Debian-LTS has issued advisories on July 30 and today (August 4): https://www.debian.org/lts/security/2020/dla-2299 https://www.debian.org/lts/security/2020/dla-2313 I think the first advisory is related to CVE-2020-15862 as well. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
No fixed maintainer for this, so assigning it globally. CC'ing DavidG as having done a couple of relatively recent upates.
CC: (none) => geiger.david68210Assignee: bugsquad => pkg-bugs
Debian has issued an advisory for this on August 15: https://www.debian.org/security/2020/dsa-4746
CC: (none) => guillomovitch
Ubuntu has issued an advisory for this on August 24: https://ubuntu.com/security/notices/USN-4471-1
Whenever we fix this, it'll also include the fixes from Bug 25747.
Suggested advisory: ======================== The updated packages try to fix an issue when /dev/kmem is absent and fix security vulnerabilities: Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic link (symlink) following. (CVE-2020-15861) Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. (CVE-2020-15862) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15861 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15862 https://www.debian.org/lts/security/2020/dla-2299 https://www.debian.org/lts/security/2020/dla-2313 https://www.debian.org/security/2020/dsa-4746 https://ubuntu.com/security/notices/USN-4471-1 https://bugs.mageia.org/show_bug.cgi?id=25747 ======================== Updated packages in core/updates_testing: ======================== net-snmp-5.8-2.3.mga7 lib(64)net-snmp35-5.8-2.3.mga7 lib(64)net-snmp-devel-5.8-2.3.mga7 net-snmp-utils-5.8-2.3.mga7 net-snmp-tkmib-5.8-2.3.mga7 net-snmp-mibs-5.8-2.3.mga7 net-snmp-trapd-5.8-2.3.mga7 perl-NetSNMP-5.8-2.3.mga7 python-netsnmp-5.8-2.3.mga7 from SRPM: net-snmp-5.8-2.3.mga7.src.rpm
CC: (none) => nicolas.salgueroWhiteboard: MGA7TOO => (none)Status: NEW => ASSIGNEDVersion: Cauldron => 7Source RPM: net-snmp-5.8-10.mga8.src.rpm => net-snmp-5.8-2.mga7.src.rpmAssignee: pkg-bugs => qa-bugs
(In reply to David Walser from comment #3) > Ubuntu has issued an advisory for this on August 24: > https://ubuntu.com/security/notices/USN-4471-1 Ubuntu has fixed regressions in this update: https://ubuntu.com/security/notices/USN-4471-2
The code provided by the new patch is already present in version 5.8 (it is only needed by older versions).
I fixed an additional issue that Ubuntu issued an advisory for on July 2, that I just realized affected us too: https://ubuntu.com/security/notices/USN-4410-1 Advisory: ======================== Updated net-snmp packages fix security vulnerabilities: net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request (CVE-2019-20892). Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic link (symlink) following (CVE-2020-15861). Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root (CVE-2020-15862). The update also fixes an issue when /dev/kmem is not present. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15861 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15862 https://www.debian.org/lts/security/2020/dla-2299 https://www.debian.org/lts/security/2020/dla-2313 https://www.debian.org/security/2020/dsa-4746 https://ubuntu.com/security/notices/USN-4410-1 https://ubuntu.com/security/notices/USN-4471-1 https://bugs.mageia.org/show_bug.cgi?id=25747 https://bugs.mageia.org/show_bug.cgi?id=27034 ======================== Updated packages in core/updates_testing: ======================== net-snmp-5.8-2.5.mga7 libnet-snmp35-5.8-2.5.mga7 libnet-snmp-devel-5.8-2.5.mga7 net-snmp-utils-5.8-2.5.mga7 net-snmp-tkmib-5.8-2.5.mga7 net-snmp-mibs-5.8-2.5.mga7 net-snmp-trapd-5.8-2.5.mga7 perl-NetSNMP-5.8-2.5.mga7 python-netsnmp-5.8-2.5.mga7 from net-snmp-5.8-2.5.mga7.src.rpm
Blocks: (none) => 25747Summary: net-snmp new security issues CVE-2020-15861 and CVE-2020-15862 => net-snmp new security issues CVE-2019-20892, CVE-2020-15861, and CVE-2020-15862
Just starting on this. No PoCs have been disclosed it appears. Found something a bit strange on installing the pre-update packages. net-snmp-5.8-2 installed OK but lib64net-snmp35-5.8-2.5 was already installed so had to be downgraded. Must have been pulled in by something else at some stage. The devel package required a choice between 3 versions of liblua (lua was tested recently). lua5.2 is installed so that fixed the choice and hauled in another 19 packages. $ rpm -qa | grep -i snmp | grep -i net perl-NetSNMP-5.8-2.mga7 python-netsnmp-5.8-2.mga7 net-snmp-tkmib-5.8-2.mga7 net-snmp-utils-5.8-2.mga7 net-snmp-mibs-5.8-2.mga7 net-snmp-trapd-5.8-2.mga7 net-snmp-5.8-2.mga7 lib64net-snmp-devel-5.8-2.mga7 lib64net-snmp35-5.8-2.mga7 Continuing this later.
CC: (none) => tarazed25
Consulted man pages and an online tutorial but got lost rapidly as the tutorial expanded into different subfields requiring other tutorials, all unfamiliar territory. The tkmib command displayed a gui - no idea what to do with it though; there is a downloaded MIB file in .snmp/mibs/. The nine packages updated cleanly. Trying to start snmpd failed before and after the updates because /dev/kmem does not exist. If that is the issue referred to in comment 8 then this update does not cure it. Passing this back to the experts.
The net-snmp-utils are listed at https://www.mankier.com/package/net-snmp-utils.
$ ls /usr/bin/snmp* /usr/bin/snmp-bridge-mib* /usr/bin/snmpinform@ /usr/bin/snmptls* /usr/bin/snmpbulkget* /usr/bin/snmpnetstat* /usr/bin/snmptop@ /usr/bin/snmpbulkwalk* /usr/bin/snmpping* /usr/bin/snmptranslate* /usr/bin/snmpconf* /usr/bin/snmpps* /usr/bin/snmptrap* /usr/bin/snmpdelta* /usr/bin/snmpset* /usr/bin/snmpusm* /usr/bin/snmpdf* /usr/bin/snmpstatus* /usr/bin/snmpvacm* /usr/bin/snmpget* /usr/bin/snmptable* /usr/bin/snmpwalk* /usr/bin/snmpgetnext* /usr/bin/snmptest*
MGA7-64 Plasma onLenovo B50 No installation issues. Taking lead from Len's bug 22775 Comment 6. After installation ]# systemctl status snmpd ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon. Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled) Active: inactive (dead) [root@mach5 ~]# systemctl start snmpd Job for snmpd.service failed because the control process exited with error code. See "systemctl status snmpd.service" and "journalctl -xe" for details. [root@mach5 ~]# journalctl -xe -- Defined-By: systemd -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- The unit run-r2ad0332468ca4a62b319a9f4ee3022b6.service has successfully entered the 'dead' state. Sep 14 14:35:55 mach5.hviaene.thuis kwin_x11[11420]: qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 16771, resource id: 132168997, major code: 15 (Qu> Sep 14 14:35:59 mach5.hviaene.thuis kernel: net-fw DROP IN=wlp9s0 OUT= MAC=b4:6d:83:0d:0c:14:34:31:c4:80:a9:b4:08:00 SRC=192.168.2.15 DST=192.168.2.5 LEN=60 TOS=0x00 > Sep 14 14:36:00 mach5.hviaene.thuis kernel: net-fw DROP IN=wlp9s0 OUT= MAC=b4:6d:83:0d:0c:14:34:31:c4:80:a9:b4:08:00 SRC=192.168.2.15 DST=192.168.2.5 LEN=60 TOS=0x00 > Sep 14 14:36:02 mach5.hviaene.thuis kernel: net-fw DROP IN=wlp9s0 OUT= MAC=b4:6d:83:0d:0c:14:34:31:c4:80:a9:b4:08:00 SRC=192.168.2.15 DST=192.168.2.5 LEN=60 TOS=0x00 > Sep 14 14:36:06 mach5.hviaene.thuis kernel: net-fw DROP IN=wlp9s0 OUT= MAC=b4:6d:83:0d:0c:14:34:31:c4:80:a9:b4:08:00 SRC=192.168.2.15 DST=192.168.2.5 LEN=60 TOS=0x00 > Sep 14 14:36:59 mach5.hviaene.thuis systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon.... -- Subject: A start job for unit snmpd.service has begun execution -- Defined-By: systemd -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- A start job for unit snmpd.service has begun execution. -- -- The job identifier is 2621. Sep 14 14:36:59 mach5.hviaene.thuis snmpd[1971]: /dev/kmem: No such file or directory Sep 14 14:36:59 mach5.hviaene.thuis snmpd[1971]: Agent initialization failed This just confirms the issue raised by Len above. Googling the error brings me to unknown territory. One suggesttion I could understand : compilation with the CONFIG_DEVKMEM kernel configuration option not enabled. Leaving to thr real specialists.
CC: (none) => herman.viaene
Sounds like 15861 is a symlink attack from caching mibs in /tmp and probably doesn't really affect us due to protected_symlinks. 15862 is described here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965166 20892 has a PoC at the bottom of: https://www.openwall.com/lists/oss-security/2020/06/25/4 So we could check those two issues and adjust the advisory if the kmem issue isn't fixed.
There may not be much QA can do with these, especially without a server. The snmpd service is supposed to start at boot here but without /dev/kmem it looks like we are at an impasse. The PoC for 20892 appears to be a formal example. There are names for what could be certificates for instance. The format of the bulkget command would be understood by an SNMP user, who could provide realistic arguments. As is, the command simply times out after several seconds.
@Herman - comment 14 This is dev territory. $ sudo sysctl -a | grep dev.kmem comes up blank.
Yeah, I think kmem itself is a kernel thing. It looks like nobody added the option suggested here: https://bugs.mageia.org/show_bug.cgi?id=25747#c21
Keywords: (none) => feedback
And see https://lwn.net/Articles/147901/. If /dev/kmem has potential security issues then comment 17 is very relevant.
I just submitted a new build in update_testing, with kmem support disabled, as with Cauldron package.
Thanks Guillaume! New package list below. net-snmp-5.8-2.6.mga7 libnet-snmp35-5.8-2.6.mga7 libnet-snmp-devel-5.8-2.6.mga7 net-snmp-utils-5.8-2.6.mga7 net-snmp-tkmib-5.8-2.6.mga7 net-snmp-mibs-5.8-2.6.mga7 net-snmp-trapd-5.8-2.6.mga7 perl-NetSNMP-5.8-2.6.mga7 python-netsnmp-5.8-2.6.mga7 from net-snmp-5.8-2.6.mga7.src.rpm
Keywords: feedback => (none)
Sorry, after installation and double checking on the version: # systemctl status snmpd ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon. Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled) Active: inactive (dead) # systemctl start snmpd Job for snmpd.service failed because the control process exited with error code. See "systemctl status snmpd.service" and "journalctl -xe" for details. # systemctl status snmpd ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon. Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled) Active: failed (Result: exit-code) since Fri 2020-09-18 14:31:10 CEST; 7s ago Process: 31017 ExecStart=/usr/sbin/snmpd $OPTIONS -f (code=exited, status=1/FAILURE) Main PID: 31017 (code=exited, status=1/FAILURE) Sep 18 14:31:10 mach5.hviaene.thuis systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon.... Sep 18 14:31:10 mach5.hviaene.thuis snmpd[31017]: /dev/kmem: No such file or directory Sep 18 14:31:10 mach5.hviaene.thuis snmpd[31017]: Agent initialization failed Sep 18 14:31:10 mach5.hviaene.thuis systemd[1]: snmpd.service: Main process exited, code=exited, status=1/FAILURE Sep 18 14:31:10 mach5.hviaene.thuis systemd[1]: snmpd.service: Failed with result 'exit-code'. Sep 18 14:31:10 mach5.hviaene.thuis systemd[1]: Failed to start Simple Network Management Protocol (SNMP) Daemon..
Referencing comments 21 and 19: Out of curiosity I tried this out on Cauldron and saw exactly the same error as before: /dev/kmem/ no such file......
Comment here https://bugs.mageia.org/show_bug.cgi?id=25747#c21 suggest to add --without-kmem-usage to the configure line and rebuilt the SRPM for snmpd to work without /dev/kmem. I am not a packager. This should be done ASAP to fix security vulnerability. Really don't know why this works on bug 25747 and not here.
CC: (none) => ouaurelien
I don't know why it worked for Simon. Guillaume already rebuilt it with that configure option.
(In reply to David Walser from comment #24) > I don't know why it worked for Simon. Guillaume already rebuilt it with > that configure option. This is really strange.
Moreover that build option was already present. Now it is writen twice in the SPEC file.
Testing this. M7 Gnome and Mate. # urpmi net-snmp Pour satisfaire les dépendances, les paquetages suivants vont être installés : Paquetage Version Révision Arch (média « Core Release (distrib1) ») multiarch-utils 1.0.14 2.mga7 noarch perl-JSON 4.20.0 1.mga7 noarch perl-Mail-Sender 0.903.0 2.mga7 noarch (média « Core Updates Testing (distrib5) ») net-snmp 5.8 2.6.mga7 x86_64 net-snmp-mibs 5.8 2.6.mga7 x86_64 net-snmp-utils 5.8 2.6.mga7 x86_64 perl-NetSNMP 5.8 2.6.mga7 x86_64 un espace additionnel de 4.5Mo sera utilisé. 1Mo de paquets seront récupérés. Procéder à l'installation des 7 paquetages ? (O/n) # systemctl start snmpd Job for snmpd.service failed because the control process exited with error code. See "systemctl status snmpd.service" and "journalctl -xe" for details. # systemctl status snmpd ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon. Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled) Active: failed (Result: exit-code) since Tue 2020-11-03 17:45:46 CET; 10s ago Process: 2058 ExecStart=/usr/sbin/snmpd $OPTIONS -f (code=exited, status=1/FAILURE) Main PID: 2058 (code=exited, status=1/FAILURE) nov. 03 17:45:46 localhost systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon.... nov. 03 17:45:46 localhost snmpd[2058]: /dev/kmem: No such file or directory nov. 03 17:45:46 localhost snmpd[2058]: Agent initialization failed nov. 03 17:45:46 localhost systemd[1]: snmpd.service: Main process exited, code=exited, status=1/FAILURE nov. 03 17:45:46 localhost systemd[1]: snmpd.service: Failed with result 'exit-code'. nov. 03 17:45:46 localhost systemd[1]: Failed to start Simple Network Management Protocol (SNMP) Daemon..
Assignee: qa-bugs => nicolas.salguero
Status comment: (none) => snmpd fails looking for /dev/kmem
Assignee: nicolas.salguero => pkg-bugs
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Resolution: (none) => OLDStatus: ASSIGNED => RESOLVED