Vigil@nce: Net-SNMP, denial of service
September 2008 by Vigil@nce
An attacker can use IPv6 packets in order to create a denial of
service in snmplib.
– Gravity: 2/4
– Consequences: denial of service of service
– Provenance: internet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 08/09/2008
– Identifier: VIGILANCE-VUL-8094
IMPACTED PRODUCTS
– Net-SNMP [confidential versions]
DESCRIPTION
The snmplib library supports queries on IPv6. IPv6 addresses are
formatted by following functions:
– netsnmp_tcp6_fmtaddr() of snmpTCPIPv6Domain.c
– netsnmp_udp6_fmtaddr() of snmpUDPIPv6Domain.c
However, these functions use a temporary array short of 10
characters. A non simplified IPv6 address (not containing zeros,
such as 1111:2222:3333:4444:5555:6666:7777:8888) therefore create
a buffer overflow in a sprintf() function.
This overflow stops applications linked to libsnmp. Code execution
is difficult because only "0-9a-f:[]" characters are used.
CHARACTERISTICS
– Identifiers: VIGILANCE-VUL-8094
– Url: https://vigilance.aql.fr/tree/1/8094