## Advisory Information

Title: FreeBSD bsnmpd information disclosure
Advisory URL: https://pierrekim.github.io/advisories/CVE-2015-5677-freebsd-bsnmpd.txt
Blog URL: https://pierrekim.github.io/blog/2016-01-15-cve-2015-5677-freebsd-bsnmpd.html
Date published: 2016-01-15
Vendors contacted: FreeBSD
Release mode: Released
CVE: CVE-2015-5677

## Product Description

The bsnmpd daemon serves the Internet SNMP (Simple Network Management Protocol). It is intended to serve only the absolute basic MIBs and implement all other MIBs through loadable modules.

## Vulnerabilities Summary

By default, the bsnmpd configuration file in FreeBSD 9.3 and 10.x has weak permissions, which allow a local user to retrieve sensitive information.

## Details

By default the permissions of the bsnmpd configuration file are 0644 instead of 0600:

    root@freebsd-test-snmp:~ # ls -latr /etc/snmpd.config
    -rw-r--r--  1 root  wheel  8662 Aug 12 16:27 /etc/snmpd.config
    root@freebsd-test-snmp:~ #

This file is readable by a local user and contains the credentials for read-only and read-write access (for SNMPv1, SNMPv2 and SNMPv3 protocols) and gives a local user unnecessary/dangerous access:

    root@freebsd-test-snmp:~ # cat /etc/snmpd.config
    [...]
    # Change this!
    read := "public"
    # Uncomment begemotSnmpdCommunityString.0.2 below that sets the community
    # string to enable write access.
    write := "geheim"
    trap := "mytrap"
    [...]
    # SNMPv3 USM User definition
    #
    # [...]
    #
    #user1 := "bsnmp"
    #user1passwd := 0x22:0x98:0x1a:0x6e:0x39:0x93:0x16:0x5e:0x6a:0x21:0x1b:0xd8:0xa9:0x81:0x31:0x05:0x16:0x33:0x38:0x60
    [...]

## Vendor Response

The official patch does not fix the permissions for existing installations.

This vulnerability can be fixed by setting the owner of /etc/bsnmpd.conf to root:wheel and its permissions to 0600.

## Report Timeline

* Nov 04, 2015: Vulnerability found by Pierre Kim.
* Nov 05, 2015: security-officer@freebsd.org is notified of the vulnerability.
* Nov 07, 2015: security-officer@freebsd.org confirms the vulnerability, but patching existing installations does not seem to be feasible.
* Nov 11, 2015: Pierre Kim asks security-officer@freebsd.org for a CVE number, using FreeBSD CVE pool for future FreeBSD vulnerabilities.
* Nov 11, 2015: security-officer@freebsd.org assigns CVE-2015-5677.
* Jan 05, 2016: Pierre Kim asks about the status of the vulnerability.
* Jan 13, 2016: Pierre Kim states he will release a security advisory on Feb 05, 2016 after a 3-month embargo.
* Jan 13, 2016: security-officer@freebsd.org confirms a security advisory will be issued on Jan 19, 2016.
* Jan 14, 2016: An official advisory is published by FreeBSD.
* Jan 15, 2016: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Pierre Kim (@PierreKimSec).

## References

https://pierrekim.github.io/advisories/CVE-2015-5677-freebsd-bsnmpd.txt
https://pierrekim.github.io/blog/2016-01-15-cve-2015-5677-freebsd-bsnmpd.html
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:06.bsnmpd.asc

## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
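An added example, not part of the original advisory or the FreeBSD patch: because the official patch leaves existing installations untouched, a per-host check like the one below can flag a bsnmpd configuration file that is still accessible beyond its owner and then tighten it. The function names are hypothetical, and the default path is the one shown in the Details listing.

```shell
#!/bin/sh
# Added example: audit and tighten the mode of a bsnmpd configuration file.
# CONF_DEFAULT is the path from the Details listing; function names are hypothetical.
CONF_DEFAULT=/etc/snmpd.config

# Print the 9-character permission string (e.g. rw-r--r--) using POSIX ls only,
# which avoids the stat(1) flag differences between FreeBSD and other systems.
mode_string() {
    ls -ldn "$1" | awk '{ print substr($1, 2, 9) }'
}

# Names (never values) of uncommented community-string and USM password macros.
active_secrets() {
    awk '/^[ \t]*(read|write|trap|user[0-9]+passwd)[ \t]*:=/ {
        sub(/[ \t]*:=.*/, ""); sub(/^[ \t]*/, ""); print
    }' "${1:-$CONF_DEFAULT}"
}

# Return 0 if group and other have no access, 1 if exposed, 2 if the file is missing.
audit_snmpd_config() {
    f=${1:-$CONF_DEFAULT}
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    perms=$(mode_string "$f")
    case "$perms" in
        ???------) echo "ok: $f ($perms)"; return 0 ;;
    esac
    echo "exposed: $f ($perms) is accessible beyond its owner"
    # Show which secrets were readable so they can be reviewed, without logging them.
    active_secrets "$f" | sed 's/^/  holds: /'
    return 1
}

# Owner-only read/write, as the advisory recommends. Setting the owner to
# root:wheel requires root and is left to the caller.
fix_snmpd_config() {
    chmod 600 "${1:-$CONF_DEFAULT}"
}
```

Source the file as root and call `audit_snmpd_config`, then `fix_snmpd_config` on any host that reports `exposed`.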