[Pkg-net-snmp-devel] Bug#965166: Bug#965166: snmpd privilege escalation
Bart Van Assche
bvanassche at acm.org
Sat Jul 18 03:04:07 BST 2020
Please trim quoted emails when replying.
Net-SNMP version 5.7.3, the version included in Debian, is no longer
maintained upstream.
A patch has been applied to the Net-SNMP v5.8 and master branches that
removes the EXTEND MIB from the list with default MIBs. See also commit
c2b96ee74439 ("snmpd: Disable NET-SNMP-EXTEND-MIB support by default").
However, it's still possible that that patch is reverted before the next
version is released.
Not allowing to set agentUser in /var/lib/snmp/snmpd.conf would probably
help to address the reported vulnerability. However, I doubt that this
would address all vulnerabilities that could be triggered via the EXTEND
MIB. Since the EXTEND MIB allows to run any shell command from a remote
system it can be used for privilege escalation. Since Net-SNMP already
supports other mechanisms for extending snmpd, e.g. the extend and
extendfix directives in snmpd.conf, I propose to disable the EXTEND MIB.
More information about the Pkg-net-snmp-devel
mailing list