CVE-2020-15862 Overview
CVE-2020-15862 is a privilege escalation vulnerability affecting Net-SNMP through version 5.8. The vulnerability stems from improper privilege management in the SNMP EXTEND MIB implementation, which allows authenticated users with SNMP WRITE access to execute arbitrary commands with root privileges on affected systems.
The vulnerability exists because the EXTEND MIB was writable by default, enabling any user with SNMP write permissions to configure and execute arbitrary shell commands. Since the SNMP daemon typically runs with elevated privileges, these commands execute as root, providing complete system compromise.
Critical Impact
Authenticated attackers with SNMP WRITE access can achieve full root-level command execution on vulnerable systems, leading to complete system compromise.
Affected Products
- Net-SNMP through version 5.8
- Canonical Ubuntu Linux 12.04, 14.04 ESM, 16.04 ESM, 18.04 ESM, 20.04 LTS
- NetApp Cloud Backup, HCI Management Node, SMI-S Provider, and SolidFire
Discovery Timeline
- 2020-08-20 - CVE-2020-15862 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-15862
Vulnerability Analysis
This vulnerability is classified as CWE-269 (Improper Privilege Management). The root cause lies in the Net-SNMP daemon's handling of the EXTEND MIB, which provides a mechanism for administrators to define and execute external programs through SNMP operations.
The EXTEND MIB was designed to allow system administrators to extend SNMP functionality by running custom scripts or commands. However, the default configuration allowed SNMP WRITE operations to modify this MIB, meaning any authenticated user with write access could inject arbitrary commands. Since the snmpd daemon typically runs as root to access system information, any commands executed through the EXTEND MIB inherit these root privileges.
An attacker exploiting this vulnerability would need valid SNMP credentials with write access to the target system. Once authenticated, they can use standard SNMP SET operations to configure a new extension entry with malicious commands, then trigger execution through the MIB interface.
Root Cause
The vulnerability originates from a design decision to make the EXTEND MIB writable by default. The agent/mibgroup/agent/extend.c file did not enforce read-only access to the EXTEND MIB tables, allowing any authenticated user with SNMP WRITE permissions to configure arbitrary command execution entries. This represents a failure to apply the principle of least privilege, as most deployments do not require remote SNMP users to modify extension configurations.
Attack Vector
The attack requires local access to the system or network-level access to the SNMP service (typically UDP port 161). An attacker must possess valid SNMP credentials with write access. The exploitation flow involves:
- Authenticate to the SNMP daemon using valid credentials with write access
- Use SNMP SET operations to create or modify an EXTEND MIB entry
- Configure the entry to execute arbitrary shell commands
- Trigger execution of the configured command
- Commands execute with root privileges, achieving full system compromise
The following patch was applied to address this vulnerability by making the EXTEND MIB read-only by default:
#define SHELLCOMMAND 3
#endif
+/* This mib is potentially dangerous to turn on by default, since it
+ * allows arbitrary commands to be set by anyone with SNMP WRITE
+ * access to the MIB table. If all of your users are "root" level
+ * users, then it may be safe to turn on. */
+#define ENABLE_EXTEND_WRITE_ACCESS 0
+
netsnmp_feature_require(extract_table_row_data);
netsnmp_feature_require(table_data_delete_table);
#ifndef NETSNMP_NO_WRITE_SUPPORT
Source: GitHub Net-SNMP Commit
Detection Methods for CVE-2020-15862
Indicators of Compromise
- Unexpected modifications to EXTEND MIB entries in SNMP configurations
- Unusual process execution spawned by the snmpd daemon process
- SNMP SET operations targeting OIDs within the EXTEND MIB namespace (.1.3.6.1.4.1.8072.1.3.2)
- Unexpected commands or scripts configured in /etc/snmp/snmpd.conf extend directives
Detection Strategies
- Monitor SNMP traffic for SET operations targeting the EXTEND MIB OID tree
- Implement file integrity monitoring on SNMP configuration files and extension scripts
- Review snmpd process child spawning activity for unexpected command execution
- Audit SNMP user accounts and their assigned access levels, flagging unnecessary write permissions
Monitoring Recommendations
- Enable detailed SNMP daemon logging to capture all SET operations
- Deploy network monitoring to detect SNMP write operations from unexpected sources
- Implement process execution monitoring on systems running snmpd to detect suspicious child processes
- Configure alerts for modifications to Net-SNMP configuration files
How to Mitigate CVE-2020-15862
Immediate Actions Required
- Update Net-SNMP to the latest patched version immediately
- Review and restrict SNMP user accounts, removing unnecessary write permissions
- Audit existing EXTEND MIB configurations for any unauthorized or suspicious entries
- Implement network segmentation to limit SNMP access to authorized management systems only
Patch Information
The vulnerability has been addressed by Net-SNMP maintainers through a patch that disables write access to the EXTEND MIB by default. The fix introduces the ENABLE_EXTEND_WRITE_ACCESS compile-time flag set to 0, requiring explicit opt-in for write access functionality.
Security patches are available from multiple sources:
- GitHub Net-SNMP Commit
- Debian Net-SNMP Commit
- Ubuntu Security Notice USN-4471-1
- Gentoo GLSA 202008-12
- NetApp Security Advisory
Workarounds
- Disable SNMP write access entirely if not required for operations
- Configure SNMP ACLs to restrict write access to trusted management hosts only
- Remove or comment out any extend directives in snmpd.conf that are not essential
- Run snmpd with reduced privileges using the -u flag to specify a non-root user where possible
# Configuration example - Restrict SNMP write access in snmpd.conf
# Allow read-only access from management network
rocommunity public 10.0.0.0/24
# Disable write access entirely (remove or comment out rwcommunity lines)
# rwcommunity private
# If write access is required, restrict to specific trusted hosts
# rwcommunity private 10.0.0.5
# Review and remove unnecessary extend directives
# extend test /usr/bin/example_script
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
