Re: SNMP vulnerabilities

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 13 Feb 2002 01:55:56 +0100

To get everyone on track on what code we are using here:

According to the sources, Squid has a heavily modified copy of an old
CMU-snmp library version 1.8, released Feb 3 1998.

From what it seems CMU cancelled their SNMP effort some time ago
(last release 1.14, Jan 1999, no longer online by CMU), but some time
before that the development spun off into UCD-snmp, which has now
disassociated from UCD and is simply called net-snmp.

A crash study in reported incidents related to SNMP shows that this
family of SNMP libraries has been quite error prone for quite some
time, both overflows due to oversized elements and due to malformed
packets.

Luckily what we are using of SNMP is quite limited, and our library
is heavily stripped down of features. What at a minimum needs to be
audited is snmp_parse() and all threads down from there. This sums up
to a very limited amount of code. An initial analysis of the code
shows overall good health practice, at least in the request parsing
up to our access control. I do not have the time to look any further
than this in the processing chain at this time, and have not looked
into all details of the variable decoding yet.

However, even this minimal audit revealed a minor possible issue
related to community strings (off-by-one error in length). It is not
very likely to be exploitable, but maybe could trigger a crash in
some conditions. There are also plenty of memory leaks in the same
area, I can easily trigger a leak of 4096+129 bytes per SNMP query
(actually I almost cannot trigger not to leak this amount). Now fixed
in head. Will test if there are more leaks, then publish a 2.5 patch.

Regards
Henrik

On Tuesday 12 February 2002 22.45, Alex Rousskov wrote:
> FYI: http://www.cert.org/advisories/CA-2002-03.html
>
> I have not tested whether Squid implementation is vulnerable, but
> given an impressive list of vulnerable products, somebody may want
> to test Squid SNMP code as well.
>
>
> Alex.
Received on Tue Feb 12 2002 - 17:55:16 MST
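The two findings in Henrik's mail above (an off-by-one in the community string length check, and per-query heap leaks on the request path) share a common shape that is easier to see in code. The following is an added example written for this archive page; it is not Squid's or CMU-snmp's code, and the buffer size COMMUNITY_BUF, the function names, the struct layout and the sample packet bytes are all constructed here. It decodes a short-form BER OCTET STRING into a fixed buffer with the bounds check in both its off-by-one and corrected form, and wraps it in a request parser whose every error path frees what it allocated, so a rejected packet leaks nothing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed buffer for the decoded community name. Real agents
 * use a larger value; a small one keeps the sample packets short. */
#define COMMUNITY_BUF 16

/* The off-by-one shape of a length check: a string of exactly COMMUNITY_BUF
 * bytes is accepted, so the terminating NUL would land one past the end. */
int community_len_ok_offbyone(size_t len) { return len <= COMMUNITY_BUF; }

/* Corrected check: one byte must stay free for the NUL terminator. */
int community_len_ok(size_t len) { return len < COMMUNITY_BUF; }

struct community {
    char name[COMMUNITY_BUF];
    size_t len;
};

/* Decode a short-form BER OCTET STRING (tag 0x04, one-byte length < 128)
 * from buf[0..buflen). Returns bytes consumed, or 0 if the element is
 * truncated, has the wrong tag, uses a long-form length, claims more
 * bytes than the packet holds, or is too large for the buffer. */
size_t decode_community(const uint8_t *buf, size_t buflen, struct community *out)
{
    if (buflen < 2 || buf[0] != 0x04) return 0;
    size_t len = buf[1];
    if (len & 0x80) return 0;              /* long-form length: rejected here */
    if (len > buflen - 2) return 0;        /* declared length overruns packet */
    if (!community_len_ok(len)) return 0;  /* oversized element */
    memcpy(out->name, buf + 2, len);
    out->name[len] = '\0';
    out->len = len;
    return 2 + len;
}

struct request {
    struct community comm;
    uint8_t *payload;     /* remainder of the message, copied opaquely */
    size_t payload_len;
};

/* Parse "community + remainder". Every early return releases what was
 * already allocated, so a rejected packet costs no heap memory. */
struct request *parse_request(const uint8_t *buf, size_t buflen)
{
    struct request *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    size_t used = decode_community(buf, buflen, &r->comm);
    if (used == 0) { free(r); return NULL; }
    r->payload_len = buflen - used;
    r->payload = malloc(r->payload_len ? r->payload_len : 1);
    if (!r->payload) { free(r); return NULL; }
    memcpy(r->payload, buf + used, r->payload_len);
    return r;
}

void free_request(struct request *r)
{
    if (!r) return;
    free(r->payload);
    free(r);
}

/* Constructed sample: OCTET STRING "public" followed by two opaque bytes. */
static const uint8_t sample_pkt[] = { 0x04, 0x06, 'p','u','b','l','i','c', 0xA0, 0x00 };
#define SAMPLE_PKT_LEN (sizeof sample_pkt)

int main(void)
{
    struct request *r = parse_request(sample_pkt, SAMPLE_PKT_LEN);
    if (r) {
        printf("community=%s payload_len=%zu\n", r->comm.name, r->payload_len);
        free_request(r);
    }
    /* A 16-byte community: the off-by-one check accepts it, the fixed one does not. */
    printf("len 16: offbyone=%d fixed=%d\n",
           community_len_ok_offbyone(16), community_len_ok(16));
    return 0;
}
```

Running the parser under a leak checker (valgrind or an address sanitizer build) with truncated and oversized packets is the quick way to confirm that the rejection paths release everything; the declared-length-versus-packet-length check is the one that guards against the malformed-packet class the mail mentions, and the `<` rather than `<=` comparison is the one that guards against the oversized-element class.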