Bug 866942 - (CVE-2014-2284) VUL-0: CVE-2014-2284, CVE-2014-2285: net-snmp: two remote denial of service problems
(CVE-2014-2284)
VUL-0: CVE-2014-2284, CVE-2014-2285: net-snmp: two remote denial of service p...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/96779/
maint:released:sle10-sp3:56662 maint...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-05 15:26 UTC by Marcus Meissner
Modified: 2018-10-19 18:17 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-03-05 15:26:22 UTC
via oss-sec


Date: Wed, 05 Mar 2014 14:07:27 +0530
From: Huzaifa Sidhpurwala <huzaifas@redhat.com>
Subject: [oss-security] CVE request for two net-snmp remote DoS flaws

Hi All,

Two remote denial of service flaws were found in net-snmp details as below:

1. net-snmp: denial of service flaw in Linux implementation of ICMP-MIB
https://bugzilla.redhat.com/show_bug.cgi?id=1070396
http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/

2.net-snmp: snmptrapd crash when using a trap with empty community string
https://bugzilla.redhat.com/show_bug.cgi?id=1072778
https://bugzilla.redhat.com/show_bug.cgi?id=1072044
http://sourceforge.net/p/net-snmp/patches/1275/

Can 2 CVE be please assigned to these issues?


References:
http://comments.gmane.org/gmane.comp.security.oss.general/12284
http://sourceforge.net/p/net-snmp/patches/1275/
https://bugzilla.redhat.com/show_bug.cgi?id=1072778
https://bugzilla.redhat.com/show_bug.cgi?id=1072044
https://bugzilla.redhat.com/show_bug.cgi?id=1070396
Comment 1 Marcus Meissner 2014-03-05 15:29:00 UTC
(1) does only affect the net-snmp 5.5 series ... so it does not affect SLE11.

(2) seems to affect SLE11 and potential older versions.
Comment 2 Swamp Workflow Management 2014-03-05 23:00:48 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-03-06 06:26:40 UTC
from mitre

> 1. net-snmp: denial of service flaw in Linux implementation of ICMP-MIB

> https://bugzilla.redhat.com/show_bug.cgi?id=1070396
> http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/

A first look at the patch suggests that it's about missing input
validation, and not also about independently exploitable off-by-one
errors in the sizes of data structures. In other words, although
something like:

  - struct icmp_msg_mib vals[255];
  + struct icmp_msg_mib vals[256];

would often be an independent security fix (255 is an unusual size),
here it's not a security fix relative to the original code. If other
analysis shows that that's incorrect, we'll add another CVE ID.

Use CVE-2014-2284 for the missing input validation.


> 2. net-snmp: snmptrapd crash when using a trap with empty community string
> https://bugzilla.redhat.com/show_bug.cgi?id=1072778
> https://bugzilla.redhat.com/show_bug.cgi?id=1072044
> http://sourceforge.net/p/net-snmp/patches/1275/

Use CVE-2014-2285.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
Comment 4 Alexander Bergmann 2014-03-10 08:48:15 UTC
SLE11 is also affected by (1). The functionality was back-ported in 2008.

Patch: Add-ICMP-Statistics-Tables-support.patch
Comment 5 Bernhard Wiedemann 2014-03-10 18:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (866942) was mentioned in
https://build.opensuse.org/request/show/225494 12.3 / net-snmp
https://build.opensuse.org/request/show/225495 13.1 / net-snmp
Comment 7 Swamp Workflow Management 2014-03-14 07:27:29 UTC
The SWAMPID for this issue is 56659.
This issue was rated as moderate.
Please submit fixed packages until 2014-03-28.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 8 SMASH SMASH 2014-03-14 07:30:15 UTC
Affected packages:

SLE-11-SP3: net-snmp
SLE-10-SP3-TERADATA: net-snmp
SLE-11-SP2: net-snmp
Comment 9 Alexander Bergmann 2014-03-14 13:20:13 UTC
Info: The reproducer for issue (2) from rhn#1072044 does not trigger the problem in openSUSE or SLE.
Comment 10 Swamp Workflow Management 2014-03-19 17:04:24 UTC
openSUSE-SU-2014:0398-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 866942
CVE References: CVE-2014-2284,CVE-2014-2285
Sources used:
openSUSE 13.1 (src):    net-snmp-5.7.2-9.4.1
openSUSE 12.3 (src):    net-snmp-5.7.2-3.8.1
Comment 11 Swamp Workflow Management 2014-03-19 19:04:27 UTC
openSUSE-SU-2014:0399-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 866942
CVE References: CVE-2014-2284,CVE-2014-2285
Sources used:
openSUSE 11.4 (src):    net-snmp-5.6.1-4.35.1
Comment 12 Alexander Bergmann 2014-04-09 09:49:10 UTC
CVE-2014-2284: ICMP-MIB potential remotely-triggerable denial of service attack
 * only a potential DoS problem. no reproducer.

CVE-2014-2285: snmptrapd crash when using a trap with empty community string 
 * The reproducer from rh#1072044 was not working for any SLE/openSUSE version.
 * The code was just extended with additional tests.
Comment 13 Swamp Workflow Management 2014-04-14 10:04:20 UTC
Update released for: net-snmp, net-snmp-devel, perl-SNMP
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 14 Swamp Workflow Management 2014-04-14 10:04:44 UTC
Update released for: libsnmp15, net-snmp, net-snmp-debuginfo, net-snmp-debugsource, net-snmp-devel, perl-SNMP, snmp-mibs
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 15 Swamp Workflow Management 2014-04-14 10:05:08 UTC
Update released for: net-snmp, net-snmp-debuginfo, net-snmp-devel, perl-SNMP
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 16 Swamp Workflow Management 2014-04-14 13:51:12 UTC
Update released for: libsnmp15, libsnmp15-32bit, libsnmp15-64bit, libsnmp15-x86, net-snmp, net-snmp-debuginfo, net-snmp-debugsource, net-snmp-devel, perl-SNMP, snmp-mibs
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 17 Alexander Bergmann 2014-04-14 15:50:43 UTC
Fixed and released. Closing bug.
Comment 18 Swamp Workflow Management 2014-04-14 17:04:36 UTC
SUSE-SU-2014:0524-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 866942,867349
CVE References: CVE-2014-2284,CVE-2014-2310
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    net-snmp-5.4.2.1-8.12.20.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    net-snmp-5.4.2.1-8.12.20.1
SUSE Linux Enterprise Server 11 SP3 (src):    net-snmp-5.4.2.1-8.12.20.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    net-snmp-5.4.2.1-8.12.20.1
Comment 20 Bernhard Wiedemann 2014-05-16 19:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (866942) was mentioned in
https://build.opensuse.org/request/show/234356 Factory / net-snmp
Comment 21 Bernhard Wiedemann 2014-05-17 19:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (866942) was mentioned in
https://build.opensuse.org/request/show/234469 Factory / net-snmp