5.3.2.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Wes Hardaker reports through sourceforge.net forum:</p>
        <blockquote cite="http://sourceforge.net/forum/forum.php?forum_id=882903">
          <p>SECURITY ISSUE: A bug in the getbulk handling code could
            let anyone with even minimal access crash the agent.  If you
            have open access to your snmp agents (bad bad bad; stop doing
            that!) or if you don't trust everyone that does have access to
            your agents you should updated immediately to prevent
            potential denial of service attacks.</p>
        </blockquote>
        <p>Description at cve.mitre.org additionally clarifies:</p>
        <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4309">
          <p>Integer overflow in the netsnmp_create_subtree_cache
            function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1,
            5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote
            attackers to cause a denial of service (crash) via a crafted
            SNMP GETBULK request, which triggers a heap-based buffer
            overflow, related to the number of responses or repeats.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-4309</cvename>
      <url>http://sourceforge.net/forum/forum.php?forum_id=882903</url>
      <url>http://www.openwall.com/lists/oss-security/2008/10/31/1</url>
      <url>http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/tags/Ext-5-2-5-1/net-snmp/agent/snmp_agent.c?r1=17271&amp;r2=17272&amp;pathrev=17272</url>
    </references>
    <dates>
      <discovery>2008-10-31</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---

Additionally, it will be very interesting if net-mgmt/net-snmp4 is
vulnerable.  I assume that 5.x was grown from the UCD's implementation,
so it can share the common code.  Currently I have no time to look at
this, but if I do, I will report it as a follow-up.

>Release-Note:
>Audit-Trail:
>Unformatted:
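
How the <affects> ranges in the entry above decide whether an installed package is flagged, as an added example that is not part of the original message or of FreeBSD's own audit tooling. The version comparison is a simplified assumption (dotted numeric versions with optional _PORTREVISION and ,PORTEPOCH), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <affects> part of the entry above, trimmed to what
# the check needs. The full vuln.xml file declares an XML namespace on its
# root element; this excerpt, like the entry in the message, has none.
VULN_XML = """<vuln vid="">
  <affects>
    <package><name>net-snmp</name><range><lt>5.4.2.1</lt></range></package>
    <package><name>net-snmp53</name><range><lt>5.3.2.3</lt></range></package>
  </affects>
</vuln>"""

# VuXML bound elements, as predicates on the result of compare(installed, bound).
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def version_key(version):
    """Assumption: 'N.N.N[_REVISION][,EPOCH]' with numeric parts only.
    Epoch outranks the version, which outranks the port revision.
    Non-numeric components raise ValueError instead of being guessed at."""
    rest, _, epoch = version.partition(",")
    base, _, revision = rest.partition("_")
    return int(epoch or 0), [int(p) for p in base.split(".")], int(revision or 0)

def compare(a, b):
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)

def affected(vuln_xml, name, version):
    """True if (name, version) falls inside any <range> listed for that package."""
    root = ET.fromstring(vuln_xml)
    for pkg in root.iter("package"):
        if name not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            # All bounds inside one <range> must hold; separate ranges are alternatives.
            if all(OPS[b.tag](compare(version, b.text)) for b in rng):
                return True
    return False

if __name__ == "__main__":
    installed = [("net-snmp", "5.4.2"), ("net-snmp", "5.4.2.1_1"),
                 ("net-snmp53", "5.3.2.2_1"), ("net-snmp4", "4.2.6")]
    for pkg, ver in installed:
        state = "AFFECTED" if affected(VULN_XML, pkg, ver) else "not listed/fixed"
        print(f"{pkg}-{ver}: {state}")
```

net-snmp4 comes back as not matched because the entry does not list it, which is the open question the message closes with, not evidence that it is unaffected.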