Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OpenBSD net-snmp Information Disclosure

🗓️ 13 Nov 2015 00:00:00Reported by Pierre KimType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 44 Views

OpenBSD net-snmp Information Disclosure. Weak permissions in snmpd configuration file allow local user to retrieve sensitive information. Vulnerability found and fixed in -STABLE and -CURRENT packages

Related
Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
## Advisory Information  
  
Title: OpenBSD package 'net-snmp' information disclosure  
Advisory URL: https://pierrekim.github.io/advisories/CVE-2015-8100-openbsd-net-snmp.txt  
Blog URL: https://pierrekim.github.io/blog/2015-11-12-CVE-2015-8100-OpenBSD-package-net-snmp-information-disclosure.html  
Date published: 2015-11-12  
Vendors contacted: Stuart Henderson, OpenBSD Package maintainer  
Release mode: Released  
CVE: CVE-2015-8100  
  
  
  
## Product Description  
  
Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and  
SNMP v3 using both IPv4 and IPv6.  
  
This software is available in OpenBSD as a port (/usr/ports/net/net-snmp).  
  
  
  
## Vulnerabilities Summary  
  
By default, when OpenBSD package and ports are used, the snmpd  
configuration file  
has weak permissions which allows a local user to retrieve sensitive  
information.  
  
  
  
## Details  
  
By default the permissions of the snmpd configuration file in OpenBSD  
are 0644 instead of 0600:  
  
# cd /usr/ports/net/net-snmp  
# make install clean  
[...]  
# ls -latr /etc/snmp/snmpd.conf  
-rw-r--r-- 1 root wheel 6993 Nov 4 09:16 /etc/snmp/snmpd.conf  
#  
  
The same problem occurs when the provided package is installed with  
`pkg_add http://ftp.spline.de/pub/OpenBSD/5.8/packages/i386/net-snmp-5.7.3p0.tgz`:  
  
# ls -latr /etc/snmp/snmpd.conf  
-rw-r--r-- 1 root wheel 6993 Nov 4 08:37 /etc/snmp/snmpd.conf  
#  
  
The snmpd configuration file is readable by a local user and contains  
the credentials  
for read-only and read-write access (for SNMPv1, SNMPv2 and SNMPv3  
protocols) and  
gives a local user unnecessary/dangerous access:  
  
  
[...]  
  
rocommunity public default -V systemonly  
#rocommunity secret 10.0.0.0/16  
rouser authOnlyUser  
#rwuser authPrivUser priv  
  
[...]  
  
This problem is OpenBSD-specific as the  
/var/db/pkg/net-snmp-5.7.3p0/+CONTENTS file confirms:  
@ts 1438958635  
@sample /etc/snmp/snmpd.conf  
  
Futhermore, by default, `/usr/local/sbin/snmpd` runs as root.  
  
  
  
## Vendor Response  
  
This problem has been fixed in the -STABLE and -CURRENT packages.  
  
  
  
## Report Timeline  
  
* Nov 04, 2015: Vulnerability found by Pierre Kim.  
* Nov 06, 2015: Stuart Henderson is notified of the vulnerability.  
* Nov 06, 2015: Stuart Henderson confirms the vulnerability and fixes  
the package permissions for the sample configuration file in -current  
and -stable.  
* Nov 06, 2015: Stuart Henderson re-activates an option (can be  
configured with rc.conf.local) to run net-snmp as a separate uid to  
improve security.  
* Nov 10, 2015: OSS-Security is contacted to get a CVE  
* Nov 10, 2015: [email protected] assigns CVE-2015-8100  
* Nov 12, 2015: A public advisory is sent to security mailing lists.  
  
  
  
## Credit  
  
This vulnerability was found by Pierre Kim (@PierreKimSec).  
  
  
  
## References  
  
https://pierrekim.github.io/advisories/CVE-2015-8100-openbsd-net-snmp.txt  
http://openports.se/net/net-snmp  
  
  
  
## Disclaimer  
  
This advisory is licensed under a Creative Commons Attribution Non-Commercial  
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBCgAGBQJWRKFEAAoJEMQ+Dtp9ky28Jq4P/iUv706dteWtl9HkPHkSVbql  
yO8ZJGnJtEXX3SOR5OKd07rxwP4W1gIYJtLSTUfEk+91LRpP8ZNgDIMDG1pIKS5l  
2S+6SQ+8yQXCcnm54KAc8DQM3tJHUp/RG8/6UR30V0v83ELnLmAX01BWOMEIvle2  
N1cd59cPUZ4Qafee1p8wbyDWi1WBB1d89d7YKf3v78L34COTEBXPRLPs+DQCU7nD  
vmGzsFKcNjr8Hr2pq9aQmNmmuE82GtuEk3e1OKR5Pe4uYWoEAuFJOnswFjABDSch  
0wvWx1d6G2iOMwPIRLL+BXMgGzPpKB4KjgYPH/3OYJVXywKfEw0pBnu+Svb31/JV  
MVnnw6+fuunOLe7GxrI4M5FE2JfMD4CUiarFHRK6I5XDJm1dsvTHIsJUwA+9FTTH  
7kJY/xKHJ3YpjrKT2K2WAmvsJCTswkbvPr5LKNGgOLlUzVUetYo1hhGT6fo5ppQE  
RMpWkpX1DGJ+5RzlcLhLqguznv/SVwAA78TwailvF28LW2kSHJDOIpUht2xRdQ2Q  
JJZwcoO69qsterKF+UCcucWXDSjUjzI/Vrvm/aV+BAu4oKVG5QvVNplbHDYruLl5  
9OMF1C5+z8GcQf27u1RG69VAOx66GnPFGTPUiaKfsgqfh3jEMJw3IlT1LBCAZao4  
FXQizA+QOejXTiuHqYE9  
=qkHs  
-----END PGP SIGNATURE-----  
  
--   
Pierre Kim  
[email protected]  
@PierreKimSec  
https://pierrekim.github.io/  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Nov 2015 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.00135
openbsdnet-snmpinformation disclosureweak permissionssnmpvulnerability-stable-currentconfiguration filelocal user
44