The Simple Network Management Protocol (SNMP) is a pervasive part of IT infrastructure. It quietly powers network monitoring, printer management, device discovery, and more. But like any widely used software, it occasionally faces security issues. One such vulnerability—assigned CVE-2022-24810—impacts net-snmp, a toolkit found everywhere from Linux servers to embedded appliances.

In this article, we’ll break down what this vulnerability means, how it works, and how you can protect your systems. We'll use simple language and show you hands-on details, including code samples, so you can better understand the risks and fixes.

What is net-snmp?

net-snmp is one of the most popular open-source SNMP implementation libraries and toolkits. It lets your computer or device speak SNMP, so tools like Zabbix, Nagios, or even home-grown scripts can check the status of hardware, print jobs, and network traffic.

About CVE-2022-24810

In April 2022, a serious vulnerability was found in net-snmp before version 5.9.2. Here’s the gist:

Who is affected? Anyone running net-snmp before version 5.9.2

- What happens? An authenticated attacker (someone with an SNMP "write" credential) can crash the SNMP daemon (snmpd) using a malformed OID in a SET operation, leading to a NULL pointer dereference.
- How? The bug lives in the code handling the *nsVacmAccessTable* (a table controlling SNMP access). If the OID (Object Identifier) you try to SET is strange or malformed, the service might dereference a NULL pointer—making the process crash.

The Official Advisory

You can read the official advisory on GitHub: net-snmp security advisory 4 and NIST/NVD entry for CVE-2022-24810.

Vulnerable Code (Simplified)

The bug is in handling OIDs passed to a SET that target the *nsVacmAccessTable*.

Here's a simplified version of the problematic code

// This is illustrative, not exact source code
netsnmp_variable_list *var;
if (var->name_length < expected_length) {
    // Due to missing checks, the wrong pointer gets dereferenced
    some_structure = get_pointer_from_oid(var->name); // May return NULL
    do_something(some_structure->field); // <-- OOPS! If NULL, crash here.
}

The actual root cause is failing to validate OID length or structure before using pointers derived from them.

Attack: Crafting a Malicious SNMP Packet

To exploit this, the attacker must have read-write SNMP credentials. For example, in SNMPv2c you'd need the *community string* that's allowed to do SET operations.

The attacker then sends a SET request with a deliberately bad OID targeting the nsVacmAccessTable, triggering the crash.

Suppose the community string is private and your target device is 192.168.1.100

snmpset -v2c -c private 192.168.1.100 \
  NET-SNMP-VACM-MIB::nsVacmAccessStatus.'malformed' i 6

- The .'malformed' part in the OID will make the server misinterpret the intent and may trigger the crash if using a version before 5.9.2.

What does "NULL pointer dereference" mean?

Basically, the software tries to use memory that hasn’t been set—leading to a crash. In Linux, this means the snmpd daemon will be killed and must be restarted. There is no code execution risk, but it can crash your device/service (leading to denial of service).

1. Upgrade net-snmp to Version 5.9.2 or Later

The patch adds proper OID checks.

Debian/Ubuntu

sudo apt-get update
sudo apt-get install netsnmp

(make sure snmpd -v shows 5.9.2 or later)

Red Hat/CentOS

sudo yum update net-snmp

Or, rebuild from source releases.

2. Use SNMPv3 Whenever Possible

SNMPv3 provides real authentication and encryption.

Here's a sample snmpd.conf for SNMPv3

createUser MyUser SHA "AuthPassWord" AES "PrivPassWord"
rouser  MyUser   priv

And to access

snmpset -v3 -l authPriv -u MyUser -a SHA -A AuthPassWord -x AES -X PrivPassWord 192.168.1.100 ...

If you must use SNMPv1/v2c

- Use complex community strings (not public / private)

- Restrict SNMP access to trusted IP addresses via snmpd.conf

  rocommunity mySecretString 192.168.1./24

4. Monitor and Restrict Access to the nsVacmAccessTable

This table is rarely needed for external management. If you’re not using it, consider restricting write access.

References and Further Reading

- GitHub net-snmp advisory for CVE-2022-24810
- NIST NVD Entry: CVE-2022-24810
- net-snmp Official Site
- net-snmp 5.9.2 Changelog
- How To Set Up SNMPv3 on Linux

Summary

CVE-2022-24810 affects all net-snmp deployments prior to 5.9.2, letting an attacker with SNMP SET access crash the daemon using a malformed OID. The fix is straightforward: upgrade. And as always, use strong authentication, least privilege, and network access controls for all your management interfaces.

Timeline

Published on: 04/16/2024 20:15:09 UTC
Last modified on: 04/17/2024 12:48:31 UTC