CVE-2022-24806 Overview
CVE-2022-24806 is an Improper Input Validation vulnerability affecting net-snmp, a widely used suite of tools for the Simple Network Management Protocol (SNMP). Prior to version 5.9.2, authenticated users with read-write credentials can exploit this flaw by sending malformed OIDs in SET requests to the master agent and subagent simultaneously. This vulnerability can lead to denial of service conditions on affected systems running vulnerable net-snmp versions.
SNMP is a critical protocol used extensively in enterprise network management, making vulnerabilities in net-snmp particularly concerning for organizations managing large-scale infrastructure. The vulnerability requires authentication but can be exploited remotely over the network.
Critical Impact
Authenticated attackers with read-write SNMP credentials can cause denial of service conditions by exploiting improper input validation when processing malformed OIDs in concurrent master agent and subagent operations.
Affected Products
- net-snmp versions prior to 5.9.2
- Fedora 35 and 36
- Debian Linux 10.0 and 11.0
- Red Hat Enterprise Linux 9.0 and various EUS releases
- Red Hat Enterprise Linux for ARM64, IBM z Systems, and Power architectures
Discovery Timeline
- 2022 - Vulnerability discovered by Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE
- 2022 - Security patch developed with assistance from Arista Networks
- 2024-04-16 - CVE-2022-24806 published to NVD
- 2025-01-17 - Last updated in NVD database
Technical Details for CVE-2022-24806
Vulnerability Analysis
The vulnerability exists in net-snmp's handling of SET operations when malformed Object Identifiers (OIDs) are processed simultaneously by both the master agent and subagent components. The improper input validation allows specially crafted OIDs to bypass normal validation checks when these components interact concurrently, leading to unexpected behavior and potential service disruption.
This vulnerability is part of a family of related security issues (CVE-2022-24805 through CVE-2022-24810) discovered in net-snmp that affect various aspects of OID handling and VACM (View-based Access Control Model) table operations. While some of the related vulnerabilities only require read-only credentials, CVE-2022-24806 specifically requires read-write access to exploit.
Root Cause
The root cause is inadequate input validation in the code paths handling SET requests when malformed OIDs are processed by both the master agent and subagent simultaneously. The concurrent processing of these malformed inputs exposes a validation gap that allows the malformed data to cause improper system behavior. The fix implemented in version 5.9.2 adds proper validation checks to reject malformed OIDs before they can be processed in these concurrent scenarios.
Attack Vector
The attack requires network access to the SNMP service (typically UDP port 161) and valid read-write credentials. An attacker must:
- Obtain valid SNMPv1/v2c community strings with read-write access, or SNMPv3 credentials with appropriate privileges
- Craft malformed OID values designed to bypass input validation
- Send SET requests targeting operations that involve both master agent and subagent processing simultaneously

The improper handling of these concurrent operations with malformed OIDs then leads to denial of service.
```
# From net-snmp version 5.9.2 CHANGES file - Security fixes documentation
# Source: https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775
*5.9.2*:
    security:
      - These two CVEs can be exploited by a user with read-only credentials:
          - CVE-2022-24805 A buffer overflow in the handling of the INDEX of
            NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
          - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
            can cause a NULL pointer dereference.
      - These CVEs can be exploited by a user with read-write credentials:
          - CVE-2022-24806 Improper Input Validation when SETing malformed
            OIDs in master agent and subagent simultaneously
          - CVE-2022-24807 A malformed OID in a SET request to
            SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
            out-of-bounds memory access.
          - CVE-2022-24808 A malformed OID in a SET request to
            NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
          - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
            can cause a NULL pointer dereference.
      - To avoid these flaws, use strong SNMPv3 credentials and do not share them.
        If you must use SNMPv1 or SNMPv2c, use a complex community string
        and enhance the protection by restricting access to a given IP address range.
      - Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
        reporting the following CVEs that have been fixed in this release, and
        to Arista Networks for providing fixes.
```
Source: GitHub Net-SNMP Commit
Detection Methods for CVE-2022-24806
Indicators of Compromise
- Unusual SNMP SET requests containing malformed or abnormally structured OIDs
- SNMP daemon crashes or unexpected service restarts on monitored systems
- Log entries indicating OID parsing errors or validation failures in snmpd logs
- Increased SNMP traffic from unauthorized or unexpected source IP addresses
Detection Strategies
- Monitor SNMP service logs for repeated parsing errors, validation failures, or crash events
- Implement network-based intrusion detection rules to flag SNMP SET requests with malformed OID structures
- Deploy endpoint detection to monitor for snmpd process crashes or abnormal terminations
- Audit SNMP authentication attempts and flag any unusual access patterns with read-write credentials
Monitoring Recommendations
- Enable detailed logging for snmpd to capture OID processing errors and authentication events
- Configure alerts for SNMP service availability to detect denial of service conditions
- Review SNMP community strings and SNMPv3 user accounts for unauthorized changes
- Monitor network traffic for SNMP requests originating from unexpected IP addresses or geographic locations
How to Mitigate CVE-2022-24806
Immediate Actions Required
- Upgrade net-snmp to version 5.9.2 or later to obtain the security patch
- Migrate from SNMPv1/v2c to SNMPv3 with strong authentication and encryption
- Restrict SNMP access to trusted IP address ranges using firewall rules or SNMP access control lists
- Review and strengthen SNMP credentials, avoiding shared or default community strings
Patch Information
The vulnerability is fixed in net-snmp version 5.9.2. The security patch is available via the GitHub Net-SNMP Commit. Distribution-specific patches are available through:
- Debian Security Advisory DSA-5209
- Debian LTS Announcement
- Fedora Package Announcement
- Gentoo GLSA Advisory
- Red Hat Bug Report
Workarounds
- Use strong SNMPv3 credentials with authentication and privacy protocols enabled, and do not share credentials across systems
- If SNMPv1 or SNMPv2c must be used, implement complex community strings that are difficult to guess
- Restrict SNMP access to specific trusted IP addresses or network ranges using host-based or network firewalls
- Disable read-write SNMP access where not strictly required, limiting exposure to read-only operations
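```
# Example snmpd.conf configuration to restrict access
# Restrict SNMP access to the trusted management network only.
# Replace the placeholder community strings with long random values;
# do not deploy the defaults "public" or "private".
rocommunity <ro-community-string> 10.0.0.0/24
# Omit the rwcommunity line entirely if read-write access is not required
rwcommunity <rw-community-string> 10.0.0.5/32
# For SNMPv3 (recommended), configure strong auth and privacy
# (passphrases are placeholders; each user must be created before it is granted access)
# createUser myuser SHA "<auth-passphrase>" AES "<priv-passphrase>"
# createUser myadmin SHA "<auth-passphrase>" AES "<priv-passphrase>"
# rouser myuser priv
# rwuser myadmin priv
# Firewall rule to restrict SNMP access (iptables example)
# iptables -A INPUT -p udp --dport 161 -s 10.0.0.0/24 -j ACCEPT
# iptables -A INPUT -p udp --dport 161 -j DROP
```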
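The workarounds above can be checked mechanically. The following audit of snmpd.conf access directives is an added example, not code from net-snmp or from this advisory; the severity labels, the finding messages and the sample configuration are constructed for illustration.

```python
import ipaddress

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
USER_DIRECTIVES = {"rouser", "rwuser"}

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
# management access
rocommunity public
rwcommunity private 10.0.0.5/32
rocommunity 9fK2qLx7RmZ0 10.0.0.0/24
rwuser myadmin auth
rouser myuser priv
"""

def source_is_open(source):
    """True when SOURCE admits any host: missing, 'default', or a /0 network."""
    if source is None or source == "default":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or similar: counts as a restriction

def audit_snmpd_conf(text):
    """Return (line_number, severity, message) findings for access directives."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive not in COMMUNITY_DIRECTIVES | USER_DIRECTIVES or not args:
            continue
        if directive.startswith("rw"):
            findings.append((lineno, "review", "read-write access: SET requests allowed"))
        if directive in COMMUNITY_DIRECTIVES:
            if args[0].lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "high", "default community string"))
            if source_is_open(args[1] if len(args) > 1 else None):
                findings.append((lineno, "high", "no source address restriction"))
        else:
            rest = args[2:] if args[0] == "-s" else args  # skip optional "-s SECMODEL"
            level = rest[1] if len(rest) > 1 else "auth"  # snmpd default minimum is auth
            if level != "priv":
                findings.append((lineno, "medium", "privacy (encryption) not enforced"))
    return findings
```

Every `review` finding marks a credential that can issue SET requests, which is the access level CVE-2022-24806 requires, so each one should map to a documented operational need.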