Vigil@nce: RHEL 3, denial of service of net-snmp
July 2009 by Vigil@nce
An attacker can send a GETBULK request to the snmpd daemon patched
for Red Hat Enterprise Linux version 3 in order to stop it.
Severity: 2/4
Consequences: denial of service of service
Provenance: intranet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 26/06/2009
IMPACTED PRODUCTS
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
An SNMP GETBULK query is used to obtain a group of variables at the
same time. It contains the "non-repeaters" field, which indicates
the starting offset.
The net-snmp package of Red Hat Enterprise Linux version 3 carries a
specific patch. The netsnmp_create_subtree_cache() function of the
net-snmp/agent/snmp_agent.c file does not correctly check a limit
condition, which leads to a division by zero. This limit
condition is reached when the GETBULK query indicates a
"non-repeaters" value equal to the number of requested variables.
An attacker can therefore send a GETBULK request to the snmpd
daemon patched for Red Hat Enterprise Linux version 3 in order to
stop it.
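
The limit condition described above, as an added example that is not net-snmp or Red Hat code: a simplified model of how an agent can derive the GETBULK counts (N, R, M as named in RFC 3416) without ever dividing by R when "non-repeaters" equals the number of requested variables. The names plan_getbulk, struct bulk_plan and the budget parameter are assumptions made for this illustration.

```c
#include <stdio.h>

/* Hypothetical model of GETBULK planning, not net-snmp or Red Hat code. */
struct bulk_plan {
    int n; /* N: varbinds answered once (clamped non-repeaters) */
    int r; /* R: varbinds that repeat */
    int m; /* M: repetitions granted to each repeating varbind */
};

/* non_repeaters and max_repetitions come from the request PDU;
 * budget is an assumed agent-side cap on total response varbinds. */
struct bulk_plan plan_getbulk(long non_repeaters, long max_repetitions,
                              int varbind_count, int budget)
{
    struct bulk_plan p = {0, 0, 0};
    int left, cap;

    if (varbind_count <= 0 || budget <= 0)
        return p;
    if (non_repeaters < 0)      /* defensive clamp on untrusted input */
        non_repeaters = 0;
    if (max_repetitions < 0)
        max_repetitions = 0;

    /* N = min(non-repeaters, varbind count); R = varbind count - N >= 0 */
    p.n = non_repeaters < varbind_count ? (int)non_repeaters : varbind_count;
    p.r = varbind_count - p.n;

    /* Boundary case from the advisory: non-repeaters == varbind count
     * gives R == 0, so nothing may be divided by R on this path. */
    if (p.r == 0)
        return p;

    left = budget - p.n;        /* response slots left for repeaters */
    if (left <= 0)
        return p;
    cap = left / p.r;           /* safe: R > 0 here */
    p.m = max_repetitions < cap ? (int)max_repetitions : cap;
    return p;
}

int main(void)
{
    struct bulk_plan p = plan_getbulk(3, 10, 3, 100); /* constructed input */
    printf("N=%d R=%d M=%d\n", p.n, p.r, p.m);
    return 0;
}
```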
CHARACTERISTICS
Identifiers: 506903, BID-35492, CVE-2009-1887, RHSA-2009:1124-01,
VIGILANCE-VUL-8824
http://vigilance.fr/vulnerability/RHEL-3-denial-of-service-of-net-snmp-8824