CVE-2022-24810: Critical Vulnerability in net-snmp Allows NULL Pointer Dereference via Malformed OID

Net-SNMP is a widely used suite of tools that helps administrators efficiently manage computer networks using the Simple Network Management Protocol (SNMP). However, a critical vulnerability (CVE-2022-24810) exists in net-snmp versions prior to 5.9.2, which can result in a NULL pointer dereference and potential Denial of Service (DoS) attacks.

Vulnerability Details

The vulnerability arises when a user with read-write credentials sends a malformed OID (Object Identifier) in a SET request to the nsVacmAccessTable. A NULL pointer dereference occurs when the agent attempts to process the malformed OID, potentially crashing the process or causing other unexpected behavior. Note that triggering this bug requires read-write credentials; a malicious user who holds them can crash the SNMP agent and thereby cause a full Denial of Service.

It's highly recommended for users to upgrade to net-snmp version 5.9.2, which contains a patch that fixes this vulnerability. The patch can be found in the following commit:
https://github.com/net-snmp/net-snmp/commit/d622493636448c517d3958c695aaf43fb53e4f8

To further mitigate the risk of exploitation, users should use strong SNMPv3 credentials and avoid sharing those credentials with other users. Those who must continue using SNMPv1 or SNMPv2c should employ a complex community string and additionally restrict access to a specific source IP address range.
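As an added illustration that is not part of the original advisory or the net-snmp project, the following snmpd.conf fragment places the weak configuration beside one that applies the mitigations above; the community strings, passphrases, user name and the 192.0.2.0/24 range are constructed placeholders.

```conf
# --- Weak: any host that guesses the community string gets read-write access ---
rwcommunity public

# --- Hardened ---
# SNMPv2c, read-only only, and only from the management subnet
# (192.0.2.0/24 is a constructed placeholder range).
rocommunity  mgmt-ro-R4nd0mStr1ng  192.0.2.0/24

# SNMPv3 user with authentication (SHA) and privacy (AES).
# createUser is normally placed in /var/lib/net-snmp/snmpd.conf so the
# clear-text passphrases are replaced by localized keys on first start.
createUser netops SHA "constructed-auth-passphrase" AES "constructed-priv-passphrase"

# Write access is granted only to that v3 user, and only when both
# authentication and encryption ("priv") are in use.
rwuser netops priv
```

Read-write access is what the vulnerable code path requires, so confining it to an authenticated, encrypted SNMPv3 user on a known subnet shrinks the set of principals able to reach it.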

Code Snippet Demonstrating the Vulnerability

#include <net-snmp/net-snmp-config.h>
#include <net-snmp/net-snmp-includes.h>
...
int main(int argc, char **argv) {
  ...
  // The following code demonstrates a malformed OID in a SET request
  // that exploits CVE-2022-24810.

  // Initialize an OID object and set its sub-identifiers
  oid myOID[] = {1, 3, 6, 1, 6, 3, 16, 9, 2, 1, 6, 4};
  size_t myOID_len = OID_LENGTH(myOID);

  // Create and initialize the PDU (Protocol Data Unit) object with a SET request
  netsnmp_pdu *pdu = snmp_pdu_create(SNMP_MSG_SET);

  // Create the malformed variable with the set value
  char setValue[] = "value";
  size_t setValue_len = strlen(setValue);

  // Add the malformed variable to the request
  snmp_add_var(pdu, myOID, myOID_len, 's', setValue);
  ...
}


In conclusion, net-snmp users should understand the risk posed by this vulnerability (CVE-2022-24810) and act promptly to prevent exploitation. Updating to net-snmp version 5.9.2, managing credentials securely, and restricting access to specific IP address ranges significantly reduce the risk and help keep an organization's network monitoring both functional and secure.

Timeline

Published on: 04/16/2024 20:15:09 UTC
Last modified on: 04/17/2024 12:48:31 UTC