A slice of Kimchi - IT Security Blog


CVE-2015-5677 - FreeBSD bsnmpd information disclosure

Product Description

The bsnmpd daemon serves the Internet SNMP (Simple Network Management Protocol). It is intended to serve only the absolute basic MIBs and implement all other MIBs through loadable modules.

Vulnerabilities Summary

By default, the bsnmpd configuration file in FreeBSD 9.3 and 10.x has weak permissions that allow a local user to retrieve sensitive information.

Details

By default, the permissions of the bsnmpd configuration file are 0644 instead of 0600:

root@freebsd-test-snmp:~ # ls -latr /etc/snmpd.config
-rw-r--r--  1 root  wheel  8662 Aug 12 16:27 /etc/snmpd.config
root@freebsd-test-snmp:~ #

This file is readable by any local user and contains the credentials for read-only and read-write access (for the SNMPv1, SNMPv2 and SNMPv3 protocols), giving a local user unnecessary and dangerous access:

root@freebsd-test-snmp:~ # cat /etc/snmpd.config
[...]

# Change this!
read := "public"
# Uncomment begemotSnmpdCommunityString.0.2 below that sets the community
# string to enable write access.
write := "geheim"
trap := "mytrap"

[...]

# SNMPv3 USM User definition
#
# [...]
#
#user1 := "bsnmp"
#user1passwd := 0x22:0x98:0x1a:0x6e:0x39:0x93:0x16:0x5e:0x6a:0x21:0x1b:0xd8:0xa9:0x81:0x31:0x05:0x16:0x33:0x38:0x60

[...]

Vendor Response

The official patch does not fix the permissions for existing installations.

This vulnerability can be fixed by changing the ownership of /etc/bsnmpd.conf to root:wheel and its permissions to 0600.
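A small audit helper for the fix above, added here as an example and not part of the advisory or of FreeBSD: it judges an ls -l line like the one shown earlier, flagging a configuration file that is not owned by root or that has any group/other permission bits set, and wraps the chown/chmod remediation. It assumes a POSIX sh and an ls -l layout with owner and group in the third and fourth columns.

```shell
#!/bin/sh
# Audit the mode and ownership of the bsnmpd configuration file.
# Added example, not code from the advisory. Assumes ls -l prints
# "mode links owner group size date name", as FreeBSD and GNU ls do.

# Judge one ls -l line. Returns 0 when the file is owned by root and
# has no group/other permission bits, 1 otherwise; prints the reason.
check_ls_line() {
    line=$1
    # split the line on whitespace into positional parameters
    set -- $line
    mode=$1 owner=$3 group=$4
    # characters 5-10 of the mode string are the group and other bits
    rest=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$owner" != "root" ]; then
        echo "owner is $owner, expected root"
        return 1
    fi
    if [ "$rest" != "------" ]; then
        echo "group/other bits set ($mode): readable by non-root users"
        return 1
    fi
    echo "ok ($mode $owner:$group)"
    return 0
}

# Audit a file on disk (default: the path from the advisory's listing).
check_file() {
    check_ls_line "$(ls -ld "${1:-/etc/snmpd.config}")"
}

# Remediate as the advisory recommends: root:wheel and mode 0600.
# Must run as root; the file path is passed explicitly on purpose.
fix_file() {
    chown root:wheel "$1" && chmod 0600 "$1"
}
```

Run check_file as a post-install or periodic check; it exits non-zero on the 0644 default shown above and zero once fix_file has been applied.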

Report Timeline

Credit

This vulnerability was found by Pierre Kim (@PierreKimSec).

References

https://pierrekim.github.io/advisories/CVE-2015-5677-freebsd-bsnmpd.txt

https://pierrekim.github.io/blog/2016-01-15-cve-2015-5677-freebsd-bsnmpd.html

https://www.freebsd.org/security/advisories/FreeBSD-SA-16:06.bsnmpd.asc

Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

published on 2016-01-15 00:00:00 by Pierre Kim <pierre.kim.sec@gmail.com>