Gravity: 2/4
 Consequences: denial of service of service
 Provenance: internet client
 Means of attack: no proof of concept, no attack
 Ability of attacker: expert (4/4)
 Confidence: confirmed by the editor (5/5)
 Diffusion of the vulnerable configuration: medium (2/3)
 Creation date: 08/09/2008
 Identifier: VIGILANCE-VUL-8094

IMPACTED PRODUCTS

 Net-SNMP [confidential versions]

DESCRIPTION

The snmplib library supports queries on IPv6. IPv6 addresses are formatted by following functions:
 netsnmp_tcp6_fmtaddr() of snmpTCPIPv6Domain.c
 netsnmp_udp6_fmtaddr() of snmpUDPIPv6Domain.c

However, these functions use a temporary array short of 10 characters. A non simplified IPv6 address (not containing zeros, such as 1111:2222:3333:4444:5555:6666:7777:8888) therefore create a buffer overflow in a sprintf() function.

This overflow stops applications linked to libsnmp. Code execution is difficult because only "0-9a-f:[]" characters are used.

CHARACTERISTICS

 Identifiers: VIGILANCE-VUL-8094
 Url: https://vigilance.aql.fr/tree/1/8094