Security Vulnerability With snmpd(1M) When Processing Certain AgentX Subagent Requests

| Category : | Security |
| Release Phase : | Resolved |
| Product : | Solaris 10 Operating System |
| Bug Id : | 6314978 |
| Date of Workaround Release : | 24-MAY-2007 |
| Date of Resolved Release : | 04-JUN-2007 |
Impact
When the System Management Agent (SMA) SNMP daemon (snmpd(1M)) is running in "master agentx" mode, a security vulnerability may allow a local or remote unprivileged user to create a Denial of Service (DoS) condition by causing a particular TCP disconnect.
This issue is described in the following document:
CVE-2005-4837 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4837
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
x86 Platform
- Solaris 10 without patch 120273-08
Notes:
- Solaris 8 and Solaris 9 do not ship with the Net-SNMP software and thus are not impacted by this issue.
- The Net-SNMP software was not bundled with Solaris prior to Solaris 10. However, customers who have built and/or installed a vulnerable version of Net-SNMP on any version of Solaris are at risk. (See the Net-SNMP web site to download the latest version of Net-SNMP, which addresses this issue.)
- The Solaris 10 patches which address this vulnerability do not increment the version of Net-SNMP. The version of Net-SNMP supplied with the patches will still be reported as 5.0.9.
This issue only affects systems which have the SUNWsmagt package installed and AgentX enabled. To determine if the SUNWsmagt package is installed on the system, the following command can be run:
$ pkginfo -l SUNWsmagt
PKGINST: SUNWsmagt
NAME: System Management Agent files and libraries
CATEGORY: system
VERSION: 1.0,REV=2005.01.08.05.16
To confirm the version of Net-SNMP installed on the system, the following command can be run:
$ /usr/sfw/sbin/snmpd -v
NET-SNMP version: 5.0.9
Web: http://www.net-snmp.org/
Email: net-snmp-coders@lists.sourceforge.net
If the version reported is 5.0.9 or earlier and the above patch is not installed then the described issue may occur.
By default, AgentX support is turned off. This issue will only occur if AgentX support is enabled explicitly. To determine if AgentX support is enabled, the following command can be run (as 'root'):
# grep agentx /etc/sma/snmp/snmpd.conf
master agentx
The above output indicates AgentX support is enabled and snmpd(1M) is vulnerable. If the above command produces no output, then snmpd(1M) is not vulnerable.
Symptoms
Should the described issue occur, snmpd(1M) will core dump.
Workaround
To work around the described issue, disable AgentX support by commenting out the "master agentx" entry in the "/etc/sma/snmp/snmpd.conf" file, as in the following example:
#master agentx
then restart SMA with the following command:
# /etc/init.d/init.sma restart
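As an added example (not part of the original advisory), the shell functions below apply the AgentX and patch checks to a copy of snmpd.conf and to saved `showrev -p` output, so a host can be triaged offline. The function names and sample data are constructed; the code assumes the `Patch: <id>-<rev>` line format of `showrev -p`, uses only the patch ID shown on this page, and does not repeat the pkginfo check.

```shell
#!/bin/sh
# Added example (not from the advisory). Inputs are files so the checks can
# run offline against data collected from a host.

# Return 0 if the config file $1 has an active "master agentx" directive.
# Comments are stripped first, so the workaround line "#master agentx",
# which a plain `grep agentx` still prints, does not count as enabled.
agentx_master_enabled() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "master" && tolower($2) == "agentx" { on = 1 }
         END { exit !on }' "$1"
}

# Return 0 if saved `showrev -p` output $1 lists patch $2 at revision >= $3.
patch_installed() {
    awk -v id="$2" -v min="$3" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == id && p[2] + 0 >= min + 0) ok = 1 }
        END { exit !ok }' "$1"
}

# Print a verdict. $1 = copy of snmpd.conf, $2 = saved `showrev -p` output.
sma_agentx_status() {
    if ! agentx_master_enabled "$1"; then
        echo "not exposed: AgentX master mode is off"
    elif patch_installed "$2" 120273 08; then
        echo "patched: 120273-08 or later installed"
    else
        echo "vulnerable: master agentx active without 120273-08"
    fi
}

# Constructed sample data: AgentX on, patch present but at an older revision.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'rocommunity public' 'master agentx' > "$d/snmpd.conf"
    printf '%s\n' 'Patch: 120273-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWsmagt' > "$d/showrev.txt"
    sma_agentx_status "$d/snmpd.conf" "$d/showrev.txt"
    rm -rf "$d"
}
demo
```

On a live Solaris 10 host the inputs would be /etc/sma/snmp/snmpd.conf and the output of `showrev -p` redirected to a file.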
Resolution
This issue is addressed in the following releases:
SPARC Platform
x86 Platform
- Solaris 10 with patch 120273-08 or later
Modification History
Date: 04-JUN-2007
- Updated Contributing Factors and Resolution sections
- State: Resolved