Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 504316 (CVE-2014-2310)

Summary: net-analyzer/net-snmp : AgentX incorrectly handles multi-object requests leading to DoS (CVE-2014-2310)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: netmon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1074631
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-03-12 11:26:43 UTC 
From ${URL} :

It was reported [1],[2]that the AgentX subagent of net-snmp could be stalled when a manager sent a 
multi-object request with a different number subids.  This could lead to a denial of service.

This has been corrected upstream in version 5.4.4 [3]; 

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684388
[2] http://seclists.org/oss-sec/2014/q1/513
[3] http://sourceforge.net/p/net-snmp/patches/1113/


@security: please file the request for the GLSA.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-12 15:58:27 UTC 
(In reply to Agostino Sarubbo from comment #0)
> From ${URL} :
> 
> It was reported [1],[2]that the AgentX subagent of net-snmp could be stalled
> when a manager sent a 
> multi-object request with a different number subids.  This could lead to a
> denial of service.
> 
> This has been corrected upstream in version 5.4.4 [3]; 

And the full quotation is:

   "
    This has been corrected upstream in version 5.4.4 [3]; only earlier
    versiona[sic] are affected.  This means that Fedora and Red Hat Enterprise
    Linux 6 are not affected, however Red Hat Enterprise Linux 5 does ship a
    vulnerable version (5.3.x).
   "

5.3.x left the tree in 2007, 5.4.x in 2012.


Ad [3]: The patch is from 2010 and was accepted in 5.3.x and later. The first clean version to enter the tree was probably 5.6.1 which never went stable, but 5.7.2_rc1 did in 2012 (bug #431752).

So it's basically a bug in RH and Debian.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 21:27:59 UTC 
CVE-2014-2310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2310):
  The AgentX subagent in Net-SNMP before 5.4.4 allows remote attackers to
  cause a denial of service (hang) by sending a multi-object request with an
  Object ID (OID) containing more subids than previous requests, a different
  vulnerability than CVE-2012-6151.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-04-30 03:38:06 UTC 
Maintainers, thank you for your confirmation work. 

No GLSA needed since we are not vulnerable, closing.