
VyOS router 1.2.7 SNMP DoS bug
Closed, Resolved, Public, BUG

Description

We have replayed the vulnerability in the VyOS 1.2.7 device versions, and we performed debugging analysis on this vulnerable version. Please check.

There are three vulnerabilities, and they are caused by a use-after-free and an insufficient check of a null pointer.

I may then need you to provide an email address, and I will provide a PoC and a detailed vulnerability report. Here is my email: [email protected]


Details

Difficulty level: Easy (less than an hour)
Version: version 1.2.7
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Security vulnerability

Event Timeline

May I ask where I can submit the PoC? Do you provide an email address, or can I upload files here?

@zoenan7 Thanks for your research! You can send the PoC to [email protected]

Also, we use stock, unmodified SNMPd, so the same problem likely exists (or had existed) in the upstream code and we may need to report it to the net-snmp maintainers. Could you check if later versions, e.g. the one used in VyOS 1.3 release candidates or the 1.4 rolling release, are also vulnerable?

Hello, I have found three vulnerabilities in V1.2.7, one of which can also be reproduced in V1.3. Please continue to check the other versions. I will send all three PoCs to your email. Thank you for your work.

By the way, the password of the compressed package is HGkasjgJFYL261.

I have sent the PoC of the vulnerability to [email protected].

I have a question. If you confirm the existence of the vulnerability, can you report it to the NET-SNMP vendor and apply for a CVE number?

By the way, the SNMPD service of the router will not restart automatically. After the SNMP service is attacked, the SNMP service cannot be restored even if the device is restarted, which may be an inappropriate implementation.

@dmbaturin Did you get my email? If not, please let me know and I will send it again.

@zoenan7 Sorry for the late reply! Yes, I got your email and could reproduce the crash using your PoC.

Have you also reported the issue to the maintainers of net-snmp? We take net-snmp unmodified from Debian, so I assume the issue exists in all versions of it, even the latest ones. We need to coordinate the disclosure with them.

Yes, I also believe that this crash exists in all current versions of NET-SNMP. I also found this vulnerability in the source code of the latest version of Net-SNMP (version 5.9.1), and I compiled and installed Net-SNMP on Ubuntu to duplicate this vulnerability. But I can't find the contact information of NET-SNMP. It seems that only the cooperative manufacturer can contact him. Can you negotiate with them to disclose this vulnerability?

Alternatively, can you provide the contact information of NET-SNMP's PSIRT? I can also contact him for vulnerability disclosure.

@zoenan7 Have you managed to report to upstream?

I did not report it to the upstream, but another vendor helped me to report it to the upstream and gave me the relevant CVE number. You can check the following link about netsnmp: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016139

syncer moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.

@zoenan7 Thanks for getting back to me.
It looks like it is now fixed in upstream, so I will close this ticket.

@zoenan7 Thanks a lot for finding and reporting this!