USN-685-1: Net-SNMP vulnerabilities

3 December 2008

net-snmp vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 7.10
  • Ubuntu 6.06 LTS

Software Description

  • net-snmp

Details

Wes Hardaker discovered that the SNMP service did not correctly validate HMAC authentication requests. An unauthenticated remote attacker could send specially crafted SNMPv3 traffic with a valid username and gain access to the user’s views without a valid authentication passphrase. (CVE-2008-0960)

John Kortink discovered that the Net-SNMP Perl module did not correctly check the size of returned values. If a user or automated system were tricked into querying a malicious SNMP server, the application using the Perl module could be made to crash, leading to a denial of service. This did not affect Ubuntu 8.10. (CVE-2008-2292)

It was discovered that the SNMP service did not correctly handle large GETBULK requests. If an unauthenticated remote attacker sent a specially crafted request, the SNMP service could be made to crash, leading to a denial of service. (CVE-2008-4309)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.10
libsnmp15 - 5.4.1~dfsg-7.1ubuntu6.1
Ubuntu 8.04 LTS
libsnmp-perl - 5.4.1~dfsg-4ubuntu4.2
libsnmp15 - 5.4.1~dfsg-4ubuntu4.2
Ubuntu 7.10
libsnmp-perl - 5.3.1-6ubuntu2.2
libsnmp10 - 5.3.1-6ubuntu2.2
Ubuntu 6.06 LTS
libsnmp-perl - 5.2.1.2-4ubuntu2.3
libsnmp9 - 5.2.1.2-4ubuntu2.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References