Date: Tue, 10 Nov 2015 06:35:21 +0900
From: Pierre Kim <pierre.kim.sec@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: net-snmp OpenBSD package - insecure file permission vulnerability

Hello,

I am contacting you to request a CVE about the OpenBSD net-snmp package
(/usr/ports/net/net-snmp, http://openports.se/net/net-snmp), concerning an
insecure file permission vulnerability.

After installing the net-snmp package, I noticed there is a security problem.
By default the permissions of the snmpd configuration file are 0644 instead of
0600:

# cd /usr/ports/net/net-snmp
# make install clean
===> Installing net-snmp-5.7.3p0 from /usr/ports/packages/i386/all/
net-snmp-5.7.3p0: ok
The following new rcscripts were installed: /etc/rc.d/netsnmpd /etc/rc.d/netsnmptrapd
See rcctl(8) for details.
===> Cleaning for net-snmp-5.7.3p0
# ls -latr /etc/snmp/snmpd.conf
-rw-r--r--  1 root  wheel  6993 Nov  4 09:16 /etc/snmp/snmpd.conf
#
# uname -ap
OpenBSD foo.my.domain 5.8 GENERIC#1066 i386 i386
#

The same problem occurs when the provided package is installed with
`pkg_add http://ftp.spline.de/pub/OpenBSD/5.8/packages/i386/net-snmp-5.7.3p0.tgz`:

# ls -latr /etc/snmp/snmpd.conf
-rw-r--r--  1 root  wheel  6993 Nov  4 08:37 /etc/snmp/snmpd.conf
#

The snmpd configuration file is readable by a local user and contains the
credentials for read-only and read-write access (for SNMPv1, SNMPv2 and SNMPv3
protocols) and gives a local user unnecessary/dangerous access:

[...]
rocommunity public default -V systemonly
#rocommunity secret 10.0.0.0/16
rouser authOnlyUser
#rwuser authPrivUser priv
[...]

Furthermore, by default, `/usr/local/sbin/snmpd` runs as root.

This problem is OpenBSD-specific as the /var/db/pkg/net-snmp-5.7.3p0/+CONTENTS
file confirms:

@ts 1438958635
@sample /etc/snmp/snmpd.conf

Stuart Henderson, the OpenBSD package maintainer, confirmed the problem and
stated that the permissions for the configuration file (/etc/snmp/snmpd.conf)
are now fixed in -current and -stable.

This issue was OpenBSD-specific and affected the net-snmp package/port for years.

Regards,

--
Pierre Kim
pierre.kim.sec@...il.com
@PierreKimSec
https://pierrekim.github.io/
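The check a system administrator would want after reading the report above: does an installed snmpd.conf grant read access beyond its owner, and does it actually carry community strings or USM user names when it does? The script below is an added example written for this page; it is not code from Pierre Kim's post, from the net-snmp project or from the OpenBSD port. The function names (`is_group_or_world_accessible`, `credential_lines`, `audit_snmpd_conf`, `harden_snmpd_conf`) and the sample configuration it audits are this example's own constructions. It deliberately uses only ls(1), cut(1), grep(1) and chmod(1) so the same file runs unchanged on OpenBSD and Linux, and it applies the same fix the maintainer shipped (owner-only 0600) rather than anything stronger.

```sh
#!/bin/sh
# Added example: audit an snmpd.conf for non-owner readability combined with
# credential-bearing directives, then tighten it to 0600.
# Hypothetical helper names; sample config below is constructed, not the
# package's real file.

# net-snmp directives that carry community strings, user names or passphrases.
CRED_DIRECTIVES='rocommunity|rwcommunity|rocommunity6|rwcommunity6|com2sec|com2sec6|rouser|rwuser|createUser'

# Exit 0 when any group or "other" permission bit is set (i.e. not 0600/0400).
# Parses the ls(1) mode string, which is identical on OpenBSD and Linux,
# instead of stat(1), whose flags differ between the two.
is_group_or_world_accessible() {
    bits=$(ls -ld "$1" | cut -c5-10)   # "r--r--" for 0644, "------" for 0600
    [ "$bits" != "------" ]
}

# Print the active (non-commented) credential-bearing lines of the config.
# grep exits 1 when there are none, so callers can test the result.
credential_lines() {
    grep -E "^[[:space:]]*($CRED_DIRECTIVES)[[:space:]]" "$1"
}

# Exit 0: owner-only file. Exit 1: readable by non-owners AND holds credentials
# (the condition reported above). Exit 2: loosely permissioned but credential-free.
audit_snmpd_conf() {
    conf=$1
    if ! is_group_or_world_accessible "$conf"; then
        echo "OK: $conf is owner-only ($(ls -ld "$conf" | cut -c1-10))"
        return 0
    fi
    if lines=$(credential_lines "$conf"); then
        echo "INSECURE: $conf is readable by non-owners and contains credentials:"
        printf '%s\n' "$lines" | sed 's/^/    /'
        return 1
    fi
    echo "WARN: $conf is readable by non-owners (no credential directives found)"
    return 2
}

# The fix the maintainer applied: restrict the file to its owner.
harden_snmpd_conf() {
    chmod 0600 "$1"
}

# Stand-alone demo on a constructed copy that mirrors the directives quoted
# in the report (commented lines must not be reported as live credentials).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/snmpd.conf"
cat > "$demo_conf" <<'EOF'
# constructed sample, not /etc/snmp/snmpd.conf from the package
rocommunity public default -V systemonly
#rocommunity secret 10.0.0.0/16
rouser authOnlyUser
#rwuser authPrivUser priv
EOF
chmod 0644 "$demo_conf"                 # the mode the report found
audit_snmpd_conf "$demo_conf" || echo "audit exit status: $?"
harden_snmpd_conf "$demo_conf"
audit_snmpd_conf "$demo_conf"
rm -rf "$demo_dir"
```

Run it as any user; on the constructed 0644 copy it reports the two live directives (`rocommunity public ...` and `rouser authOnlyUser`) and exits 1, and after `harden_snmpd_conf` it exits 0. Pointing `audit_snmpd_conf` at the real /etc/snmp/snmpd.conf on an affected 5.8 box would need no change. Note that the check only covers the file itself; the report's second observation, that snmpd runs as root, is a separate matter that a permission fix does not address.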