Gentoo update for Net-SNMP
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-20892 CVE-2020-15861 CVE-2020-15862 |
| CWE-ID | CWE-415 CWE-61 CWE-732 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Gentoo Linux Operating systems & Components / Operating system |
| Vendor | Gentoo |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Double Free
EUVDB-ID: #VU29535
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-20892
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing an SNMPv3 GetBulk request in usm_free_usmStateReference in snmplib/snmpusm.c in net-snmp. A remote attacker can pass specially crafted data to the application, trigger double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
net-analyzer/net-snmp to version:
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202008-12
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) UNIX symbolic link following
EUVDB-ID: #VU45744
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15861
CWE-ID:
CWE-61 - UNIX Symbolic Link (Symlink) Following
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a symlink following issue in snmpd. A local user can bypass implemented security mechanism via *snmp-mibs-downloader package* and execute arbitrary commands on the system as root.
Update the affected packages.
net-analyzer/net-snmp to version:
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202008-12
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Incorrect permission assignment for critical resource
EUVDB-ID: #VU45745
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15862
CWE-ID:
CWE-732 - Incorrect Permission Assignment for Critical Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to insecure permissions set by the Net-snmp installed on Debian-based systems. A remote user can overwrite files in net-snmp directory via EXTEND MIB and execute arbitrary code on the system with root privileges.
Update the affected packages.
net-analyzer/net-snmp to version:
Gentoo Linux: All versions
External linkshttp://security.gentoo.org/
http://security.gentoo.org/glsa/202008-12
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
