Bug 27034 - net-snmp new security issues CVE-2019-20892, CVE-2020-15861, and CVE-2020-15862
Summary: net-snmp new security issues CVE-2019-20892, CVE-2020-15861, and CVE-2020-15862
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks: 25747
Reported: 2020-08-04 23:52 CEST by David Walser
Modified: 2020-09-19 01:06 CEST

See Also:
Source RPM: net-snmp-5.8-2.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-08-04 23:52:51 CEST
Debian-LTS has issued advisories on July 30 and today (August 4):
https://www.debian.org/lts/security/2020/dla-2299
https://www.debian.org/lts/security/2020/dla-2313

I think the first advisory is related to CVE-2020-15862 as well.

Mageia 7 is also affected.
David Walser 2020-08-04 23:52:58 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-08-05 20:00:50 CEST
No fixed maintainer for this, so assigning it globally. CC'ing DavidG as having done a couple of relatively recent updates.

CC: (none) => geiger.david68210
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-08-21 20:37:47 CEST
Debian has issued an advisory for this on August 15:
https://www.debian.org/security/2020/dsa-4746
David Walser 2020-08-22 18:16:28 CEST

CC: (none) => guillomovitch

Comment 3 David Walser 2020-08-27 22:37:19 CEST
Ubuntu has issued an advisory for this on August 24:
https://ubuntu.com/security/notices/USN-4471-1
Comment 4 David Walser 2020-08-31 01:06:21 CEST
Whenever we fix this, it'll also include the fixes from Bug 25747.
Comment 5 Nicolas Salguero 2020-09-02 11:17:26 CEST
Suggested advisory:
========================

The updated packages try to fix an issue when /dev/kmem is absent and fix security vulnerabilities:

Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic link (symlink) following. (CVE-2020-15861)

Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. (CVE-2020-15862)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15862
https://www.debian.org/lts/security/2020/dla-2299
https://www.debian.org/lts/security/2020/dla-2313
https://www.debian.org/security/2020/dsa-4746
https://ubuntu.com/security/notices/USN-4471-1
https://bugs.mageia.org/show_bug.cgi?id=25747
========================

Updated packages in core/updates_testing:
========================
net-snmp-5.8-2.3.mga7
lib(64)net-snmp35-5.8-2.3.mga7
lib(64)net-snmp-devel-5.8-2.3.mga7
net-snmp-utils-5.8-2.3.mga7
net-snmp-tkmib-5.8-2.3.mga7
net-snmp-mibs-5.8-2.3.mga7
net-snmp-trapd-5.8-2.3.mga7
perl-NetSNMP-5.8-2.3.mga7
python-netsnmp-5.8-2.3.mga7

from SRPM:
net-snmp-5.8-2.3.mga7.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA7TOO => (none)
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Source RPM: net-snmp-5.8-10.mga8.src.rpm => net-snmp-5.8-2.mga7.src.rpm
Version: Cauldron => 7

Comment 6 David Walser 2020-09-03 21:57:06 CEST
(In reply to David Walser from comment #3)
> Ubuntu has issued an advisory for this on August 24:
> https://ubuntu.com/security/notices/USN-4471-1

Ubuntu has fixed regressions in this update:
https://ubuntu.com/security/notices/USN-4471-2
Comment 7 Nicolas Salguero 2020-09-04 08:35:37 CEST
The code provided by the new patch is already present in version 5.8 (it is only needed by older versions).
Comment 8 David Walser 2020-09-07 19:40:18 CEST
I fixed an additional issue that Ubuntu issued an advisory for on July 2, that I just realized affected us too:
https://ubuntu.com/security/notices/USN-4410-1

Advisory:
========================

Updated net-snmp packages fix security vulnerabilities:

net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in
snmplib/snmpusm.c via an SNMPv3 GetBulk request (CVE-2019-20892).

Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic
link (symlink) following (CVE-2020-15861).

Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE
access to the EXTEND MIB provides the ability to run arbitrary commands as
root (CVE-2020-15862).

The update also fixes an issue when /dev/kmem is not present.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15862
https://www.debian.org/lts/security/2020/dla-2299
https://www.debian.org/lts/security/2020/dla-2313
https://www.debian.org/security/2020/dsa-4746
https://ubuntu.com/security/notices/USN-4410-1
https://ubuntu.com/security/notices/USN-4471-1
https://bugs.mageia.org/show_bug.cgi?id=25747
https://bugs.mageia.org/show_bug.cgi?id=27034
========================

Updated packages in core/updates_testing:
========================
net-snmp-5.8-2.5.mga7
libnet-snmp35-5.8-2.5.mga7
libnet-snmp-devel-5.8-2.5.mga7
net-snmp-utils-5.8-2.5.mga7
net-snmp-tkmib-5.8-2.5.mga7
net-snmp-mibs-5.8-2.5.mga7
net-snmp-trapd-5.8-2.5.mga7
perl-NetSNMP-5.8-2.5.mga7
python-netsnmp-5.8-2.5.mga7

from net-snmp-5.8-2.5.mga7.src.rpm

Summary: net-snmp new security issues CVE-2020-15861 and CVE-2020-15862 => net-snmp new security issues CVE-2019-20892, CVE-2020-15861, and CVE-2020-15862
Blocks: (none) => 25747

Comment 9 Len Lawrence 2020-09-13 01:38:51 CEST
Just starting on this.  No PoCs have been disclosed it appears.
Found something a bit strange on installing the pre-update packages.
net-snmp-5.8-2 installed OK but lib64net-snmp35-5.8-2.5 was already installed so had to be downgraded.  Must have been pulled in by something else at some stage.
The devel package required a choice between 3 versions of liblua (lua was tested recently).  lua5.2 is installed so that fixed the choice and hauled in another 19 packages.  
$ rpm -qa | grep -i snmp | grep -i net
perl-NetSNMP-5.8-2.mga7
python-netsnmp-5.8-2.mga7
net-snmp-tkmib-5.8-2.mga7
net-snmp-utils-5.8-2.mga7
net-snmp-mibs-5.8-2.mga7
net-snmp-trapd-5.8-2.mga7
net-snmp-5.8-2.mga7
lib64net-snmp-devel-5.8-2.mga7
lib64net-snmp35-5.8-2.mga7

Continuing this later.

CC: (none) => tarazed25

Comment 10 Len Lawrence 2020-09-13 11:06:22 CEST
Consulted man pages and an online tutorial but got lost rapidly as the tutorial expanded into different subfields requiring other tutorials, all unfamiliar territory.  The tkmib command displayed a gui - no idea what to do with it though; there is a downloaded MIB file in .snmp/mibs/.

The nine packages updated cleanly.

Trying to start snmpd failed before and after the updates because /dev/kmem does not exist.  If that is the issue referred to in comment 8 then this update does not cure it.

Passing this back to the experts.
Comment 11 Len Lawrence 2020-09-13 11:35:49 CEST
The net-snmp-utils are listed at https://www.mankier.com/package/net-snmp-utils.
Comment 12 Len Lawrence 2020-09-13 11:39:03 CEST
$ ls /usr/bin/snmp*
/usr/bin/snmp-bridge-mib*  /usr/bin/snmpinform@   /usr/bin/snmptls*
/usr/bin/snmpbulkget*      /usr/bin/snmpnetstat*  /usr/bin/snmptop@
/usr/bin/snmpbulkwalk*     /usr/bin/snmpping*     /usr/bin/snmptranslate*
/usr/bin/snmpconf*         /usr/bin/snmpps*       /usr/bin/snmptrap*
/usr/bin/snmpdelta*        /usr/bin/snmpset*      /usr/bin/snmpusm*
/usr/bin/snmpdf*           /usr/bin/snmpstatus*   /usr/bin/snmpvacm*
/usr/bin/snmpget*          /usr/bin/snmptable*    /usr/bin/snmpwalk*
/usr/bin/snmpgetnext*      /usr/bin/snmptest*
Comment 13 Herman Viaene 2020-09-14 14:51:39 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Taking lead from Len's bug 22775 Comment 6.
After installation
]# systemctl status snmpd
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@mach5 ~]# systemctl start snmpd 
Job for snmpd.service failed because the control process exited with error code.
See "systemctl status snmpd.service" and "journalctl -xe" for details.
[root@mach5 ~]# journalctl -xe
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The unit run-r2ad0332468ca4a62b319a9f4ee3022b6.service has successfully entered the 'dead' state.
Sep 14 14:35:55 mach5.hviaene.thuis kwin_x11[11420]: qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 16771, resource id: 132168997, major code: 15 (Qu>
Sep 14 14:35:59 mach5.hviaene.thuis kernel: net-fw DROP IN=wlp9s0 OUT= MAC=b4:6d:83:0d:0c:14:34:31:c4:80:a9:b4:08:00 SRC=192.168.2.15 DST=192.168.2.5 LEN=60 TOS=0x00 >
Sep 14 14:36:00 mach5.hviaene.thuis kernel: net-fw DROP IN=wlp9s0 OUT= MAC=b4:6d:83:0d:0c:14:34:31:c4:80:a9:b4:08:00 SRC=192.168.2.15 DST=192.168.2.5 LEN=60 TOS=0x00 >
Sep 14 14:36:02 mach5.hviaene.thuis kernel: net-fw DROP IN=wlp9s0 OUT= MAC=b4:6d:83:0d:0c:14:34:31:c4:80:a9:b4:08:00 SRC=192.168.2.15 DST=192.168.2.5 LEN=60 TOS=0x00 >
Sep 14 14:36:06 mach5.hviaene.thuis kernel: net-fw DROP IN=wlp9s0 OUT= MAC=b4:6d:83:0d:0c:14:34:31:c4:80:a9:b4:08:00 SRC=192.168.2.15 DST=192.168.2.5 LEN=60 TOS=0x00 >
Sep 14 14:36:59 mach5.hviaene.thuis systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
-- Subject: A start job for unit snmpd.service has begun execution
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- A start job for unit snmpd.service has begun execution.
-- 
-- The job identifier is 2621.
Sep 14 14:36:59 mach5.hviaene.thuis snmpd[1971]: /dev/kmem: No such file or directory
Sep 14 14:36:59 mach5.hviaene.thuis snmpd[1971]: Agent initialization failed
This just confirms the issue raised by Len above.
Googling the error brings me to unknown territory. One suggestion I could understand: compilation with the CONFIG_DEVKMEM kernel configuration option not enabled. Leaving to the real specialists.

CC: (none) => herman.viaene

Comment 14 David Walser 2020-09-14 17:26:25 CEST
Sounds like 15861 is a symlink attack from caching mibs in /tmp and probably doesn't really affect us due to protected_symlinks.

15862 is described here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965166

20892 has a PoC at the bottom of:
https://www.openwall.com/lists/oss-security/2020/06/25/4

So we could check those two issues and adjust the advisory if the kmem issue isn't fixed.
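
Added example, not part of the original comment thread or the net-snmp project's own code: a host-side check of the two preconditions discussed in comment 14, namely whether the kernel's fs.protected_symlinks restriction is on (relevant to CVE-2020-15861) and which snmpd.conf directives grant the SNMP WRITE access that CVE-2020-15862 depends on. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample config below are hypothetical.

# Print (with line numbers) every snmpd.conf directive that grants SNMP
# WRITE access. rwcommunity/rwcommunity6/rwuser grant it directly; a VACM
# "access" line grants it when its WRITE view (8th field) is not "none".
snmp_write_grants() {
    awk '
        /^[ \t]*#/ { next }    # skip commented-out directives
        $1 == "rwcommunity" || $1 == "rwcommunity6" || $1 == "rwuser" {
            print NR ": " $0; next
        }
        $1 == "access" && NF >= 8 && $8 != "none" { print NR ": " $0 }
    ' "$1"
}

# Report whether the kernel symlink restriction is on.
# $1: sysctl file to read (defaults to the real one).
symlink_protection() {
    f=${1:-/proc/sys/fs/protected_symlinks}
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample configuration, not taken from the bug report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
rocommunity public 127.0.0.1
# rwcommunity old-string
rwcommunity private 127.0.0.1
rwuser admin priv
access ROGroup "" any noauth exact all none none
access RWGroup "" usm priv exact all all none
EOF

echo "fs.protected_symlinks: $(symlink_protection)"
echo "Directives granting SNMP WRITE access:"
snmp_write_grants "$sample"
rm -f "$sample"
```

Each line the first function prints is a write grant to review: restrict it to the management hosts that need SNMP SET, or remove it if nothing does.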
Comment 15 Len Lawrence 2020-09-14 18:34:33 CEST
There may not be much QA can do with these, especially without a server.
The snmpd service is supposed to start at boot here but without /dev/kmem it looks like we are at an impasse.
The PoC for 20892 appears to be a formal example.  There are names for what could be certificates for instance.  The format of the bulkget command would be understood by an SNMP user, who could provide realistic arguments.  As is, the command simply times out after several seconds.
Comment 16 Len Lawrence 2020-09-14 18:50:24 CEST
@Herman - comment 14
This is dev territory.
$ sudo sysctl -a | grep dev.kmem
comes up blank.
Comment 17 David Walser 2020-09-14 18:57:46 CEST
Yeah, I think kmem itself is a kernel thing.  It looks like nobody added the option suggested here:
https://bugs.mageia.org/show_bug.cgi?id=25747#c21

Keywords: (none) => feedback

Comment 18 Len Lawrence 2020-09-14 20:55:53 CEST
And see https://lwn.net/Articles/147901/.
If /dev/kmem has potential security issues then comment 17 is very relevant.
Comment 19 Guillaume Rousse 2020-09-16 17:24:27 CEST
I just submitted a new build in update_testing, with kmem support disabled, as with Cauldron package.
Comment 20 David Walser 2020-09-16 17:43:23 CEST
Thanks Guillaume!  New package list below.

net-snmp-5.8-2.6.mga7
libnet-snmp35-5.8-2.6.mga7
libnet-snmp-devel-5.8-2.6.mga7
net-snmp-utils-5.8-2.6.mga7
net-snmp-tkmib-5.8-2.6.mga7
net-snmp-mibs-5.8-2.6.mga7
net-snmp-trapd-5.8-2.6.mga7
perl-NetSNMP-5.8-2.6.mga7
python-netsnmp-5.8-2.6.mga7

from net-snmp-5.8-2.6.mga7.src.rpm

Keywords: feedback => (none)

Comment 21 Herman Viaene 2020-09-18 14:38:32 CEST
Sorry, after installation and double checking on the version:
# systemctl status snmpd
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

# systemctl start snmpd
Job for snmpd.service failed because the control process exited with error code.
See "systemctl status snmpd.service" and "journalctl -xe" for details.

# systemctl status snmpd
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2020-09-18 14:31:10 CEST; 7s ago
  Process: 31017 ExecStart=/usr/sbin/snmpd $OPTIONS -f (code=exited, status=1/FAILURE)
 Main PID: 31017 (code=exited, status=1/FAILURE)

Sep 18 14:31:10 mach5.hviaene.thuis systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Sep 18 14:31:10 mach5.hviaene.thuis snmpd[31017]: /dev/kmem: No such file or directory
Sep 18 14:31:10 mach5.hviaene.thuis snmpd[31017]: Agent initialization failed
Sep 18 14:31:10 mach5.hviaene.thuis systemd[1]: snmpd.service: Main process exited, code=exited, status=1/FAILURE
Sep 18 14:31:10 mach5.hviaene.thuis systemd[1]: snmpd.service: Failed with result 'exit-code'.
Sep 18 14:31:10 mach5.hviaene.thuis systemd[1]: Failed to start Simple Network Management Protocol (SNMP) Daemon..
Comment 22 Len Lawrence 2020-09-18 17:25:42 CEST
Referencing comments 21 and 19:
Out of curiosity I tried this out on Cauldron and saw exactly the same error as before: /dev/kmem/ no such file......
Len Lawrence 2020-09-19 01:06:12 CEST

Keywords: (none) => feedback

