COMMAND

Net-SNMP denial-of-service vulnerability

SYSTEMS AFFECTED

All SNMP daemons based on the Net-SNMP package, versions 5.0.1, 5.0.3 and 5.0.4.pre2.

PROBLEM

As reported in iDEFENSE Security Advisory [#20021002], based on research by Andrew Griffiths [andrewg@d2.net.au]:

The SNMP daemon included in the Net-SNMP package can be crashed if it attempts to process a specially crafted packet. Exploitation requires foreknowledge of a known SNMP community string (either read or read/write). This issue therefore potentially affects any Net-SNMP installation in which the default "public" read-only community string has not been changed.

ANALYSIS

By sending the SNMP daemon a packet without first having set up a session, a vulnerability in the following segment of code from agent/snmp_agent.c, handle_var_requests(), line 1,876, can be triggered:

    /* Vulnerable loop as shipped: the "<=" bound enters the body even when
       the tree cache is empty, so treecache[i].subtree is dereferenced
       while still NULL. */
    for (i = 0; i <= asp->treecache_num; i++) {
        reginfo = asp->treecache[i].subtree->reginfo;
        status = netsnmp_call_handlers(reginfo, asp->reqinfo,
                                       asp->treecache[i].requests_begin);
        ...
    }

Despite the fact that "asp->treecache_num" is NULL, the "<=" comparison in the for() loop allows entry into the block. At this point the SNMP daemon attempts to de-reference a NULL pointer, leading to a SIGSEGV. Since the SNMP daemon must parse the attack packet before reaching this code, an attacker must pass the appropriate ACL (public/read access is sufficient).

SOLUTION

Net-SNMP 5.0.5 has been released and fixes the described vulnerability. It is available at http://sourceforge.net/project/showfiles.php?group_id=12694
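The following is an added illustration, not code from the advisory or from the Net-SNMP project. It models the loop-bound defect in miniature: the struct names (agent_session_t, treecache_entry_t, subtree_t, reginfo_t), the handler stub and the "capacity" parameter are assumptions standing in for the real agent structures. One function dispatches handlers with the corrected "<" bound and explicit NULL checks; a second dry-runs the advisory's "<=" bound without dereferencing anything and reports whether it would index past the allocated cache or hit a NULL subtree, which is the condition that produces the SIGSEGV described above.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for the agent's structures (assumed shapes,
   not Net-SNMP's real definitions). */
typedef struct { int handled; } reginfo_t;
typedef struct { reginfo_t *reginfo; } subtree_t;
typedef struct { subtree_t *subtree; int requests_begin; } treecache_entry_t;
typedef struct { treecache_entry_t *treecache; int treecache_num; } agent_session_t;

/* Hypothetical handler dispatch; just records that it ran. */
static int call_handlers(reginfo_t *reginfo) {
    reginfo->handled++;
    return 1;
}

/* Hardened form of the loop: "<" bound plus NULL checks on every pointer
   the body touches. Returns the number of subtrees dispatched, or -1 when a
   cache entry is malformed (so the caller can drop the request instead of
   crashing the daemon). */
int dispatch_safe(agent_session_t *asp) {
    int dispatched = 0;
    if (asp == NULL || asp->treecache == NULL || asp->treecache_num <= 0)
        return 0;                       /* empty cache: nothing to do */
    for (int i = 0; i < asp->treecache_num; i++) {
        subtree_t *st = asp->treecache[i].subtree;
        if (st == NULL || st->reginfo == NULL)
            return -1;                  /* refuse rather than dereference NULL */
        call_handlers(st->reginfo);
        dispatched++;
    }
    return dispatched;
}

/* Dry run of the original "<=" bound. Walks the same indices the vulnerable
   loop would visit but only inspects pointers; returns 1 if that loop would
   read past the allocated array (capacity entries) or dereference a NULL
   subtree/reginfo, 0 if it would complete cleanly. */
int would_unsafe_loop_fault(const agent_session_t *asp, int capacity) {
    for (int i = 0; i <= asp->treecache_num; i++) {
        if (i >= capacity)
            return 1;                   /* out-of-bounds read of treecache[] */
        const subtree_t *st = asp->treecache[i].subtree;
        if (st == NULL || st->reginfo == NULL)
            return 1;                   /* the NULL dereference from the advisory */
    }
    return 0;
}

int main(void) {
    /* Constructed state mirroring "no session set up": the cache has room for
       one entry but treecache_num is 0 and the entry is still zeroed. */
    treecache_entry_t empty_cache[1] = { { NULL, 0 } };
    agent_session_t empty = { empty_cache, 0 };
    printf("empty cache: safe loop dispatched %d, original bound faults? %d\n",
           dispatch_safe(&empty), would_unsafe_loop_fault(&empty, 1));

    /* One fully populated entry: the "<=" bound still overruns by one. */
    reginfo_t r = { 0 };
    subtree_t st = { &r };
    treecache_entry_t one[1] = { { &st, 0 } };
    agent_session_t session = { one, 1 };
    printf("one entry: safe loop dispatched %d, original bound faults? %d\n",
           dispatch_safe(&session), would_unsafe_loop_fault(&session, 1));
    return 0;
}
```

The two cases show why the fix is a bound change and not only a NULL check: with an empty cache the "<=" loop reads the zeroed entry and dereferences NULL, and with a full cache it reads one entry past the end, so a guard on the pointer alone would still leave an out-of-bounds read.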