Note: This is an archival copy of Security Sun Alert 201266 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000949.1.
Article ID : 1000949.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-06-03
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability With snmpd(1M) When Processing Certain AgentX Subagent Requests



Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6314978

Date of Workaround Release
24-MAY-2007

Date of Resolved Release
04-JUN-2007

Impact

When the System Management Agent (SMA) SNMP daemon (snmpd(1M)) is running in "master agentx" mode, a security vulnerability may allow a local or remote unprivileged user to create a Denial of Service (DoS) condition by causing a particular TCP disconnect.

This issue is described in the following document:

CVE-2005-4837 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4837


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 120272-07

x86 Platform

  • Solaris 10 without patch 120273-08

Notes:

  1. Solaris 8 and Solaris 9 do not ship with the Net-SNMP software and thus are not impacted by this issue.
  2. The Net-SNMP software was not bundled with Solaris prior to Solaris 10. However, customers who have built and/or installed a vulnerable version of Net-SNMP on any version of Solaris are at risk. (See the Net-SNMP web site to download the latest version of Net-SNMP, which addresses this issue.)
  3. The Solaris 10 patches which address this vulnerability do not increment the version of Net-SNMP. The version of Net-SNMP supplied with the patches will still be reported as 5.0.9.

This issue only affects systems which have the SUNWsmagt package installed and AgentX enabled. To determine if the SUNWsmagt package is installed on the system, the following command can be run:

    $ pkginfo -l SUNWsmagt
    PKGINST: SUNWsmagt
    NAME: System Management Agent files and libraries
    CATEGORY: system
    VERSION: 1.0,REV=2005.01.08.05.16

To confirm the version of Net-SNMP installed on the system, the following command can be run:

    $ /usr/sfw/sbin/snmpd -v
    NET-SNMP version:  5.0.9
    Web:   http://www.net-snmp.org/
    Email: net-snmp-coders@lists.sourceforge.net

If the version reported is 5.0.9 or earlier and the above patch is not installed then the described issue may occur.

By default, AgentX support is turned off. This issue will only occur if AgentX support is enabled explicitly. To determine if AgentX support is enabled, the following command can be run (as 'root'):

    # grep agentx /etc/sma/snmp/snmpd.conf
    master agentx

The above output indicates AgentX support is enabled and snmpd(1M) is vulnerable. If the above command produces no output, then snmpd(1M) is not vulnerable.


Symptoms

Should the described issue occur, snmpd(1M) will core dump.


Workaround

To work around the described issue, disable AgentX support by commenting out the "master agentx" entry in the "/etc/sma/snmp/snmpd.conf" file, as in the following example:

    #master agentx

then restart SMA with the following command:

    # /etc/init.d/init.sma restart

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 120272-07 or later

x86 Platform

  • Solaris 10 with patch 120273-08 or later
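
The checks described in Contributing Factors, Workaround and Resolution can be combined into one script. The following is an added example, not part of the original Sun Alert; the function names are hypothetical, it assumes SUNWsmagt is installed, and it assumes the patch list is supplied in the "Patch: <id>-<rev> ..." line format printed by showrev -p.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert. Function names are hypothetical.
# On Solaris 10 set AWK=nawk: /usr/bin/awk there lacks -v.
AWK=${AWK:-awk}

# agentx_enabled CONF
# Succeeds only if CONF holds an active "master agentx" directive. A bare
# `grep agentx` also matches the "#master agentx" line the workaround
# leaves behind; comparing whole fields skips commented-out entries.
agentx_enabled() {
    "$AWK" '$1 == "master" && $2 == "agentx" { on = 1 }
            END { exit(on ? 0 : 1) }' "$1" 2>/dev/null
}

# patch_at_least BASE MINREV   (patch list on stdin)
# Succeeds if a "Patch: BASE-NN" line has NN >= MINREV. Revisions are
# compared as numbers so that "08" is never read as octal.
patch_at_least() {
    "$AWK" -v base="$1" -v min="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= min + 0) ok = 1
        }
        END { exit(ok ? 0 : 1) }'
}

# assess CONF BASE MINREV   (patch list on stdin)
# Prints one of: patched | vulnerable | unpatched-agentx-off
assess() {
    if patch_at_least "$2" "$3"; then
        echo patched
    elif agentx_enabled "$1"; then
        echo vulnerable
    else
        echo unpatched-agentx-off
    fi
}

# Live use, SPARC (x86: 120273 08):
#   showrev -p | assess /etc/sma/snmp/snmpd.conf 120272 07

# Constructed sample: workaround applied, patch one revision short.
printf '%s\n' '#master agentx' | agentx_enabled - || echo "AgentX disabled"
echo 'Patch: 120272-06 Obsoletes: Requires: Packages: SUNWsmagt' |
    patch_at_least 120272 07 || echo "120272-07 or later not installed"
```

A result of unpatched-agentx-off means the workaround is holding but the host becomes exposed again as soon as "master agentx" is re-enabled without the patch.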


Modification History
Date: 04-JUN-2007
  • Updated Contributing Factors and Resolution sections
  • State: Resolved

 



References

120272-07
120273-08



