Bug#1016139: For Review: Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)

2022-08-10 Thread Moritz Muehlenhoff
On Wed, Aug 10, 2022 at 05:05:12PM +1000, Craig Small wrote:
> > Do you have capacity to prepare updates for bullseye?
> >
> Yes, see attached debdiff for review. It's just those two patches.

Looks good, thanks! Please upload to security-master.

Cheers,
Moritz



Bug#1016139: For Review: Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)

2022-08-10 Thread Craig Small
On Sun, 7 Aug 2022 at 23:29, Salvatore Bonaccorso  wrote:

> Did you get confirmation from upstream back if those are the only two
> needed ones?
>
I got no message at all. However, these are the only two that mention the
people that found the bug and fixed it (two sets of people).


> Do you have capacity to prepare updates for bullseye?
>
Yes, see attached debdiff for review. It's just those two patches.

 - Craig
diff -Nru net-snmp-5.9+dfsg/debian/changelog net-snmp-5.9+dfsg/debian/changelog
--- net-snmp-5.9+dfsg/debian/changelog	2020-09-25 09:10:00.0 +1000
+++ net-snmp-5.9+dfsg/debian/changelog	2022-08-10 16:16:59.0 +1000
@@ -1,3 +1,12 @@
+net-snmp (5.9+dfsg-4+deb11u1) bullseye-security; urgency=high
+
+  * Backport upstream security patches from v5.9.3 Closes: #1016139
+  * snmpd_fix_bounds_checking: CVE-2022-24805, CVE-2022-24809
+  * snmpd_recover_set_status: CVE-2022-24806, CVE-2022-24807, CVE-2022-24808,
+CVE-2022-24810
+
+ -- Craig Small   Wed, 10 Aug 2022 16:16:59 +1000
+
 net-snmp (5.9+dfsg-3) unstable; urgency=medium
 
   * Source only upload - no changes Closes: #970798
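Review bot: As rendered in this message the wrapped continuation line `+CVE-2022-24810` of the second bullet starts at column zero; a debian/changelog body line must be indented like the bullet text it continues or dpkg-parsechangelog rejects the entry, so confirm the indentation survived in the file being uploaded. The `Closes: #1016139` form without parentheses matches the existing `Closes: #970798` entry below, so that is consistent with the package's style.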
diff -Nru net-snmp-5.9+dfsg/debian/patches/series net-snmp-5.9+dfsg/debian/patches/series
--- net-snmp-5.9+dfsg/debian/patches/series	2020-09-25 09:10:00.0 +1000
+++ net-snmp-5.9+dfsg/debian/patches/series	2022-08-10 16:16:59.0 +1000
@@ -37,3 +37,5 @@
 Link-libnetsnmptrapd-against-MYSQL_LIBS.patch
 pkgconfig_install_mode
 perl_makefile_man3pods
+snmpd_fix_bounds_checking
+snmpd_recover_set_status
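Review bot: Only the first of the two patches added here, `snmpd_fix_bounds_checking`, is visible in the debdiff as reproduced in this message; confirm that `snmpd_recover_set_status` (the backport of upstream commit 9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 named earlier in the thread) is present in the upload and carries a DEP-3 header like the first one. The entries without a `.patch` suffix match the neighbouring `pkgconfig_install_mode` and `perl_makefile_man3pods`, so no change is needed there.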
diff -Nru net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking
--- net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking	1970-01-01 10:00:00.0 +1000
+++ net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking	2022-08-10 16:16:59.0 +1000
@@ -0,0 +1,123 @@
+Description: snmpd: fix bounds checking in MIBS
+ Fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB,
+ SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
+
+ Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+ Fixes by: Arista Networks
+
+ References: CVE-2022-24805, CVE-2022-24809 
+Author: Bill Fenner 
+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937`
+Bug-Debian: https://bugs.debian.org/1016139
+Reviewed-by: Craig Small 
+Last-Update: 2022-08-10
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/agent/mibgroup/agent/nsLogging.c
 b/agent/mibgroup/agent/nsLogging.c
+@@ -147,6 +147,8 @@
+ continue;
+ logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+ table_info  =netsnmp_extract_table_info(request);
++if (!table_info || !table_info->indexes)
++continue;
+ 
+ switch (table_info->colnum) {
+ case NSLOGGING_TYPE:
+@@ -201,6 +203,8 @@
+ }
+ logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+ table_info  = netsnmp_extract_table_info(request);
++if (!table_info || !table_info->indexes)
++continue;
+ 
+ switch (table_info->colnum) {
+ case NSLOGGING_TYPE:
+@@ -394,6 +398,8 @@
+ continue;
+ logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+ table_info  = netsnmp_extract_table_info(request);
++if (!table_info || !table_info->indexes)
++continue;
+ 
+ switch (table_info->colnum) {
+ case NSLOGGING_TYPE:
+--- a/agent/mibgroup/agent/nsVacmAccessTable.c
 b/agent/mibgroup/agent/nsVacmAccessTable.c
+@@ -170,9 +170,13 @@
+ entry = (struct vacm_accessEntry *)
+ netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++if (!table_info || !table_info->indexes)
++continue;
+ 
+ /* Extract the authType token from the list of indexes */
+ idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++if (idx->val_len >= sizeof(atype))
++continue;
+ memset(atype, 0, sizeof(atype));
+ memcpy(atype, (char *)idx->val.string, idx->val_len);
+ viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -212,6 +216,8 @@
+ entry = (struct vacm_accessEntry *)
+ netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++if (!table_info || !table_info->indexes)
++continue;
+ ret = SNMP_ERR_NOERROR;
+ 
+ switch (table_info->colnum) {
+@@ -247,6 +253,8 @@
+  * Extract the authType token from the list of indexes
+  */
+   
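Review bot: In the nsVacmAccessTable hunk at `-170,9 +170,13` the new `!table_info->indexes` guard protects only the head of the index list, while the following `idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;` still walks four links without a NULL check; a short comment recording that the table registration guarantees all five index varbinds would make that assumption explicit for the next reviewer. The `idx->val_len >= sizeof(atype)` comparison is the right one, since it leaves room for the terminating NUL that the preceding `memset` supplies before the `memcpy`. Two header nits: the Origin URL ends with a stray backtick after `...fc937`, and the `b/agent/mibgroup/agent/nsLogging.c` and `b/agent/mibgroup/agent/nsVacmAccessTable.c` file header lines appear here without their `+++` prefix, so check that the patch applies cleanly with dpkg-source or quilt before upload.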

Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)

2022-08-07 Thread Salvatore Bonaccorso
Hi Craig,

On Fri, Jul 29, 2022 at 04:36:56PM +0200, Moritz Mühlenhoff wrote:
> On Thu, Jul 28, 2022 at 09:25:44PM +1000, Craig Small wrote:
> > I said:
> > 
> > > I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
> > > changelog.
> > > I'm trying to find where they've made the changes to see if it is possible
> > > to get at least bullseye fixed.
> > >
> > I've had a look and believe these two commits are the fixes:
> > 
> > snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB,
> > SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
> > https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937
> > 
> > snmpd: recover SET status from delegated request
> > https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341
> > 
> > Both sets of commits look pretty clear and simple to implement. I've asked
> > upstream to confirm these are the only two patches.

Did you get confirmation from upstream back if those are the only two
needed ones?

Do you have capacity to prepare updates for bullseye?

Regards,
Salvatore



Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)

2022-07-29 Thread Moritz Mühlenhoff
On Thu, Jul 28, 2022 at 09:25:44PM +1000, Craig Small wrote:
> I said:
> 
> > I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
> > changelog.
> > I'm trying to find where they've made the changes to see if it is possible
> > to get at least bullseye fixed.
> >
> I've had a look and believe these two commits are the fixes:
> 
> snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB,
> SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
> https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937
> 
> snmpd: recover SET status from delegated request
> https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341
> 
> Both sets of commits look pretty clear and simple to implement. I've asked
> upstream to confirm these are the only two patches.

Ack, thanks!

Cheers,
Moritz



Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)

2022-07-28 Thread Craig Small
I said:

> I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
> changelog.
> I'm trying to find where they've made the changes to see if it is possible
> to get at least bullseye fixed.
>
I've had a look and believe these two commits are the fixes:

snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB,
SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937

snmpd: recover SET status from delegated request
https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341

Both sets of commits look pretty clear and simple to implement. I've asked
upstream to confirm these are the only two patches.

 - Craig


Bug#1016139: net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805

2022-07-27 Thread Moritz Mühlenhoff
Source: net-snmp
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for net-snmp.

5.9.3 fixes the following issues:

- These two CVEs can be exploited by a user with read-only credentials:
  - CVE-2022-24805 A buffer overflow in the handling of the INDEX of
    NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
  - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
    can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
  - CVE-2022-24806 Improper Input Validation when SETing malformed
    OIDs in master agent and subagent simultaneously
  - CVE-2022-24807 A malformed OID in a SET request to
    SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
    out-of-bounds memory access.
  - CVE-2022-24808 A malformed OID in a SET request to
    NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
  - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
    can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
  If you must use SNMPv1 or SNMPv2c, use a complex community string
  and enhance the protection by restricting access to a given IP address
  range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
  reporting the following CVEs that have been fixed in this release, and
  to Arista Networks for providing fixes.

Please adjust the affected versions in the BTS as needed.
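As an added illustration, not net-snmp's code and not part of this thread, of the guard pattern the bounds-checking patch applies to the nsVacmAccessTable index walk behind CVE-2022-24805 and CVE-2022-24809: the fifth index varbind is reached only through NULL checks and its value is copied only if it fits with a terminator, so a malformed request is rejected instead of crashing the agent. It assumes a 16-byte atype buffer and a stand-in varbind struct with only the fields the walk touches.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for net-snmp's index varbind list with only the fields the
 * walk touches (constructed for this example, not the real struct). */
typedef struct varbind {
    struct varbind *next_variable;
    const unsigned char *val_string;
    size_t val_len;
} varbind;
#define ATYPE_LEN 16   /* assumed size of the handler's fixed atype[] buffer */

/* Return the n-th index varbind (0-based), or NULL if the chain is shorter:
 * the guard an unchecked ->next_variable->next_variable chain lacks. */
static const varbind *nth_index(const varbind *head, int n) {
    const varbind *v = head;
    for (int i = 0; v != NULL && i < n; i++)
        v = v->next_variable;
    return v;
}

/* Copy the authType token (5th index) into out. Returns 1 on success and
 * 0 when the request is rejected: too few indexes, or a token too long to
 * fit with its NUL terminator (the val_len >= sizeof(atype) test). */
int extract_auth_type(const varbind *indexes, char out[ATYPE_LEN]) {
    const varbind *idx = nth_index(indexes, 4);
    if (idx == NULL || idx->val_len >= ATYPE_LEN)
        return 0;
    memset(out, 0, ATYPE_LEN);
    memcpy(out, idx->val_string, idx->val_len);
    return 1;
}

/* Build a constructed request with n index varbinds, the last carrying tok,
 * and run the extractor. Returns 1 if the token was accepted and recovered
 * intact, 0 if the request was rejected. */
int run_scenario(int n, const char *tok) {
    varbind vb[8]; char out[ATYPE_LEN];
    if (n < 1 || n > 8)
        return 0;
    for (int i = 0; i < n; i++) {
        vb[i].next_variable = (i + 1 < n) ? &vb[i + 1] : NULL;
        vb[i].val_string = (const unsigned char *)"x";   /* filler index */
        vb[i].val_len = 1;
    }
    vb[n - 1].val_string = (const unsigned char *)tok;
    vb[n - 1].val_len = strlen(tok);
    return extract_auth_type(vb, out) && strcmp(out, tok) == 0;
}
```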