Net-SNMP: Denial of Service

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200901-15 / net-snmp
Release Date: January 21, 2009
Latest Revision: January 21, 2009: 01
Impact: normal
Exploitable: remote

Package: net-analyzer/net-snmp
Vulnerable versions: < 5.4.2.1
Unaffected versions: >= 5.4.2.1
Architecture(s): All supported architectures

Related bugreports: #245306

Synopsis

A vulnerability in Net-SNMP could lead to a Denial of Service.

2.  Impact Information

Background

Net-SNMP is a collection of tools for generating and retrieving SNMP data.

Description

Oscar Mira-Sanchez reported an integer overflow in the netsnmp_create_subtree_cache() function in agent/snmp_agent.c when processing GETBULK requests.
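
The class of bug described above, as an added example that is not Net-SNMP source and not part of the advisory: a GETBULK request carries a requester-chosen max-repetitions count (RFC 3416), and sizing a buffer from such a count with unchecked 32-bit arithmetic can wrap. The function names, SLOT_SIZE and both limits are assumptions for illustration; the advisory does not show how the affected function computes its size.

```c
/* Added illustration; not Net-SNMP source. All names and limits are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SLOT_SIZE      8u       /* assumed size of one cache slot, in bytes */
#define MAX_REPS_LIMIT 1024u    /* assumed policy cap on max-repetitions */
#define MAX_SLOTS      65536u   /* assumed policy cap on total cache slots */

/* Unchecked sizing: the 32-bit product wraps for large requester-supplied
 * counts, so the computed size is far smaller than the slots used later. */
static uint32_t naive_cache_bytes(uint32_t repeaters, uint32_t max_reps)
{
    return repeaters * max_reps * SLOT_SIZE;
}

/* Checked sizing: clamp the requester-controlled count, multiply in a wider
 * type, and reject anything above the slot budget.
 * Returns 0 and sets *out_bytes on success, -1 if the request is rejected. */
static int checked_cache_bytes(uint32_t repeaters, uint32_t max_reps,
                               size_t *out_bytes)
{
    uint64_t slots;

    if (max_reps > MAX_REPS_LIMIT)
        max_reps = MAX_REPS_LIMIT;
    slots = (uint64_t)repeaters * max_reps;  /* two 32-bit values fit in 64 bits */
    if (slots > MAX_SLOTS)
        return -1;
    *out_bytes = (size_t)(slots * SLOT_SIZE);
    return 0;
}

int main(void)
{
    size_t bytes = 0;

    /* Constructed input: 2 repeating varbinds, max-repetitions = 2^28. */
    printf("naive:   %u bytes\n", (unsigned)naive_cache_bytes(2u, 0x10000000u));
    if (checked_cache_bytes(2u, 0x10000000u, &bytes) == 0)
        printf("checked: %zu bytes\n", bytes);
    /* Constructed input: repeater count far above the slot budget. */
    if (checked_cache_bytes(0xFFFFFFFFu, 1024u, &bytes) != 0)
        printf("checked: oversized request rejected\n");
    return 0;
}
```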

Impact

A remote attacker could send a specially crafted request to crash the SNMP server. NOTE: The attacker needs to know the community string to exploit this vulnerability.

3.  Resolution Information

Workaround

Restrict access to trusted entities only.

Resolution

All Net-SNMP users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.2.1"

4.  References



Updated January 21, 2009

Summary: This is a Gentoo Linux Security Advisory

Security Team

Copyright 2001-2009 Gentoo Foundation, Inc.