OpenBSD net-snmp Information Disclosure
Posted on 14 November 2015
## Advisory Information

Title: OpenBSD package 'net-snmp' information disclosure
Advisory URL: https://pierrekim.github.io/advisories/CVE-2015-8100-openbsd-net-snmp.txt
Blog URL: https://pierrekim.github.io/blog/2015-11-12-CVE-2015-8100-OpenBSD-package-net-snmp-information-disclosure.html
Date published: 2015-11-12
Vendors contacted: Stuart Henderson, OpenBSD Package maintainer
Release mode: Released
CVE: CVE-2015-8100

## Product Description

Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6.

This software is available in OpenBSD as a port (/usr/ports/net/net-snmp).

## Vulnerabilities Summary

By default, when the OpenBSD package or port is used, the snmpd configuration file has weak permissions, which allow a local user to retrieve sensitive information.

## Details

By default the permissions of the snmpd configuration file in OpenBSD are 0644 instead of 0600:

    # cd /usr/ports/net/net-snmp
    # make install clean
    [...]
    # ls -latr /etc/snmp/snmpd.conf
    -rw-r--r-- 1 root wheel 6993 Nov 4 09:16 /etc/snmp/snmpd.conf
    #

The same problem occurs when the provided package is installed with `pkg_add http://ftp.spline.de/pub/OpenBSD/5.8/packages/i386/net-snmp-5.7.3p0.tgz`:

    # ls -latr /etc/snmp/snmpd.conf
    -rw-r--r-- 1 root wheel 6993 Nov 4 08:37 /etc/snmp/snmpd.conf
    #

The snmpd configuration file is readable by a local user and contains the credentials for read-only and read-write access (for SNMPv1, SNMPv2 and SNMPv3 protocols) and gives a local user unnecessary/dangerous access:

    [...]
    rocommunity public default -V systemonly
    #rocommunity secret 10.0.0.0/16
    rouser authOnlyUser
    #rwuser authPrivUser priv
    [...]

This problem is OpenBSD-specific as the /var/db/pkg/net-snmp-5.7.3p0/+CONTENTS file confirms:

    @ts 1438958635
    @sample /etc/snmp/snmpd.conf

Furthermore, by default, `/usr/local/sbin/snmpd` runs as root.
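The check below is an added example, not part of the original advisory or of the OpenBSD port: it flags an snmpd configuration file that is readable by group or other while holding credential directives. The function names, the `CRED_RE` pattern and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit snmpd.conf permissions.

# Active (uncommented) net-snmp directives that carry SNMP credentials.
CRED_RE='^[[:space:]]*(rocommunity6?|rwcommunity6?|rouser|rwuser|createUser)[[:space:]]'

# Print how many credential directives FILE contains.
count_cred_lines() {
    grep -Ec "$CRED_RE" "$1" || true   # grep exits 1 on zero matches
}

# Succeed if FILE is readable by group or other (e.g. mode 0644).
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Print MISSING, OK, LOOSE (readable, no credentials) or WEAK (readable + credentials).
audit_snmpd_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then echo MISSING; return 0; fi
    if ! readable_by_others "$conf"; then echo OK; return 0; fi
    if [ "$(count_cred_lines "$conf")" -gt 0 ]; then echo WEAK; else echo LOOSE; fi
}

# Demo on a constructed sample file (assumption: same directives as the advisory's excerpt).
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
rocommunity public default -V systemonly
#rocommunity secret 10.0.0.0/16
rouser authOnlyUser
#rwuser authPrivUser priv
EOF
    chmod 0644 "$sample"                       # mode shipped by the affected package
    echo "before: $(audit_snmpd_conf "$sample")"
    chmod 0600 "$sample"                       # mode the advisory says it should be
    echo "after:  $(audit_snmpd_conf "$sample")"
    rm -f "$sample"
}

demo
```

On a host with the package installed, `audit_snmpd_conf /etc/snmp/snmpd.conf` reports the state of the real file.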
## Vendor Response

This problem has been fixed in the -STABLE and -CURRENT packages.

## Report Timeline

* Nov 04, 2015: Vulnerability found by Pierre Kim.
* Nov 06, 2015: Stuart Henderson is notified of the vulnerability.
* Nov 06, 2015: Stuart Henderson confirms the vulnerability and fixes the package permissions for the sample configuration file in -current and -stable.
* Nov 06, 2015: Stuart Henderson re-activates an option (can be configured with rc.conf.local) to run net-snmp as a separate uid to improve security.
* Nov 10, 2015: OSS-Security is contacted to get a CVE.
* Nov 10, 2015: cve-assign@mitre.org assigns CVE-2015-8100.
* Nov 12, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Pierre Kim (@PierreKimSec).

## References

https://pierrekim.github.io/advisories/CVE-2015-8100-openbsd-net-snmp.txt
http://openports.se/net/net-snmp

## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

--
Pierre Kim
pierre.kim.sec@gmail.com
@PierreKimSec
https://pierrekim.github.io/