RHSA-2013:0124

48938

59974

http://support.citrix.com/article/CTX139049

GLSA-201409-02

[oss-security] 20120426 CVE Request -- net-snmp: Array index error, leading to out-of heap-based buffer read (snmpd crash)

[oss-security] 20120426 Re: CVE Request -- net-snmp: Array index error, leading to out-of heap-based buffer read (snmpd crash)

53255

53258

1026984

https://bugzilla.redhat.com/show_bug.cgi?id=815813

netsnmp-snmpget-dos(75169)

The remote Solaris system is missing necessary patches to address security updates :

  - The perl_trapd_handler function in     perl/TrapReceiver/TrapReceiver.xs in Net-SNMP 5.7.3.pre3     and earlier, when using certain Perl versions, allows     remote attackers to cause a denial of service (snmptrapd     crash) via an empty community string in an SNMP trap,     which triggers a NULL pointer dereference within the     newSVpv function in Perl. (CVE-2014-2285)

  - snmplib/mib.c in net-snmp 5.7.0 and earlier, when the

    -OQ option is used, allows remote attackers to cause a     denial of service (snmptrapd crash) via a crafted SNMP     trap message, which triggers a conversion to the     variable type designated in the MIB file, as     demonstrated by a NULL type in an ifMtu trap message.
    (CVE-2014-3565)

Array index error in the handle_nsExtendOutput2Table function in agent/mibgroup/agent/extend.c in Net-SNMP 5.7.1 allows remote authenticated users to cause a denial of service (out-of-bounds read and snmpd crash) via an SNMP GET request for an entry not in the extension table. (CVE-2012-2141)

The remote host is affected by the vulnerability described in GLSA-201409-02 (Net-SNMP: Denial of Service)

    Multiple vulnerabilities have been discovered in Net-SNMP. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could create a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

SNMP GET request involving on a non-existent extension table entry could crash snmpd

The remote Citrix NetScaler version is affected by multiple vulnerabilities :

  - A denial of service vulnerability in the VM Virtual     Machine Daemon. Please note that this particular     vulnerability does not apply to Citrix NetScaler 10.1.
    (CVE-2013-6938)

  - A denial of service vulnerability in the Application     Delivery Controller RADIUS authentication.
    (CVE-2013-6939)

  - An authenticated denial of service in the SNMP     daemon. (CVE-2012-2142)

  - An unspecified authentication disclosure in the     Application Delivery Controller. (CVE-2013-6940)

  - An unspecified shell breakout in the Application     Delivery Controller firmware. (CVE-2013-6941)

  - An unspecified LDAP username injection vulnerability     in the Application Delivery Controller.
    (CVE-2013-6943)

  - A cross-site scripting vulnerability in the AAA TM     vServer user interface. (CVE-2013-6944)

An array index error, leading to an out-of-bounds buffer read flaw, was found in the way the net-snmp agent looked up entries in the extension table. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the 'extend' directive (in '/etc/snmp/snmpd.conf') could use this flaw to crash snmpd via a crafted SNMP GET request. (CVE-2012-2141)

From Red Hat Security Advisory 2013:0124 :

Updated net-snmp packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

These packages provide various libraries and tools for the Simple Network Management Protocol (SNMP).

An out-of-bounds buffer read flaw was found in the net-snmp agent. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the 'extend' directive (in '/etc/snmp/snmpd.conf') could use this flaw to crash snmpd via a crafted SNMP GET request. (CVE-2012-2141)

Bug fixes :

* Devices that used certain file systems were not reported in the 'HOST-RESOURCES-MIB::hrStorageTable' table. As a result, the snmpd daemon did not recognize devices using tmpfs, ReiserFS, and Oracle Cluster File System (OCFS2) file systems. This update recognizes these devices and reports them in the 'HOST-RESOURCES-MIB::hrStorageTable' table. (BZ#754652, BZ#755958, BZ#822061)

* The snmptrapd (8) man page did not correctly describe how to load multiple configuration files using the '-c' option. This update describes correctly that multiple configuration files must be separated by a comma. (BZ#760001)

* Integers truncated from 64 to 32-bit were not correctly evaluated.
As a consequence, the snmpd daemon could enter an endless loop when encoding the truncated integers to network format. This update modifies the underlying code so that snmpd correctly checks truncated 64-bit integers. Now, snmpd avoids an endless loop. (BZ#783892)

* snmpd did not correctly check for interrupted system calls when enumerating existing IPv6 network prefixes during startup. As a consequence, snmpd could prematurely exit when receiving a signal during this enumeration. This update checks the network prefix enumeration code for interrupted system calls. Now, snmpd no longer terminates when a signal is received. (BZ#799699)

* snmpd used the wrong length of COUNTER64 values in the AgentX protocol. As a consequence, snmpd could not decode two consecutive COUNTER64 values in one AgentX packet. This update uses the correct COUNTER64 size and can process two or mode COUNTER64 values in AgentX communication. (BZ#803585)

* snmpd ignored the '-e' parameter of the 'trapsess' option in the snmpd configuration file. As a result, outgoing traps were incorrectly sent with the default EngineID of snmpd when configuring 'trapsess' with an explicit EngineID. This update modifies the underlying code to send outgoing traps using the EngineID as specified in the 'trapsess
-e' parameter in the configuration file. (BZ#805689)

* snmpd did not correctly encode negative Request-IDs in outgoing requests, for example during trap operations. As a consequence, a 32-bit value could be encoded in 5 bytes instead of 4, and the outgoing requests were refused by certain implementations of the SNMP protocol as invalid. With this update, a Request-ID can no longer become negative and is always encoded in 4 bytes. (BZ#818259)

* snmpd ignored the port number of the 'clientaddr' option when specifying the source address of outgoing SNMP requests. As a consequence, the system assigned a random address. This update allows to specify both the port number and the source IP address in the 'clientaddr' option. Now, administrators can increase security with firewall rules and Security-Enhanced Linux (SELinux) policies by configuring a specific source port of outgoing traps and other requests. (BZ#828691)

* snmpd did not correctly process responses to internal queries when initializing monitoring enabled by the 'monitor' option in the '/etc/snmp/snmpd.conf' configuration file. As a consequence, snmpd was not fully initialized and the error message 'failed to run mteTrigger query' appeared in the system log 30 seconds after the snmpd startup.
This update explicitly checks for responses to internal monitoring queries. (BZ#830042)

Users of net-snmp should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the snmpd and snmptrapd daemons will be restarted automatically.

From Red Hat Security Advisory 2012:0876 :

Updated net-snmp packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.

An array index error, leading to an out-of-bounds buffer read flaw, was found in the way the net-snmp agent looked up entries in the extension table. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the 'extend' directive (in '/etc/snmp/snmpd.conf') could use this flaw to crash snmpd via a crafted SNMP GET request. (CVE-2012-2141)

These updated net-snmp packages also include numerous bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.3 Technical Notes for information on the most significant of these changes.

All users of net-snmp are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
After installing the update, the snmpd and snmptrapd daemons will be restarted automatically.

A vulnerability has been discovered and corrected in net-snmp :

An array index error, leading to out-of heap-based buffer read flaw was found in the way net-snmp agent performed entries lookup in the extension table. When certain MIB subtree was handled by the extend directive, a remote attacker having read privilege to the subtree could use this flaw to cause a denial of service (snmpd crash) via SNMP GET request involving a non-existent extension table entry (CVE-2012-2141).

The updated packages have been patched to correct this issue.

This update to net-snmp resolves the following issues :

  - Specially crafted SNMP GET requests could cause a denial     of service (application crash) via a heap-based     out-out-bounds read flaw which could be exploited     remotely. (CVE-2012-2141)

  - The snmpd agent should read shared memory information     from /proc/meminfo when running on Linux Kernel 2.6 or     newer. (bnc#762887)

  - The snmpd agent could crash when an AgentX sub-agent     disconnects in the middle of a request. (bnc#670789)

  - After rotating the net-snmp log file, use 'try-restart'     to restart the daemon. Reloading with a SIGHUP signal     may trigger crashes when dynamic modules (dlmod) are in     use. (bnc#762433)

An out-of-bounds buffer read flaw was found in the net-snmp agent. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the 'extend' directive (in '/etc/snmp/snmpd.conf') could use this flaw to crash snmpd via a crafted SNMP GET request. (CVE-2012-2141)

Bug fixes :

  - Devices that used certain file systems were not reported     in the 'HOST- RESOURCES-MIB::hrStorageTable' table. As a     result, the snmpd daemon did not recognize devices using     tmpfs, ReiserFS, and Oracle Cluster File System (OCFS2)     file systems. This update recognizes these devices and     reports them in the 'HOST-RESOURCES-MIB::hrStorageTable'     table.

  - The snmptrapd (8) man page did not correctly describe     how to load multiple configuration files using the '-c'     option. This update describes correctly that multiple     configuration files must be separated by a comma.

  - Integers truncated from 64 to 32-bit were not correctly     evaluated. As a consequence, the snmpd daemon could     enter an endless loop when encoding the truncated     integers to network format. This update modifies the     underlying code so that snmpd correctly checks truncated     64-bit integers. Now, snmpd avoids an endless loop.

  - snmpd did not correctly check for interrupted system     calls when enumerating existing IPv6 network prefixes     during startup. As a consequence, snmpd could     prematurely exit when receiving a signal during this     enumeration. This update checks the network prefix     enumeration code for interrupted system calls. Now,     snmpd no longer terminates when a signal is received.

  - snmpd used the wrong length of COUNTER64 values in the     AgentX protocol. As a consequence, snmpd could not     decode two consecutive COUNTER64 values in one AgentX     packet. This update uses the correct COUNTER64 size and     can process two or mode COUNTER64 values in AgentX     communication.

  - snmpd ignored the '-e' parameter of the 'trapsess'     option in the snmpd configuration file. As a result,     outgoing traps were incorrectly sent with the default     EngineID of snmpd when configuring 'trapsess' with an     explicit EngineID. This update modifies the underlying     code to send outgoing traps using the EngineID as     specified in the 'trapsess -e' parameter in the     configuration file.

  - snmpd did not correctly encode negative Request-IDs in     outgoing requests, for example during trap operations.
    As a consequence, a 32-bit value could be encoded in 5     bytes instead of 4, and the outgoing requests were     refused by certain implementations of the SNMP protocol     as invalid. With this update, a Request-ID can no longer     become negative and is always encoded in 4 bytes.

  - snmpd ignored the port number of the 'clientaddr' option     when specifying the source address of outgoing SNMP     requests. As a consequence, the system assigned a random     address. This update allows to specify both the port     number and the source IP address in the 'clientaddr'     option. Now, administrators can increase security with     firewall rules and Security-Enhanced Linux (SELinux)     policies by configuring a specific source port of     outgoing traps and other requests.

  - snmpd did not correctly process responses to internal     queries when initializing monitoring enabled by the     'monitor' option in the '/etc/snmp/snmpd.conf'     configuration file. As a consequence, snmpd was not     fully initialized and the error message 'failed to run     mteTrigger query' appeared in the system log 30 seconds     after the snmpd startup. This update explicitly checks     for responses to internal monitoring queries.

After installing the update, the snmpd and snmptrapd daemons will be restarted automatically.

Updated net-snmp packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

These packages provide various libraries and tools for the Simple Network Management Protocol (SNMP).

An out-of-bounds buffer read flaw was found in the net-snmp agent. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the 'extend' directive (in '/etc/snmp/snmpd.conf') could use this flaw to crash snmpd via a crafted SNMP GET request. (CVE-2012-2141)

Bug fixes :

* Devices that used certain file systems were not reported in the 'HOST-RESOURCES-MIB::hrStorageTable' table. As a result, the snmpd daemon did not recognize devices using tmpfs, ReiserFS, and Oracle Cluster File System (OCFS2) file systems. This update recognizes these devices and reports them in the 'HOST-RESOURCES-MIB::hrStorageTable' table. (BZ#754652, BZ#755958, BZ#822061)

* The snmptrapd (8) man page did not correctly describe how to load multiple configuration files using the '-c' option. This update describes correctly that multiple configuration files must be separated by a comma. (BZ#760001)

* Integers truncated from 64 to 32-bit were not correctly evaluated.
As a consequence, the snmpd daemon could enter an endless loop when encoding the truncated integers to network format. This update modifies the underlying code so that snmpd correctly checks truncated 64-bit integers. Now, snmpd avoids an endless loop. (BZ#783892)

* snmpd did not correctly check for interrupted system calls when enumerating existing IPv6 network prefixes during startup. As a consequence, snmpd could prematurely exit when receiving a signal during this enumeration. This update checks the network prefix enumeration code for interrupted system calls. Now, snmpd no longer terminates when a signal is received. (BZ#799699)

* snmpd used the wrong length of COUNTER64 values in the AgentX protocol. As a consequence, snmpd could not decode two consecutive COUNTER64 values in one AgentX packet. This update uses the correct COUNTER64 size and can process two or mode COUNTER64 values in AgentX communication. (BZ#803585)

* snmpd ignored the '-e' parameter of the 'trapsess' option in the snmpd configuration file. As a result, outgoing traps were incorrectly sent with the default EngineID of snmpd when configuring 'trapsess' with an explicit EngineID. This update modifies the underlying code to send outgoing traps using the EngineID as specified in the 'trapsess
-e' parameter in the configuration file. (BZ#805689)

* snmpd did not correctly encode negative Request-IDs in outgoing requests, for example during trap operations. As a consequence, a 32-bit value could be encoded in 5 bytes instead of 4, and the outgoing requests were refused by certain implementations of the SNMP protocol as invalid. With this update, a Request-ID can no longer become negative and is always encoded in 4 bytes. (BZ#818259)

* snmpd ignored the port number of the 'clientaddr' option when specifying the source address of outgoing SNMP requests. As a consequence, the system assigned a random address. This update allows to specify both the port number and the source IP address in the 'clientaddr' option. Now, administrators can increase security with firewall rules and Security-Enhanced Linux (SELinux) policies by configuring a specific source port of outgoing traps and other requests. (BZ#828691)

* snmpd did not correctly process responses to internal queries when initializing monitoring enabled by the 'monitor' option in the '/etc/snmp/snmpd.conf' configuration file. As a consequence, snmpd was not fully initialized and the error message 'failed to run mteTrigger query' appeared in the system log 30 seconds after the snmpd startup.
This update explicitly checks for responses to internal monitoring queries. (BZ#830042)

Users of net-snmp should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the snmpd and snmptrapd daemons will be restarted automatically.

The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.

An array index error, leading to an out-of-bounds buffer read flaw, was found in the way the net-snmp agent looked up entries in the extension table. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the 'extend' directive (in '/etc/snmp/snmpd.conf') could use this flaw to crash snmpd via a crafted SNMP GET request. (CVE-2012-2141)

These updated net-snmp packages also include numerous bug fixes.

All users of net-snmp are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
After installing the update, the snmpd and snmptrapd daemons will be restarted automatically.

This update to net-snmp resolves the following issues :

  - Specially crafted SNMP GET requests could cause a denial     of service (application crash) via a heap-based     out-out-bounds read flaw which could be exploited     remotely. (CVE-2012-2141)

  - After rotating the net-snmp log file, use 'try-restart'     to restart the daemon. Reloading with a SIGHUP signal     may trigger crashes when dynamic modules (dlmod) are in     use. (bnc#762433)

Updated net-snmp packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.

An array index error, leading to an out-of-bounds buffer read flaw, was found in the way the net-snmp agent looked up entries in the extension table. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the 'extend' directive (in '/etc/snmp/snmpd.conf') could use this flaw to crash snmpd via a crafted SNMP GET request. (CVE-2012-2141)

These updated net-snmp packages also include numerous bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.3 Technical Notes for information on the most significant of these changes.

All users of net-snmp are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
After installing the update, the snmpd and snmptrapd daemons will be restarted automatically.

It was discovered that Net-SNMP incorrectly performed entry lookups in the extension table. A remote attacker could send a specially crafted request and cause the SNMP server to crash, leading to a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Red Hat Security Response Team reports :

An array index error, leading to out-of heap-based buffer read flaw was found in the way the net-snmp agent performed lookups in the extension table. When certain MIB subtrees were handled by the extend directive, a remote attacker (having read privileges to the subntree) could use this flaw to cause a denial of service condition via an SNMP GET request involving a non-existent extension table entry.

ID	Name	Product	Family	Severity
80708	Oracle Solaris Third-Party Patch Update : net-snmp (cve_2012_2141_denial_of)	Nessus	Solaris Local Security Checks	medium
79605	F5 Networks BIG-IP : Net-SNMP vulnerability (K15883)	Nessus	F5 Networks Local Security Checks	low
77471	GLSA-201409-02 : Net-SNMP: Denial of Service	Nessus	Gentoo Local Security Checks	medium
74638	openSUSE Security Update : net-snmp (openSUSE-SU-2012:0659-1)	Nessus	SuSE Local Security Checks	low
73205	Citrix NetScaler Application Delivery Controller Multiple Vulnerabilities	Nessus	Misc.	critical
69704	Amazon Linux AMI : net-snmp (ALAS-2012-97)	Nessus	Amazon Linux Local Security Checks	low
68695	Oracle Linux 5 : net-snmp (ELSA-2013-0124)	Nessus	Oracle Linux Local Security Checks	low
68556	Oracle Linux 6 : net-snmp (ELSA-2012-0876)	Nessus	Oracle Linux Local Security Checks	low
66063	Mandriva Linux Security Advisory : net-snmp (MDVSA-2013:049)	Nessus	Mandriva Local Security Checks	low
64194	SuSE 11.1 Security Update : net-snmp (SAT Patch Number 6517)	Nessus	SuSE Local Security Checks	low
63600	Scientific Linux Security Update : net-snmp on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	low
63569	CentOS 5 : net-snmp (CESA-2013:0124)	Nessus	CentOS Local Security Checks	low
63407	RHEL 5 : net-snmp (RHSA-2013:0124)	Nessus	Red Hat Local Security Checks	low
61342	Scientific Linux Security Update : net-snmp on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	low
60060	SuSE 10 Security Update : net-snmp (ZYPP Patch Number 8153)	Nessus	SuSE Local Security Checks	low
59927	CentOS 6 : net-snmp (CESA-2012:0876)	Nessus	CentOS Local Security Checks	low
59653	Mandriva Linux Security Advisory : net-snmp (MDVSA-2012:099)	Nessus	Mandriva Local Security Checks	low
59592	RHEL 6 : net-snmp (RHSA-2012:0876)	Nessus	Red Hat Local Security Checks	low
59254	Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : net-snmp vulnerability (USN-1450-1)	Nessus	Ubuntu Local Security Checks	low
58889	FreeBSD : net-snmp -- Remote DoS (5d85976a-9011-11e1-b5e0-000c299b62e1)	Nessus	FreeBSD Local Security Checks	low

CVE-2012-2141

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins