Date: Tue, 10 Nov 2015 06:35:21 +0900
From: Pierre Kim <>
Subject: CVE request: net-snmp OpenBSD package - insecure file permission vulnerability


I am contacting you to request a CVE about the OpenBSD net-snmp
package (/usr/ports/net/net-snmp),
concerning an insecure file permission vulnerability.

After installing the net-snmp package, I noticed there is a security problem.

By default the permissions of the snmpd configuration file are 0644
instead of 0600:

  # cd /usr/ports/net/net-snmp
  # make install clean
  ===>  Installing net-snmp-5.7.3p0 from /usr/ports/packages/i386/all/
  net-snmp-5.7.3p0: ok
  The following new rcscripts were installed: /etc/rc.d/netsnmpd
  See rcctl(8) for details.
  ===>  Cleaning for net-snmp-5.7.3p0
  # ls -latr /etc/snmp/snmpd.conf
  -rw-r--r--  1 root  wheel  6993 Nov  4 09:16 /etc/snmp/snmpd.conf

  # uname -ap
  OpenBSD 5.8 GENERIC#1066 i386 i386

The same problem occurs when the provided package is installed with

  # ls -latr /etc/snmp/snmpd.conf
  -rw-r--r--  1 root  wheel  6993 Nov  4 08:37 /etc/snmp/snmpd.conf

The snmpd configuration file is readable by a local user and contains
the credentials for read-only and read-write access (for SNMPv1, SNMPv2
and SNMPv3 protocols) and gives a local user unnecessary/dangerous access:


  rocommunity public  default    -V systemonly
  #rocommunity secret
  rouser   authOnlyUser
  #rwuser   authPrivUser   priv


Furthermore, by default, `/usr/local/sbin/snmpd` runs as root.

This problem is OpenBSD-specific as the
/var/db/pkg/net-snmp-5.7.3p0/+CONTENTS file confirms:
  @ts 1438958635
  @sample /etc/snmp/snmpd.conf

Stuart Henderson, the OpenBSD package maintainer, confirmed the
problem and stated that the permissions for
the configuration file (/etc/snmp/snmpd.conf) are now fixed in
-current and -stable.

This issue was OpenBSD-specific and affected the net-snmp package/port
for years.


Pierre Kim
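As an added example (not part of Pierre Kim's report or of the OpenBSD port), a POSIX sh check for the condition described above: it flags an snmpd.conf that is readable by group or others while carrying active credential directives, and applies the 0600 fix the maintainer adopted. The function names and the sample file content are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original report: audit an snmpd.conf for
# "credentials in a file other local users can read" and remediate it.
# Uses only ls/cut/grep/chmod so it behaves the same on BSD and GNU userland.

# Return 0 when the file is safe, 1 when it is group/world readable AND holds
# credential directives, 2 when the file does not exist.
audit_snmpd_conf() {
    f="$1"
    [ -f "$f" ] || { echo "audit: $f: no such file" >&2; return 2; }

    # Mode string from ls -ld, e.g. "-rw-r--r--": column 5 is the group
    # read bit, column 8 the "other" read bit.
    mode=$(ls -ld "$f" | cut -c1-10)
    grp_r=$(printf '%s' "$mode" | cut -c5)
    oth_r=$(printf '%s' "$mode" | cut -c8)

    # Active (uncommented) net-snmp directives that carry community strings
    # or USM user names; a leading '#' means the line is not a directive.
    if grep -Eq '^[[:space:]]*(rocommunity|rwcommunity|rouser|rwuser|com2sec)[[:space:]]' "$f"; then
        creds=1
    else
        creds=0
    fi

    if [ "$creds" -eq 1 ] && { [ "$grp_r" = "r" ] || [ "$oth_r" = "r" ]; }; then
        echo "WARN: $f is $mode and contains SNMP credentials; expected 0600" >&2
        return 1
    fi
    return 0
}

# Remediation: owner-only access, matching the fixed port's permissions.
fix_snmpd_conf() {
    chmod 0600 "$1"
}

# Demonstration on a constructed copy of the default credential lines
# (sample content, not the real /etc/snmp/snmpd.conf), installed as 0644.
demo=$(mktemp) || exit 2
printf '%s\n' 'rocommunity public  default    -V systemonly' \
              '#rocommunity secret' 'rouser   authOnlyUser' \
              '#rwuser   authPrivUser   priv' > "$demo"
chmod 0644 "$demo"
audit_snmpd_conf "$demo" || fix_snmpd_conf "$demo"
audit_snmpd_conf "$demo" && echo "OK: $demo is now $(ls -ld "$demo" | cut -c1-10)"
rm -f "$demo"
```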
