USN-685-1: Net-SNMP vulnerabilities
3 December 2008
net-snmp vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 8.10
- Ubuntu 8.04 LTS
- Ubuntu 7.10
- Ubuntu 6.06 LTS
Software Description
- net-snmp
Details
Wes Hardaker discovered that the SNMP service did not correctly validate HMAC authentication requests. An unauthenticated remote attacker could send specially crafted SNMPv3 traffic with a valid username and gain access to the user’s views without a valid authentication passphrase. (CVE-2008-0960)
John Kortink discovered that the Net-SNMP Perl module did not correctly check the size of returned values. If a user or automated system were tricked into querying a malicious SNMP server, the application using the Perl module could be made to crash, leading to a denial of service. This did not affect Ubuntu 8.10. (CVE-2008-2292)
It was discovered that the SNMP service did not correctly handle large GETBULK requests. If an unauthenticated remote attacker sent a specially crafted request, the SNMP service could be made to crash, leading to a denial of service. (CVE-2008-4309)
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 8.10
  - libsnmp15 - 5.4.1~dfsg-7.1ubuntu6.1
- Ubuntu 8.04 LTS
  - libsnmp-perl - 5.4.1~dfsg-4ubuntu4.2
  - libsnmp15 - 5.4.1~dfsg-4ubuntu4.2
- Ubuntu 7.10
  - libsnmp-perl - 5.3.1-6ubuntu2.2
  - libsnmp10 - 5.3.1-6ubuntu2.2
- Ubuntu 6.06 LTS
  - libsnmp-perl - 5.2.1.2-4ubuntu2.3
  - libsnmp9 - 5.2.1.2-4ubuntu2.3
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system upgrade is sufficient to effect the necessary changes.
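To confirm that a host actually carries the fixed packages, the following added example (not part of the original notice) compares a package inventory against the versions listed above, using Debian version ordering so that the `~dfsg` and `ubuntuN.M` suffixes sort correctly. The function names and the sample inventory are assumptions made for illustration; the input is assumed to be `dpkg-query -W` style "package, whitespace, version" lines.

```python
import re
from itertools import zip_longest

# Fixed versions copied from the "Update instructions" list in this notice.
FIXED = {
    "8.10": {"libsnmp15": "5.4.1~dfsg-7.1ubuntu6.1"},
    "8.04": {"libsnmp-perl": "5.4.1~dfsg-4ubuntu4.2", "libsnmp15": "5.4.1~dfsg-4ubuntu4.2"},
    "7.10": {"libsnmp-perl": "5.3.1-6ubuntu2.2", "libsnmp10": "5.3.1-6ubuntu2.2"},
    "6.06": {"libsnmp-perl": "5.2.1.2-4ubuntu2.3", "libsnmp9": "5.2.1.2-4ubuntu2.3"},
}
# Constructed `dpkg-query -W` style output for an 8.04 host (not from the notice).
SAMPLE_HARDY = "libsnmp15\t5.4.1~dfsg-4ubuntu4\nlibsnmp-perl\t5.4.1~dfsg-4ubuntu4.2\n"
RUNS = re.compile(r"([^0-9]*)([0-9]*)")

def _order(ch):
    """Debian sort weight: '~' < end of string < letters < other characters."""
    if ch is None or ch == "~":
        return 0 if ch is None else -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings as alternating text/number runs."""
    for (ta, na), (tb, nb) in zip_longest(RUNS.findall(a), RUNS.findall(b), fillvalue=("", "")):
        for x, y in zip_longest(ta, tb):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_cmp(a, b):
    """Return <0, 0 or >0 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(release, dpkg_output):
    """List packages in the output whose version is below this notice's fixed version."""
    fixed = FIXED[release]
    rows = (line.split() for line in dpkg_output.splitlines())
    return [r[0] for r in rows if len(r) == 2 and r[0] in fixed and deb_cmp(r[1], fixed[r[0]]) < 0]
```

For the constructed sample, `unpatched("8.04", SAMPLE_HARDY)` reports only `libsnmp15`, since the `libsnmp-perl` entry is already at the fixed version.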