Bug 1174821 (CVE-2020-15861)

Summary: VUL-0: CVE-2020-15861: net-snmp: privilege escalation to root when snmp-mibs-downloader is used
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Alexander Bergmann <abergmann>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: abergmann, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/264628/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-15861:7.1:(AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2020-08-03 09:17:16 UTC

In combination with the *snmp-mibs-downloader package* this protection can be bypassed and it is possible for this account to elevate permissions to the root user.

Upstream Issue:


Upstream Commit:


Comment 2 Alexander Bergmann 2020-09-02 10:24:30 UTC

The snmpd under SLE is running as the root user. As the daemon is already running as root, elevating permissions to the root user is not possible. Therefore we are not affected.

Furthermore, the *snmp-mibs-downloader package* is not available via the SLE repositories and must be installed manually by the administrator.