CVE-2022-44792: NULL Pointer Exception when handling ipDefaultTTL · Issue #474 · net-snmp/net-snmp
handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.
handle_ipDefaultTTL() in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP from 5.8 to the latest (5.9.3) version has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. The PoC is here.
After sending an SNMPSET packet with a varlist [1.3.6.1.2.1.4.2.0, NULL], the snmpd daemon handles the packet with handle_ipDefaultTTL(), in which requests->requestvb->val.integer references the val pointer that is NULL. Then the snmpd daemon crashes due to a segmentation fault.
To fix this vulnerability, a check should be performed before dereferencing, like `if (!requests->requestvb->val.integer) { return SNMP_ERR_GENERR; }`.
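The crash and the fix described above, reduced to a self-contained C sketch. This is an added illustration, not Net-SNMP's own code: the `varbind`/`request` structs, the `ip_default_ttl` variable and both handler functions are constructed stand-ins for the agent's `netsnmp_variable_list`/`netsnmp_request_info` types, kept only as detailed as the check needs, and the error constants carry the standard SNMP values. The unchecked handler shows the shape that dereferences `val.integer` blindly; the checked one rejects a NULL value (and a wrong type or out-of-range TTL) with `SNMP_ERR_GENERR` before touching the pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins (not the real net-snmp headers). */
#define SNMP_ERR_NOERROR 0
#define SNMP_ERR_GENERR  5
#define ASN_INTEGER      0x02

typedef struct varbind {
    unsigned char type;      /* ASN.1 type carried in the SET varbind */
    union {
        long *integer;       /* NULL when the varbind carried a NULL value */
    } val;
} varbind;

typedef struct request {
    varbind *requestvb;
} request;

/* Agent-side state the scalar writes to (constructed). */
static long ip_default_ttl = 64;

long current_ttl(void) { return ip_default_ttl; }

/* Vulnerable shape: a SET with a NULL value reaches this dereference and
 * the agent segfaults. Kept for comparison; never called on NULL here. */
int handle_ipDefaultTTL_unchecked(request *req)
{
    ip_default_ttl = *req->requestvb->val.integer;
    return SNMP_ERR_NOERROR;
}

/* Hardened shape: validate the varbind before dereferencing anything. */
int handle_ipDefaultTTL_checked(request *req)
{
    varbind *vb = req ? req->requestvb : NULL;
    long ttl;

    if (vb == NULL || vb->type != ASN_INTEGER || vb->val.integer == NULL)
        return SNMP_ERR_GENERR;          /* no value to apply, no crash */

    ttl = *vb->val.integer;
    if (ttl < 1 || ttl > 255)            /* IP TTL is an 8-bit field */
        return SNMP_ERR_GENERR;

    ip_default_ttl = ttl;
    return SNMP_ERR_NOERROR;
}

int main(void)
{
    long good = 100;
    varbind ok  = { ASN_INTEGER, { &good } };   /* well-formed SET */
    varbind nul = { ASN_INTEGER, { NULL } };    /* the crashing varlist */
    request r_ok  = { &ok };
    request r_nul = { &nul };

    printf("valid SET   -> %d, ttl=%ld\n",
           handle_ipDefaultTTL_checked(&r_ok), current_ttl());
    printf("NULL value  -> %d, ttl=%ld\n",
           handle_ipDefaultTTL_checked(&r_nul), current_ttl());
    return 0;
}
```

The type and range checks go beyond the one-line NULL test in the report; in the real agent the type check is normally done in the MODE_SET_RESERVE1 phase, but the point is the same: nothing in the request may be dereferenced until it has been shown to be present and well-formed.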
Hi, menglong2234, and thank you for this bug report. However, rather than saying that it is an unauthenticated attacker, it is more appropriate to say that it is someone with write credentials - your proof of concept does nothing unless the “private” community is configured for write access.
If there is a device with the “private” community configured for write access by default, it is appropriate to file a bug report with that device vendor - that is a severe configuration error.
I think you’re right, describing it as an unauthenticated attacker isn’t accurate. For version 2c, which does not lack security validation, you need to “guess” the field to be able to do that. XD
If you ask me, SNMPv1 and SNMPv2c should not be used except for experimentation in isolated networks, even for read-only use. When SET is involved, it is even more important to use the strong authentication available in SNMPv3.
You are right, only SNMPv3 should be used in real production environments. However, the fact is there are a large number of devices deployed with v1 and v2c, and my team still used v2c directly on devices with public IPs a few years ago for configuration convenience. It really shouldn’t continue to be done that way haha.
Related news
An update for net-snmp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-44792: A vulnerability was found in Net-SNMP. This issue occurs because the handle_ipDefaultTTL function in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP has a NULL Pointer Exception flaw that allows a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in a denial of service. * CVE-2022-44793: ...
An update for net-snmp is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-44792: A vulnerability was found in Net-SNMP. This issue occurs because the handle_ipDefaultTTL function in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP has a NULL Pointer Exception flaw that allows a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in a denial of service. * CVE-2022-44793: ...
Ubuntu Security Notice 5795-2 - USN-5795-1 and 5543-1 fixed several vulnerabilities in Net-SNMP. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that Net-SNMP incorrectly handled certain requests. A remote attacker could possibly use these issues to cause Net-SNMP to crash, resulting in a denial of service.
Ubuntu Security Notice 5795-1 - It was discovered that Net-SNMP incorrectly handled certain requests. A remote attacker could possibly use these issues to cause Net-SNMP to crash, resulting in a denial of service.