I sent the following email nearly 48 hours ago to <email address hidden> and have received no response or even an acknowledgment, so I'm following up as a comment to this bug. (I also sent the bug to Debian's <email address hidden>, but it never made it through to the archives, so I just added a comment to Debian's bug #516801.)
I'll attach the below referenced patch to this bug (#331410).
SUMMARY
-------
snmpd in lucid (5.4.2.1~dfsg0ubuntu1-0ubuntu2) is vulnerable to
CVE-2008-6123 contrary to what its changelog says.
The attached patch was applied to the aforementioned version, compiled in a
pbuilder lucid chroot (on lenny), and the resulting packages (libsnmp-base,
libsnmp15, snmp, snmpd) were successfully tested on lucid-i386.
I also downloaded sid's 5.4.2.1~dfsg-5 source and it appears to be
vulnerable based on its snmplib/snmpUDPDomain.c and the lack of any
applicable patch(es) in debian/patches.
BACKGROUND
----------
I recently upgraded a netbook from hardy to lucid by installing lucid to a
new hard drive and copying/merging the old configuration. After installing
snmpd and merging/copying the associated configuration files
(/etc/default/snmpd, /etc/snmp/snmpd.conf, /etc/hosts.allow,
& /etc/hosts.deny) it rejected connections from my cacti installation
residing on the network (the only IP allowed to connect to it based on the
tcp-wrapper's ACL). I also noticed that the syslog output was incorrect:
snmpd[$PID]: Connection from UDP: [$LOCAL_IP]->[$REMOTE_IP]:-13093 REFUSED
Yes, the remote port is negative due to "%hd" in the packages'
snmplib/snmpUDPDomain.c, but is "%hu" upstream and fixed in the attached
patch.
PROBLEM
-------
snmpd improperly applies tcp-wrapper ACLs because it calls tcp-wrapper's
hosts_ctl (see netsnmp_agent_check_packet() in agent/snmp_agent.c) with its
local IP address as the "client_addr" (instead of the snmp client's remote
IP address) because of incorrect string assembly (see netsnmp_udp_fmtaddr()
in snmplib/snmpUDPDomain.c).
SOLUTION
--------
Searching for snmpd bugs related to tcp wrappers, I found Debian bug
#516801. I downloaded and browsed the Ubuntu source package, reviewed
agent/snmp_agent.c where tcp-wrappers' hosts_ctl() is called, backtracked
to snmplib/snmpUDPDomain.c where the string is constructed that
snmp_agent.c deconstructs for hosts_ctl(), and verified that upstream's
CVE-2008-6123 patch for v5.4 is still applicable (though compensating for
"%hd" in Debian/Ubuntu source).
I added the patch to the package using quilt, rebuilt the package,
installed it, and it works correctly:
snmpd[$PID]: Connection from UDP: [$REMOTE_IP]:53735->[$LOCAL_IP]
REFERENCES
----------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17367
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/branches/V5-4-patches/net-snmp/snmplib/snmpUDPDomain.c?r1=17367&r2=17366&pathrev=17367
Thanks for providing the net-snmp packages!
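A self-contained model of the string round trip described in the PROBLEM and SOLUTION sections above, added here as an example; it is not code from net-snmp or from the Debian/Ubuntu package. Only the two address-string layouts quoted from syslog and the "%hd"/"%hu" difference come from the report. Everything else is assumed: a simplified parser in which the first bracketed address in the string is what reaches hosts_ctl(), a hosts.allow-style list with a single permitted client, and constructed sample addresses 192.0.2.10 (the snmpd host) and 192.0.2.20 (the cacti host).

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not net-snmp or Debian/Ubuntu code. The parser model
 * (text between the first '[' and the next ']'), the IP addresses, the
 * allow-list and the port below are assumptions and constructed values.
 */

#define ADDR_BUF 128

static const char LOCAL_IP[] = "192.0.2.10";  /* snmpd host (constructed) */
static const char CACTI_IP[] = "192.0.2.20";  /* only allowed client (constructed) */

/* Layout of lucid's snmplib/snmpUDPDomain.c: local endpoint first, "%hd". */
static void fmtaddr_buggy(char *out, size_t n, const char *local_ip,
                          const char *remote_ip, unsigned short remote_port)
{
    /* "%hd" renders the port as a signed short, so 52443 prints as -13093. */
    snprintf(out, n, "UDP: [%s]->[%s]:%hd", local_ip, remote_ip, remote_port);
}

/* Layout after upstream's CVE-2008-6123 fix: remote endpoint first, "%hu". */
static void fmtaddr_fixed(char *out, size_t n, const char *local_ip,
                          const char *remote_ip, unsigned short remote_port)
{
    snprintf(out, n, "UDP: [%s]:%hu->[%s]", remote_ip, remote_port, local_ip);
}

/*
 * Model (assumption) of how the agent recovers the client address for
 * hosts_ctl(): the first bracketed address in the string.
 * Returns 0 on success, -1 if the string has no bracketed address.
 */
static int extract_client(const char *addr_string, char *out, size_t n)
{
    const char *start = strchr(addr_string, '[');
    const char *end;
    size_t len;

    if (start == NULL)
        return -1;
    start++;
    end = strchr(start, ']');
    if (end == NULL)
        return -1;
    len = (size_t)(end - start);
    if (len >= n)
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Stand-in for a hosts.allow rule "snmpd: 192.0.2.20" (constructed). */
static int acl_allows(const char *client)
{
    return strcmp(client, CACTI_IP) == 0;
}

/*
 * Formats the address string in one of the two layouts and runs the ACL
 * check on the address the parser model recovers from it.
 * Returns 1 if the packet is accepted, 0 if REFUSED, -1 if unparseable.
 * The formatted string is left in addr_out for inspection.
 */
int check_packet(int use_fixed_layout, unsigned short remote_port,
                 char *addr_out, size_t n)
{
    char client[ADDR_BUF];

    if (use_fixed_layout)
        fmtaddr_fixed(addr_out, n, LOCAL_IP, CACTI_IP, remote_port);
    else
        fmtaddr_buggy(addr_out, n, LOCAL_IP, CACTI_IP, remote_port);

    if (extract_client(addr_out, client, sizeof client) != 0)
        return -1;
    return acl_allows(client);
}

/* Port 52443 is the value that "%hd" renders as the -13093 in the report. */
int buggy_layout_verdict(void)
{
    char a[ADDR_BUF];
    return check_packet(0, 52443, a, sizeof a);
}

int fixed_layout_verdict(void)
{
    char a[ADDR_BUF];
    return check_packet(1, 52443, a, sizeof a);
}

int buggy_layout_string_is(const char *expected)
{
    char a[ADDR_BUF];
    check_packet(0, 52443, a, sizeof a);
    return strcmp(a, expected) == 0;
}

int fixed_layout_string_is(const char *expected)
{
    char a[ADDR_BUF];
    check_packet(1, 52443, a, sizeof a);
    return strcmp(a, expected) == 0;
}

int main(void)
{
    char addr[ADDR_BUF];
    int verdict;

    verdict = check_packet(0, 52443, addr, sizeof addr);
    printf("%s -> %s\n", addr, verdict == 1 ? "accepted" : "REFUSED");
    verdict = check_packet(1, 52443, addr, sizeof addr);
    printf("%s -> %s\n", addr, verdict == 1 ? "accepted" : "REFUSED");
    return 0;
}
```

Built with `cc -Wall example.c`, the program prints the buggy layout as REFUSED (the allow-list is checked against 192.0.2.10, the snmpd host itself) and the fixed layout as accepted (the allow-list sees 192.0.2.20). The -13093 in the quoted log line implies a real source port of 52443, which is what the "%hu" layout prints.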