[ GLSA 200901-15 ] Net-SNMP: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200901-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Net-SNMP: Denial of Service
Date: January 21, 2009
Bugs: #245306
ID: 200901-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Net-SNMP could lead to a Denial of Service.

Background
==========

Net-SNMP is a collection of tools for generating and retrieving SNMP
data.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/net-snmp < 5.4.2.1 >= 5.4.2.1

Description
===========

Oscar Mira-Sanchez reported an integer overflow in the
netsnmp_create_subtree_cache() function in agent/snmp_agent.c when
processing GETBULK requests.

Impact
======

A remote attacker could send a specially crafted request to crash the
SNMP server. NOTE: The attacker needs to know the community string to
exploit this vulnerability.

Workaround
==========

Restrict access to trusted entities only.

Resolution
==========

All Net-SNMP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.2.1"

References
==========

[ 1 ] CVE-2008-4309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4309

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200901-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@xxxxxxxxxx or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



Attachment: signature.asc
Description: OpenPGP digital signature

Relevant Pages

  • [Full-Disclosure] Re: its all about timing
    ... >hunters, sure don't sound like they need some else telling them what ... I think it's because there are more "consumers" of vulnerability ... to remove those bugs from their vulnerable systems. ... responsible for the security of large, ...
    (Full-Disclosure)
  • [Full-disclosure] [ GLSA 200704-13 ] File: Denial of Service
    ... Bugs: #174217 ... Note that this vulnerability could be also triggered through ... Security is a primary focus of Gentoo Linux and ensuring the ...
    (Full-Disclosure)
  • [ GLSA 200704-13 ] File: Denial of Service
    ... Bugs: #174217 ... Note that this vulnerability could be also triggered through ... Security is a primary focus of Gentoo Linux and ensuring the ...
    (Bugtraq)
  • Re: starwreck
    ... crack attempts -- pull services are only vulnerable to attacks transmitted ... assuming it has bugs that open security flaws. ... automatic vulnerability -- there really do have bugs for there to be a ...
    (rec.music.filk)
  • iDEFENSE Security Advisory 10.02.2002: Net-SNMP DoS Vulnerability
    ... iDEFENSE Security Advisory 10.02.2002: Net-SNMP DoS Vulnerability ... The Net-SNMP package, formerly known as ucd-snmp, is a suite of tools ... The SNMP daemon included in the Net-SNMP package can be crashed if it ... Get paid for security research ...
    (Bugtraq)
Quantcast