Date: Tue, 10 Nov 2015 06:35:21 +0900
From: Pierre Kim <pierre.kim.sec@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: net-snmp OpenBSD package - insecure file permission vulnerability

Hello,

I am contacting you to request a CVE about the OpenBSD net-snmp package
(/usr/ports/net/net-snmp, http://openports.se/net/net-snmp), concerning an
insecure file permission vulnerability.

After installing the net-snmp package, I noticed there is a security problem.
By default the permissions of the snmpd configuration file are 0644 instead of
0600:

  # cd /usr/ports/net/net-snmp
  # make install clean
  ===> Installing net-snmp-5.7.3p0 from /usr/ports/packages/i386/all/
  net-snmp-5.7.3p0: ok
  The following new rcscripts were installed: /etc/rc.d/netsnmpd /etc/rc.d/netsnmptrapd
  See rcctl(8) for details.
  ===> Cleaning for net-snmp-5.7.3p0
  # ls -latr /etc/snmp/snmpd.conf
  -rw-r--r--  1 root  wheel  6993 Nov  4 09:16 /etc/snmp/snmpd.conf
  #
  # uname -ap
  OpenBSD foo.my.domain 5.8 GENERIC#1066 i386 i386
  #

The same problem occurs when the provided package is installed with
`pkg_add http://ftp.spline.de/pub/OpenBSD/5.8/packages/i386/net-snmp-5.7.3p0.tgz`:

  # ls -latr /etc/snmp/snmpd.conf
  -rw-r--r--  1 root  wheel  6993 Nov  4 08:37 /etc/snmp/snmpd.conf
  #

The snmpd configuration file is readable by a local user and contains the
credentials for read-only and read-write access (for the SNMPv1, SNMPv2 and
SNMPv3 protocols) and gives a local user unnecessary/dangerous access:

  [...]
  rocommunity public default -V systemonly
  #rocommunity secret 10.0.0.0/16
  rouser authOnlyUser
  #rwuser authPrivUser priv
  [...]

Furthermore, by default, `/usr/local/sbin/snmpd` runs as root.

This problem is OpenBSD-specific, as the /var/db/pkg/net-snmp-5.7.3p0/+CONTENTS
file confirms:

  @ts 1438958635
  @sample /etc/snmp/snmpd.conf

Stuart Henderson, the OpenBSD package maintainer, confirmed the problem and
stated that the permissions for the configuration file (/etc/snmp/snmpd.conf)
are now fixed in -current and -stable.

This issue was OpenBSD-specific and affected the net-snmp package/port for years.

Regards,

-- 
Pierre Kim
pierre.kim.sec@...il.com
@PierreKimSec
https://pierrekim.github.io/
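The check a local administrator would want after reading the report above, as an added example that is not part of Pierre Kim's message or of the OpenBSD port: a small POSIX sh audit that flags an snmpd.conf readable by group or other, lists the credential-bearing directives it exposes, and tightens the mode to 0600 the way the port was corrected. The mode test parses `ls -ld` rather than stat(1), because stat's flags differ between OpenBSD and GNU systems. The sample configuration it runs against is constructed here from the directives quoted in the report; the file path and function names are this example's own.

```shell
#!/bin/sh
# Audit an snmpd.conf-style file for the weak default described in the report:
# world-readable mode plus plaintext community strings / user names.
# Added example, not code from the original post or the net-snmp port.

# Return 0 if the group/other permission bits are all clear (0600 or stricter),
# 1 otherwise. Columns 5-10 of the ls -ld mode string are the group and other
# triplets on both OpenBSD and GNU ls, so no stat(1) portability issue.
is_owner_only() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print the active (uncommented) directives that carry SNMP credentials.
# Covers v1/v2c community strings and v3 user definitions.
list_credentials() {
    grep -E '^[[:space:]]*(ro|rw)(community|user)|^[[:space:]]*(createUser|com2sec)' "$1"
}

# Number of such directives; handy for scripting and for the test below.
count_credentials() {
    list_credentials "$1" | wc -l | tr -d ' '
}

# Apply the fix the maintainer committed: owner read/write only.
harden() {
    chmod 0600 "$1"
}

# --- constructed demo: a throwaway file mirroring the lines quoted in the report
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample snmpd.conf (hypothetical values, taken from the report)
rocommunity public default -V systemonly
#rocommunity secret 10.0.0.0/16
rouser authOnlyUser
#rwuser authPrivUser priv
EOF
chmod 0644 "$demo_conf"   # the insecure default the report describes

if is_owner_only "$demo_conf"; then
    echo "ok: $demo_conf is owner-only"
else
    echo "WARNING: $demo_conf is readable by group/other; exposed directives:"
    list_credentials "$demo_conf" | sed 's/^/    /'
    harden "$demo_conf"
    echo "fixed: $(ls -ld "$demo_conf" | cut -c1-10) $demo_conf"
fi
rm -f "$demo_conf"
```

On a real host, point `is_owner_only` and `list_credentials` at /etc/snmp/snmpd.conf instead of the temporary file; a non-zero count together with a failing mode check is exactly the condition the report describes, and `harden` is the one-line remediation until the fixed package is installed.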