> PS: I only checked that net-snmp *is* vulnerable, I haven't checked what
> the overflows can actually do.
We don't use the SNMP library to do the ASN.1 BER decoding; we just use
it to process information from MIBs.
This doesn't mean our ASN.1 and SNMP-dissection code isn't vulnerable to
the problems alluded to by
http://www.kb.cert.org/vuls/id/107186
"SNMPv1 supports five different types of messages: GetRequest,
SetRequest, GetNextRequest, GetResponse, and Trap. A single SNMP
message is referred to as a Protocol Data Unit (PDU). These messages
are described using Abstract Syntax Notation One (ASN.1) and translated
into binary format using Basic Encoding Rules (BER). SNMP trap messages
are sent from agents to managers. Trap messages are unsolicited (the
manager does not issue a request message) and may indicate a warning or
error condition or otherwise notify the manager about the agent's state.
SNMP managers should reliably decode trap messages and process the
resulting application data. OUSPG performed two sets of tests of SNMP
trap message handling: one test focused on ASN.1 decoding, the second
looked for exceptions in the processing of the decoded data.
The results yielded multiple vulnerabilities in both the ASN.1 decoding
and the subsequent processing of SNMP trap messages by many different
SNMP managers. Vulnerabilities include denial-of-service conditions,
format string vulnerabilities, and buffer overflows. Some
vulnerabilities do not require the request message to use the correct
SNMP community string."
or by
http://www.kb.cert.org/vuls/id/854306
"SNMPv1 supports five different types of messages: GetRequest,
SetRequest, GetNextRequest, GetResponse, and Trap. A single SNMP
message is refered to as a Protocol Data Unit (PDU). These messages are
described using Abstract Syntax Notation One (ASN.1) and translated into
binary format using Basic Encoding Rules (BER). SNMP request messages
are sent from managers to agents. Request messages can poll the agent
for current performance or configuration data, ask for the next SNMP
object in a Management Information Base (MIB), or modify configuration
settings. SNMP agents should reliably decode request messages and
process the resulting application data. OUSPG performed two sets of
tests of SNMP request message handling: one test focused on ASN.1
decoding, the second looked for exceptions in the processing of the
decoded data.
The results yielded multiple vulnerabilities in both the ASN.1 decoding
and the subsequent processing of SNMP request messages by many different
SNMP agents. Vulnerabilities include denial-of-service conditions,
format string vulnerabilities, and buffer overflows. Some
vulnerabilities do not require the request message to use the correct
SNMP community string."
it just means that, if we are, it's not because we're linked with a
buggy version of NET-SNMP.
