Your submission was sent successfully! Close

CVE-2008-6123

Published: 29 April 2009

The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp 5.0.9 through 5.4.2.1, when using TCP wrappers for client authorization, does not properly parse hosts.allow rules, which allows remote attackers to bypass intended access restrictions and execute SNMP queries, related to "source/destination IP address confusion."

Priority

Medium

Status

Package Release Status
net-snmp
Launchpad, Ubuntu, Debian
dapper Not vulnerable
(5.2.1.2-4ubuntu2.3)
gutsy Not vulnerable
(5.3.1-6ubuntu2.2)
hardy Not vulnerable
(5.4.1~dfsg-4ubuntu4.2)
intrepid Not vulnerable

jaunty Not vulnerable

karmic Not vulnerable

lucid
Released (5.4.2.1~dfsg0ubuntu1-0ubuntu2.1)
upstream Needs triage

Notes

AuthorNote
jdstrand
Gentoo reproducer does not work
mdeslaur
security issue was introduced in the following commits:
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=16654
so bug was introduced in 5.2.5, 5.3.2 and 5.4.2
kees
looks like now that 5.4.2 landed in lucid, it became vulnerable.

References

Bugs