CLD-318 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-1000116 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) net-snmp
Deficiency Type SECURITY
Date Created 2018-03-07 13:32:41
Date Last Modified 2018-03-07 15:13:54

Version Specific Information:

Cucumber 1.0 i686 fixed in net-snmp-5.7.3-i686-2
Cucumber 1.0 x86_64 fixed in net-snmp-5.7.3-x86_64-2 and net-snmp-lib_i686-5.7.3-lib_i686-2

Cucumber 1.1 i686 fixed in net-snmp-5.7.3-i686-3
Cucumber 1.1 x86_64 fixed in net-snmp-5.7.3-x86_64-3 and net-snmp-lib_i686-5.7.3-lib_i686-3


=================================== Overview ===================================

NET-SNMP version 5.7.2 contains a heap corruption vulnerability in the UDP
protocol handler that can result in command execution. 

================================ Initial Report ================================


NET-SNMP is a service listening on a UDP port which provides useful information
to administrators related to the network, the CPU activity or the memory
currently used. It is usually polled in order to perform various sanity checks
using home made scripts. Access to this service is restricted using a community
secret (v1 and v2c of the protocol) or a more complex authentication process

The version 5.7.2 was vulnerable to a heap corruption within the parsing of the
PDU prior to the authentication process.

Details given in the attached document

================================= Our Analysis =================================

----- Affected Products -----
Net-snmp version 5.7.3 (as originally packaged in Cucumber Linux) is vulnerable
to this. This includes the origianl version of net-snmp in Cucumber Linux 1.0
and 1.1.

----- Scope and Impact of this Vulnerability -----
Allows for remote code execution.

----- Fix for this Vulnerability -----
Fixed in

================================= Our Solution =================================

We have applied a modified version of the aforementioned patch and rebuilt. The
modified patch can be found at: