Date: Tue, 10 Nov 2015 06:35:21 +0900
From: Pierre Kim <pierre.kim.sec@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: net-snmp OpenBSD package - insecure file permission vulnerability

Hello,

I am contacting you to request a CVE about the OpenBSD net-snmp
package (/usr/ports/net/net-snmp, http://openports.se/net/net-snmp),
concerning an insecure file permission vulnerability.


After installing the net-snmp package, I noticed there is a security problem.

By default the permissions of the snmpd configuration file are 0644
instead of 0600:

  # cd /usr/ports/net/net-snmp
  # make install clean
  ===>  Installing net-snmp-5.7.3p0 from /usr/ports/packages/i386/all/
  net-snmp-5.7.3p0: ok
  The following new rcscripts were installed: /etc/rc.d/netsnmpd
/etc/rc.d/netsnmptrapd
  See rcctl(8) for details.
  ===>  Cleaning for net-snmp-5.7.3p0
  # ls -latr /etc/snmp/snmpd.conf
  -rw-r--r--  1 root  wheel  6993 Nov  4 09:16 /etc/snmp/snmpd.conf
  #

  # uname -ap
  OpenBSD foo.my.domain 5.8 GENERIC#1066 i386 i386
  #


The same problem occurs when the provided package is installed with
`pkg_add http://ftp.spline.de/pub/OpenBSD/5.8/packages/i386/net-snmp-5.7.3p0.tgz`:

  # ls -latr /etc/snmp/snmpd.conf
  -rw-r--r--  1 root  wheel  6993 Nov  4 08:37 /etc/snmp/snmpd.conf
  #

The snmpd configuration file is readable by a local user and contains
the credentials for read-only and read-write access (for SNMPv1, SNMPv2
and SNMPv3 protocols) and gives a local user unnecessary/dangerous access:

  [...]

  rocommunity public  default    -V systemonly
  #rocommunity secret  10.0.0.0/16
  rouser   authOnlyUser
  #rwuser   authPrivUser   priv

  [...]

Furthermore, by default, `/usr/local/sbin/snmpd` runs as root.

This problem is OpenBSD-specific as the
/var/db/pkg/net-snmp-5.7.3p0/+CONTENTS file confirms:
  @ts 1438958635
  @sample /etc/snmp/snmpd.conf



Stuart Henderson, the OpenBSD package maintainer, confirmed the problem
and stated that the permissions for the configuration file
(/etc/snmp/snmpd.conf) are now fixed in -current and -stable.

This issue was OpenBSD-specific and affected the net-snmp package/port
for years.

Regards,

-- 
Pierre Kim
pierre.kim.sec@...il.com
@PierreKimSec
https://pierrekim.github.io/
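A defender-side audit for the condition described in this report, added here as an example and not part of the original post or of the OpenBSD port: it flags an snmpd.conf whose mode bits grant group or other read access, counts the credential-bearing directives it holds (the directive names are those documented for snmpd.conf; the function names are this example's own), and exercises itself on a constructed copy of the fragment quoted above.

```shell
#!/bin/sh
# Audit an snmpd.conf for the @sample-style 0644 install described in the
# report. Added example, not code from the original post or from the port.

# snmpd.conf directives that carry community strings or SNMPv3 user names.
CRED_RE='^[[:space:]]*(rocommunity|rwcommunity|rocommunity6|rwcommunity6|rouser|rwuser|createUser)[[:space:]]'

# Return 0 if the group or other mode bits include read, 1 otherwise.
# Parses `ls -ld` so it works the same on OpenBSD and GNU userlands.
readable_by_others() {
    mode=$(ls -ld "$1" | cut -c5-10)    # e.g. "r--r--" for 0644, "------" for 0600
    case "$mode" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Count active (uncommented) credential directives; "|| :" keeps grep's
# exit status 1 on zero matches from aborting callers running under set -e.
count_credentials() {
    grep -Ec "$CRED_RE" "$1" || :
}

# Verdict for one file: 2 = credentials exposed to non-root, 1 = readable by
# non-root but no credential lines found, 0 = owner-only, 3 = missing file.
audit_snmpd_conf() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f"; return 3; }
    n=$(count_credentials "$f")
    if readable_by_others "$f"; then
        if [ "$n" -gt 0 ]; then
            echo "EXPOSED: $f readable by non-root, $n credential line(s); fix: chmod 600 $f"
            return 2
        fi
        echo "WARN: $f readable by non-root (no credential lines found)"
        return 1
    fi
    echo "OK: $f is owner-only ($n credential line(s))"
    return 0
}

# Write a constructed snmpd.conf fragment (the lines quoted in the report) to $1.
make_sample_conf() {
    printf '%s\n' 'rocommunity public  default    -V systemonly' \
        '#rocommunity secret  10.0.0.0/16' 'rouser   authOnlyUser' \
        '#rwuser   authPrivUser   priv' > "$1"
}

# Demo on a constructed file; the real target is /etc/snmp/snmpd.conf.
tmp=$(mktemp) && make_sample_conf "$tmp"
chmod 644 "$tmp"; audit_snmpd_conf "$tmp" || echo "exit status $?"   # EXPOSED, status 2
chmod 600 "$tmp"; audit_snmpd_conf "$tmp" || echo "exit status $?"   # OK, status 0
rm -f "$tmp"
```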
