OpenBSD net-snmp Information Disclosure Vulnerability
2015-11-14T00:00:00
ID 1337DAY-ID-24541 Type zdt Reporter Pierre Kim Modified 2015-11-14T00:00:00
Description
OpenBSD net-snmp suffers from a credential and information disclosure vulnerability.
## Advisory Information
Title: OpenBSD package 'net-snmp' information disclosure
Advisory URL: https://pierrekim.github.io/advisories/CVE-2015-8100-openbsd-net-snmp.txt
Blog URL: https://pierrekim.github.io/blog/2015-11-12-CVE-2015-8100-OpenBSD-package-net-snmp-information-disclosure.html
Date published: 2015-11-12
Vendors contacted: Stuart Henderson, OpenBSD Package maintainer
Release mode: Released
CVE: CVE-2015-8100
## Product Description
Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and
SNMP v3 using both IPv4 and IPv6.
This software is available in OpenBSD as a port (/usr/ports/net/net-snmp).
## Vulnerabilities Summary
By default, when the OpenBSD package or port is used, the snmpd
configuration file has weak permissions, which allow a local user to
retrieve sensitive information.
## Details
By default the permissions of the snmpd configuration file in OpenBSD
are 0644 instead of 0600:
    # cd /usr/ports/net/net-snmp
    # make install clean
    [...]
    # ls -latr /etc/snmp/snmpd.conf
    -rw-r--r-- 1 root wheel 6993 Nov 4 09:16 /etc/snmp/snmpd.conf
    #
The same problem occurs when the provided package is installed with
`pkg_add http://ftp.spline.de/pub/OpenBSD/5.8/packages/i386/net-snmp-5.7.3p0.tgz`:
    # ls -latr /etc/snmp/snmpd.conf
    -rw-r--r-- 1 root wheel 6993 Nov 4 08:37 /etc/snmp/snmpd.conf
    #
The snmpd configuration file is readable by any local user and contains
the credentials for read-only and read-write access (for the SNMPv1,
SNMPv2 and SNMPv3 protocols), which gives a local user
unnecessary/dangerous access:
    [...]
    rocommunity public default -V systemonly
    #rocommunity secret 10.0.0.0/16
    rouser authOnlyUser
    #rwuser authPrivUser priv
    [...]
This problem is OpenBSD-specific as the
/var/db/pkg/net-snmp-5.7.3p0/+CONTENTS file confirms:
    @ts 1438958635
    @sample /etc/snmp/snmpd.conf
Furthermore, by default, `/usr/local/sbin/snmpd` runs as root.
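A check for the condition described above, added here as an example and not part of the original advisory or of the OpenBSD package: it reads the group/other bits from `ls -ld` output, as the advisory does, and looks for active credential directives. The function name `audit_snmpd_conf`, its verdict words and the temporary sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit an snmpd.conf for the CVE-2015-8100 condition.
# Prints one verdict: ok | lax | exposed | missing (non-zero status unless ok).
audit_snmpd_conf() {
    conf=$1
    [ -f "$conf" ] || { echo missing; return 3; }
    # Characters 5-10 of the ls mode string are the group and other bits;
    # "------" means no access beyond the owner, i.e. 0600 or stricter.
    bits=$(ls -ld "$conf" | cut -c5-10)
    [ "$bits" = "------" ] && { echo ok; return 0; }
    # Active (uncommented) directives that carry community strings or
    # SNMPv3 user names and passphrases.
    if grep -Eiq '^[[:space:]]*(r[ow]community6?|r[ow]user|createuser|com2sec6?)[[:space:]]' "$conf"
    then
        echo exposed; return 1
    fi
    echo lax; return 2
}

# Constructed sample mirroring the excerpt quoted in the advisory.
demo() {
    dir=$(mktemp -d) || return 1
    sample=$dir/snmpd.conf
    cat > "$sample" <<'EOF'
rocommunity public default -V systemonly
#rocommunity secret 10.0.0.0/16
rouser authOnlyUser
#rwuser authPrivUser priv
EOF
    chmod 644 "$sample"          # the mode shipped by the affected package
    before=$(audit_snmpd_conf "$sample") || true
    chmod 600 "$sample"          # the mode the advisory says it should have
    after=$(audit_snmpd_conf "$sample") || true
    rm -rf "$dir"
    echo "0644: $before / 0600: $after"
}
demo
```

On an installed system the function would be pointed at `/etc/snmp/snmpd.conf`; a verdict of `lax` means the mode is too open but no active credential directive was found.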
## Vendor Response
This problem has been fixed in the -STABLE and -CURRENT packages.
## Report Timeline
* Nov 04, 2015: Vulnerability found by Pierre Kim.
* Nov 06, 2015: Stuart Henderson is notified of the vulnerability.
* Nov 06, 2015: Stuart Henderson confirms the vulnerability and fixes
  the package permissions for the sample configuration file in -current
  and -stable.
* Nov 06, 2015: Stuart Henderson re-activates an option (can be
  configured with rc.conf.local) to run net-snmp as a separate uid to
  improve security.
* Nov 10, 2015: OSS-Security is contacted to get a CVE.
* Nov 10, 2015: cve-assign@mitre.org assigns CVE-2015-8100.
* Nov 12, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Pierre Kim (@PierreKimSec).
## References
https://pierrekim.github.io/advisories/CVE-2015-8100-openbsd-net-snmp.txt
http://openports.se/net/net-snmp
## Disclaimer
This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
--
Pierre Kim
pierre.kim.sec@gmail.com
@PierreKimSec
https://pierrekim.github.io/