Vigil@nce: Net-SNMP, bypassing tcpwrappers
February 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When access restrictions to Net-SNMP are managed by tcpwrappers,
rules are incorrectly defined.
Gravity: 2/4
Consequences: data reading, data flow
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 12/02/2009
IMPACTED PRODUCTS
– Fedora
– Net-SNMP
DESCRIPTION OF THE VULNERABILITY
The tcpwrappers environment uses /etc/hosts.allow and
/etc/hosts.deny files to define IP addresses of computers allowed
to connect to a service. The service then uses functions of the
libwrap library, such as hosts_ctl() which checks if a session is
allowed.
The netsnmp_udp_fmtaddr() function of net-snmp/snmplib/snmpUDPDomain.c
generates a string which represents the current connection. This
function is used for logging, and also for the hosts_ctl() check.
However, netsnmp_udp_fmtaddr() reverses source and destination IP
addresses. The rule used for hosts_ctl() is thus also reversed. For
example, if an IP address is blocked, it is in fact blocked as a
destination address, which does not forbid the connection from
this IP address.
When access restrictions to Net-SNMP are managed by tcpwrappers,
rules are therefore incorrectly defined.
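
The effect of the reversed addresses on a deny rule can be reproduced with a simplified model. This is an added example, not code from Net-SNMP or libwrap: fmt_conn(), access_allowed(), check_request() and all addresses are hypothetical stand-ins, constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed deny list (documentation addresses), standing in for hosts.deny. */
static const char *DENIED[] = { "192.0.2.66" };

/* Hypothetical formatter: builds the connection string. With swapped != 0 it
 * models the flaw by writing the destination where the source belongs. */
static void fmt_conn(char *out, size_t n, const char *src, const char *dst,
                     int swapped)
{
    snprintf(out, n, "[%s]->[%s]", swapped ? dst : src, swapped ? src : dst);
}

/* Hypothetical stand-in for the wrapper check: treats the first bracketed
 * address as the client. Returns 1 = allowed, 0 = denied (also on bad input). */
static int access_allowed(const char *conn)
{
    char client[64];
    const char *lb = strchr(conn, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    size_t len, i;
    if (!lb || !rb || (size_t)(rb - lb - 1) >= sizeof client)
        return 0;                       /* fail closed on malformed string */
    len = (size_t)(rb - lb - 1);
    memcpy(client, lb + 1, len);
    client[len] = '\0';
    for (i = 0; i < sizeof DENIED / sizeof DENIED[0]; i++)
        if (strcmp(client, DENIED[i]) == 0)
            return 0;
    return 1;
}

/* Formats the connection, then runs the access check on the result. */
int check_request(const char *src, const char *dst, int swapped)
{
    char conn[160];
    fmt_conn(conn, sizeof conn, src, dst, swapped);
    return access_allowed(conn);
}

int main(void)
{
    printf("correct order: %d\n", check_request("192.0.2.66", "198.51.100.10", 0));
    printf("swapped order: %d\n", check_request("192.0.2.66", "198.51.100.10", 1));
    return 0;
}
```

With the correct order the denied client is refused; with the swapped order the same client is accepted, and the rule only matches when the denied address is the destination. A check of this shape can serve as a regression test after applying the vendor update.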
CHARACTERISTICS
Identifiers: 250429, 485211, BID-33755, CVE-2008-6123,
FEDORA-2009-1769, VIGILANCE-VUL-8469
http://vigilance.fr/vulnerability/Net-SNMP-bypassing-tcpwrappers-8469