| From de36cf1ecbb13a9541ec5d43ce20ab5030861837 Mon Sep 17 00:00:00 2001 |
| From: Wes Hardaker <opensource@hardakers.net> |
| Date: Thu, 23 Jul 2020 16:17:27 -0700 |
| Subject: [PATCH 1/1] make the extend mib read-only by default |
| |
| CVE: CVE-2020-15862 |
| Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205] |
| |
| Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> |
| --- |
| agent/mibgroup/agent/extend.c | 18 ++++++++++++------ |
| 1 file changed, 12 insertions(+), 6 deletions(-) |
| |
| diff --git a/agent/mibgroup/agent/extend.c b/agent/mibgroup/agent/extend.c |
| index 5f8cedc..38a6c50 100644 |
| --- a/agent/mibgroup/agent/extend.c |
| +++ b/agent/mibgroup/agent/extend.c |
| @@ -16,6 +16,12 @@ |
| #define SHELLCOMMAND 3 |
| #endif |
| |
| +/* This mib is potentially dangerous to turn on by default, since it |
| + * allows arbitrary commands to be set by anyone with SNMP WRITE |
| + * access to the MIB table. If all of your users are "root" level |
| + * users, then it may be safe to turn on. */ |
| +#define ENABLE_EXTEND_WRITE_ACCESS 0 |
| + |
| netsnmp_feature_require(extract_table_row_data) |
| netsnmp_feature_require(table_data_delete_table) |
| #ifndef NETSNMP_NO_WRITE_SUPPORT |
| @@ -742,7 +748,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler *handler, |
| * |
| **********/ |
| |
| -#ifndef NETSNMP_NO_WRITE_SUPPORT |
| +#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS |
| case MODE_SET_RESERVE1: |
| /* |
| * Validate the new assignments |
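Review bot: With the `case MODE_SET_RESERVE1:` group compiled out, any SET mode that still reaches `handle_nsExtendConfigTable` falls into the `default:` branch shown in the next hunk, which reports `SNMP_ERR_GENERR`; a manager (and anyone reading agent logs) then cannot tell a refused write from an internal failure. That matches what a `NETSNMP_NO_WRITE_SUPPORT` build already did, but it is now the default build, so it is worth answering SET requests explicitly with `SNMP_ERR_NOTWRITABLE` when the feature is disabled, as sketched below. If the table registration (outside this hunk) still declares the handler writable, changing it to read-only would be the cleaner fix, since the agent would then reject the SET before the handler runs; I cannot confirm the registration mode from the patch. The same `#if` guard is repeated in the hunks ending at the `default:` branch, the row-activation block and its closing `#endif`; the point applies once. The enclosing function starts and ends outside this hunk.
```c
#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
    case MODE_SET_RESERVE1:
        /* … unchanged: validation of the new assignments … */
#else
    case MODE_SET_RESERVE1:
    case MODE_SET_RESERVE2:
    case MODE_SET_ACTION:
    case MODE_SET_COMMIT:
    case MODE_SET_FREE:
    case MODE_SET_UNDO:
        /* table is read-only in this build: refuse, do not report genErr */
        netsnmp_set_request_error(reqinfo, request, SNMP_ERR_NOTWRITABLE);
        break;
#endif
```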
| @@ -1068,7 +1074,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler *handler, |
| } |
| } |
| break; |
| -#endif /* !NETSNMP_NO_WRITE_SUPPORT */ |
| +#endif /* !NETSNMP_NO_WRITE_SUPPORT and ENABLE_EXTEND_WRITE_ACCESS */ |
| |
| default: |
| netsnmp_set_request_error(reqinfo, request, SNMP_ERR_GENERR); |
| @@ -1076,7 +1082,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler *handler, |
| } |
| } |
| |
| -#ifndef NETSNMP_NO_WRITE_SUPPORT |
| +#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS |
| /* |
| * If we're marking a given row as active, |
| * then we need to check that it's ready. |
| @@ -1101,7 +1107,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler *handler, |
| } |
| } |
| } |
| -#endif /* !NETSNMP_NO_WRITE_SUPPORT */ |
| +#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */ |
| |
| return SNMP_ERR_NOERROR; |
| } |
| @@ -1590,7 +1596,7 @@ fixExec2Error(int action, |
| idx = name[name_len-1] -1; |
| exten = &compatability_entries[ idx ]; |
| |
| -#ifndef NETSNMP_NO_WRITE_SUPPORT |
| +#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS |
| switch (action) { |
| case MODE_SET_RESERVE1: |
| if (var_val_type != ASN_INTEGER) { |
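Review bot: `exten = &compatability_entries[ idx ];` two lines above the new `#if` now has no use in the default build, because its only reader (`exten->efix_entry->cache` in the next hunk) sits inside the disabled block, so `-Wunused-but-set-variable` fires for `exten` (and `idx` only feeds it); moving both assignments under the same `#if` keeps the default build warning-free. More importantly, the next hunk shows that after the `#endif` the function still ends in `return SNMP_ERR_NOERROR;`, so if the legacy write method is still wired up for this object (its registration is outside the patch) a SET would be reported as successful while doing nothing; an `#else` arm returning `SNMP_ERR_NOTWRITABLE;` before that `#endif` makes the refusal visible to the manager. fixExec2Error's signature is outside this hunk and its body continues in the following one.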
| @@ -1611,7 +1617,7 @@ fixExec2Error(int action, |
| case MODE_SET_COMMIT: |
| netsnmp_cache_check_and_reload( exten->efix_entry->cache ); |
| } |
| -#endif /* !NETSNMP_NO_WRITE_SUPPORT */ |
| +#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */ |
| return SNMP_ERR_NOERROR; |
| } |
| #endif /* USING_UCD_SNMP_EXTENSIBLE_MODULE */ |
| -- |
| 2.17.1 |
| |