CVE-2008-6123: not fixed in latest security releases

Bug #331410 reported by Stephan Rügamer
Affects                     Status        Importance  Assigned to       Milestone
net-snmp (Fedora)           Fix Released  Medium
net-snmp (Gentoo Linux)     Fix Released  Low
net-snmp (Ubuntu)           Fix Released  Medium      Unassigned
  Dapper                    Invalid       Undecided   Stephan Rügamer
  Gutsy                     Invalid       Undecided   Stephan Rügamer
  Hardy                     Invalid       Undecided   Stephan Rügamer
  Intrepid                  Invalid       Undecided   Stephan Rügamer
  Jaunty                    Invalid       Undecided   Stephan Rügamer
  Karmic                    Invalid       Undecided   Unassigned
  Lucid                     Fix Released  Medium      Unassigned
  Maverick                  Fix Released  Medium      Unassigned

Bug Description

Dear Colleagues,

it looks like CVE-2008-6123 is not fixed in the latest security fixes for net-snmp.

From Mitre about this issue:

The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp 5.0.9 through 5.4.2, when using TCP wrappers for client authorization, does not properly parse hosts.allow rules, which allows remote attackers to bypass intended access restrictions and execute SNMP queries, related to "source/destination IP address confusion."

References:
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17367 (upstream patch)

http://bugs.gentoo.org/show_bug.cgi?id=250429 (Gentoo Bugtracker)

https://bugzilla.redhat.com/show_bug.cgi?id=485211 (RedHat Bugtracker)

Regards,

\sh

Revision history for this message
Jan (jan-redhat-bugs) wrote :

A possibility of sensitive host information disclosure was found in the
implementation of the SNMP protocol as defined in RFC 1065, RFC 1066, and RFC 1067.
If the snmpd daemon was running on the host, it served SNMP queries
regardless of the fact that the IP address of the requester was not mentioned in
the list of hosts allowed to issue / request SNMP MIB object information.
A remote attacker could use this flaw to gain host-related sensitive information
by performing an SNMP query.

References:
http://bugs.gentoo.org/show_bug.cgi?id=250429

Upstream patch:
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17367

Jan (jan-redhat-bugs) wrote :

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6123 to
the following vulnerability:

The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp
5.0.9 through 5.4.2, when using TCP wrappers for client authorization,
does not properly parse hosts.allow rules, which allows remote
attackers to bypass intended access restrictions and execute SNMP
queries, related to "source/destination IP address confusion."

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123
http://www.openwall.com/lists/oss-security/2009/02/12/2
http://bugs.gentoo.org/show_bug.cgi?id=250429
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17367
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/trunk/net-snmp/snmplib/snmpUDPDomain.c?r1=17325&r2=17367&pathrev=17367

Changed in net-snmp:
status: Unknown → Confirmed
status: Unknown → Confirmed
Stephan Rügamer (sruegamer) wrote :

Dear Colleagues,

I'm preparing some debdiffs for this issue for all nominated releases.

Regards,

\sh

Stephan Rügamer (sruegamer) wrote :
Changed in net-snmp:
assignee: nobody → shermann
status: New → In Progress

Stephan Rügamer (sruegamer) wrote :
Changed in net-snmp:
status: New → Confirmed
status: New → Confirmed
status: New → In Progress
status: New → In Progress
assignee: nobody → shermann
assignee: nobody → shermann

Stephan Rügamer (sruegamer) wrote :
Changed in net-snmp:
assignee: nobody → shermann
status: Confirmed → In Progress

Stephan Rügamer (sruegamer) wrote :
Changed in net-snmp:
assignee: nobody → shermann
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs. The dapper debdiff is incorrect and needs several other commits so *data will actually contain what is needed. Further, I tried to reproduce based on the Gentoo bug, but was unable to so far. Stephan, do you have a working reproducer?

Changed in net-snmp:
status: In Progress → New
Marc Deslauriers (mdeslaur) wrote :

The CVE-2008-6123 security issue was introduced in the following commit:
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=16654

So, the issue was introduced in 5.2.5, 5.3.2 and 5.4.2.

None of our releases are impacted by this.

dapper: 5.2.1.2-4ubuntu2.3
gutsy: 5.3.1-6ubuntu2.2
hardy: 5.4.1~dfsg-4ubuntu4.2
intrepid: 5.4.1~dfsg-7.1ubuntu6.1
jaunty: 5.4.1~dfsg-12ubuntu1

Closing as invalid. Feel free to open again if this is incorrect.

Changed in net-snmp:
status: In Progress → Invalid
status: In Progress → Invalid
status: New → Invalid
status: In Progress → Invalid
status: In Progress → Invalid
errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:0295 https://rhn.redhat.com/errata/RHSA-2009-0295.html

Changed in net-snmp (Gentoo Linux):
status: Confirmed → In Progress
Changed in net-snmp (Gentoo Linux):
status: In Progress → Fix Released
Tom van Leeuwen (tom-vleeuwen) wrote :

I changed the status to confirmed. I have this bug on my machine.
Apport bug report:

ProblemType: Bug
Architecture: amd64
Date: Tue Jun 1 11:32:16 2010
DistroRelease: Ubuntu 10.04
InstallationMedia: Ubuntu-Server 10.04 "Lucid Lynx" - Beta amd64 (20100406.1)
Package: snmpd 5.4.2.1~dfsg0ubuntu1-0ubuntu2
PackageArchitecture: amd64
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.32-22.33-server 2.6.32.11+drm33.2
SourcePackage: net-snmp
Tags: lucid
Uname: Linux 2.6.32-22-server x86_64

Changed in net-snmp (Ubuntu):
status: Invalid → Confirmed
undefined (undefined) wrote :

i sent the following email nearly 48 hours ago to <email address hidden> and have received no response or even an acknowledgment, so i'm following up as a comment to this bug. (i also sent the bug to debian's <email address hidden>, but it never made it through to the archives, so i just added a comment to debian's bug #516801.)

i'll attach the below referenced patch to this bug (#331410).

SUMMARY
-------

snmpd in lucid (5.4.2.1~dfsg0ubuntu1-0ubuntu2) is vulnerable to
CVE-2008-6123 contrary to what its changelog says.

the attached patch was applied to the aforementioned version, compiled in a
pbuilder lucid chroot (on lenny), and the resulting packages (libsnmp-base,
libsnmp15, snmp, snmpd) were successfully tested on lucid-i386.

i also downloaded sid's 5.4.2.1~dfsg-5 source and it appears to be
vulnerable based on its snmplib/snmpUDPDomain.c and the lack of any
applicable patch(es) in debian/patches.

REFERENCES
----------

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17367
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/branches/V5-4-patches/net-snmp/snmplib/snmpUDPDomain.c?r1=17367&r2=17366&pathrev=17367

BACKGROUND
----------

i recently upgraded a netbook from hardy to lucid by installing lucid to a
new hard drive and copying/merging the old configuration. after installing
snmpd and merging/copying the associated configuration files
(/etc/default/snmpd, /etc/snmp/snmpd.conf, /etc/hosts.allow,
& /etc/hosts.deny) it rejected connections from my cacti installation
residing on the network (the only IP allowed to connect to it based on the
tcp-wrapper's ACL). i also noticed that the syslog output was incorrect:

snmpd[$PID]: Connection from UDP: [$LOCAL_IP]->[$REMOTE_IP]:-13093 REFUSED

yes, the remote port is negative due to "%hd" in the packages'
snmplib/snmpUDPDomain.c, but is "%hu" upstream and fixed in the attached
patch.

PROBLEM
-------

snmpd improperly applies tcp-wrapper ACLs because it calls tcp-wrapper's
hosts_ctl (see netsnmp_agent_check_packet() in agent/snmp_agent.c) with its
local IP address as the "client_addr" (instead of the snmp client's remote
IP address) because of incorrect string assembly (see netsnmp_udp_fmtaddr()
in snmplib/snmpUDPDomain.c).

SOLUTION
--------

searching for snmpd bugs related to tcp wrappers, i found debian bug
#516801. i downloaded and browsed the ubuntu source package, reviewed
agent/snmp_agent.c where tcp-wrappers' hosts_ctl() is called, backtracked
to snmplib/snmpUDPDomain.c where the string is constructed that
snmp_agent.c deconstructs for hosts_ctl(), and verified that upstream's
CVE-2008-6123 patch for v5.4 is still applicable (though compensating for
"%hd" in debian/ubuntu source).

i added the patch to the package using quilt, rebuilt the package,
installed it, and it works correctly:

snmpd[$PID]: Connection from UDP: [$REMOTE_IP]:53735->[$LOCAL_IP]

thanks for providing the net-snmp packages!

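The source/destination confusion described in the comment above, as an added C illustration that is not net-snmp code and not the patch attached to this bug: the two transport-string layouts are reconstructed from the two syslog lines quoted in the comment, while extract_client_addr() and acl_decision() are simplified stand-ins (my own names) for the bracket parsing done before netsnmp_agent_check_packet() calls hosts_ctl() and for a one-entry hosts.allow; all addresses are constructed.

```c
#include <stdio.h>
#include <string.h>
typedef int (*fmtaddr_fn)(char *, size_t, const char *, unsigned short, const char *);

/* Vulnerable layout, reconstructed from the REFUSED syslog line quoted above
 * (not copied from net-snmp): local address first, remote second, port via %hd. */
static int fmtaddr_vulnerable(char *b, size_t n, const char *rip, unsigned short port, const char *lip)
{
    return snprintf(b, n, "UDP: [%s]->[%s]:%hd", lip, rip, port);
}

/* Fixed layout, reconstructed from the corrected syslog line: remote address
 * and port first, then the local address, port via %hu. */
static int fmtaddr_fixed(char *b, size_t n, const char *rip, unsigned short port, const char *lip)
{
    return snprintf(b, n, "UDP: [%s]:%hu->[%s]", rip, port, lip);
}

/* Stand-in for the agent's step before hosts_ctl(): the first bracketed
 * address in the transport string is taken as the client address. 0 on success. */
static int extract_client_addr(const char *s, char *out, size_t outlen)
{
    const char *open = strchr(s, '['), *close = open ? strchr(open, ']') : NULL;
    if (!open || !close || (size_t)(close - open) > outlen) return -1;
    memcpy(out, open + 1, (size_t)(close - open - 1));
    out[close - open - 1] = '\0';
    return 0;
}

/* Stand-in for hosts_ctl() with a one-entry hosts.allow: 1 allowed, 0 refused,
 * -1 malformed; 'who' receives the address the ACL was actually checked against. */
static int acl_decision(fmtaddr_fn fmt, const char *rip, unsigned short port,
                        const char *lip, const char *allowed_ip, char *who, size_t n)
{
    char buf[128];
    if (fmt(buf, sizeof buf, rip, port, lip) < 0 || extract_client_addr(buf, who, n) != 0)
        return -1;
    return strcmp(who, allowed_ip) == 0;
}

int main(void)
{   /* constructed addresses: permitted poller 192.0.2.10, snmpd host 198.51.100.5 */
    char who[64];
    fmtaddr_fn fns[2] = { fmtaddr_vulnerable, fmtaddr_fixed };
    for (int i = 0; i < 2; i++) {
        int ok = acl_decision(fns[i], "192.0.2.10", 53735, "198.51.100.5", "192.0.2.10", who, sizeof who);
        printf("%-10s: poller allowed=%d, ACL checked %s\n", i ? "fixed" : "vulnerable", ok, who);
    }
    return 0;
}
```

With the vulnerable layout the permitted poller is refused because the ACL is checked against snmpd's own address, and any host is accepted once that local address itself appears in hosts.allow; the fixed layout checks the real client address.
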
Kees Cook (kees) wrote :

Hi! Thanks for the report. It looks like this wasn't triaged correctly when we first looked at it. We'll get this fixed and published. Thanks for the patches and for testing it.

Changed in net-snmp (Ubuntu Karmic):
status: New → Invalid
Changed in net-snmp (Ubuntu Lucid):
status: New → Triaged
Changed in net-snmp (Ubuntu Maverick):
assignee: Stephan Hermann (shermann) → nobody
importance: Undecided → Medium
status: Confirmed → Triaged
Kees Cook (kees)
Changed in net-snmp (Ubuntu Lucid):
importance: Undecided → Medium
Kees Cook (kees) wrote :

Ah-ha, I see the problem now. This vulnerability was introduced after all the versions of net-snmp that were in the archive at the time the CVE was published. At some point Debian packaged the 5.4.x series from a point that did not include the fix, which is why only Lucid and later have the problem.

Changed in net-snmp (Ubuntu Maverick):
status: Triaged → Fix Released
Kees Cook (kees)
Changed in net-snmp (Ubuntu Lucid):
status: Triaged → Fix Committed
Kees Cook (kees)
Changed in net-snmp (Ubuntu Lucid):
status: Fix Committed → Fix Released
Kees Cook (kees) wrote :
Changed in net-snmp (Gentoo Linux):
importance: Unknown → Low
Changed in net-snmp (Fedora):
importance: Unknown → Medium
status: Confirmed → Fix Released