CVE-2008-6123

Publication date 29 April 2009

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp 5.0.9 through 5.4.2.1, when using TCP wrappers for client authorization, does not properly parse hosts.allow rules, which allows remote attackers to bypass intended access restrictions and execute SNMP queries, related to "source/destination IP address confusion."

Read the notes from the security team

Status

Package Ubuntu Release Status
net-snmp 10.04 LTS lucid
Fixed 5.4.2.1~dfsg0ubuntu1-0ubuntu2.1
9.10 karmic
Not affected
9.04 jaunty
Not affected
8.10 intrepid
Not affected
8.04 LTS hardy
Not affected
7.10 gutsy
Not affected
6.06 LTS dapper
Not affected

Notes

jdstrand

Gentoo reproducer does not work

mdeslaur

security issue was introduced in the following commits: http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=16654 so bug was introduced in 5.2.5, 5.3.2 and 5.4.2

kees

looks like now that 5.4.2 landed in lucid, it became vulnerable.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
net-snmp

References

Related Ubuntu Security Notices (USN)

    • USN-946-1
    • Net-SNMP vulnerability
    • 2 June 2010

Other references