CVE-2022-24809 Overview
CVE-2022-24809 is a NULL pointer dereference vulnerability in net-snmp, a widely used suite of applications that provide tools for the Simple Network Management Protocol (SNMP). Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a GET-NEXT request to the nsVacmAccessTable to cause a NULL pointer dereference, leading to a denial of service condition.
This vulnerability is particularly concerning because it can be exploited by users with only read-only credentials, which represents the lowest level of SNMP access permissions. The vulnerability affects the View-based Access Control Model (VACM) implementation, which is a core security component of SNMPv3.
Critical Impact
Authenticated attackers with read-only SNMP credentials can crash the SNMP daemon by sending specially crafted GET-NEXT requests with malformed OIDs to the nsVacmAccessTable, causing denial of service on network management infrastructure.
Affected Products
- net-snmp versions prior to 5.9.2
- Fedora 36
- Debian Linux 10.0 and 11.0
- Red Hat Enterprise Linux 9.0 and various EUS, AUS, and SAP Solutions versions
- Red Hat Enterprise Linux for ARM64, IBM Z Systems, and POWER architectures
Discovery Timeline
- 2024-04-16 - CVE-2022-24809 published to NVD
- 2025-01-17 - Last updated in NVD database
Technical Details for CVE-2022-24809
Vulnerability Analysis
This vulnerability exists in the net-snmp agent's handling of SNMP GET-NEXT operations against the nsVacmAccessTable. The VACM (View-based Access Control Model) is the standard access control mechanism for SNMPv3, and the nsVacmAccessTable is a net-snmp extension that provides additional access control functionality.
When a GET-NEXT request containing a malformed OID is sent to the nsVacmAccessTable, the SNMP agent fails to properly validate the OID structure before attempting to dereference it. This results in a NULL pointer dereference, which causes the SNMP daemon (snmpd) to crash. The vulnerability is particularly dangerous because it only requires read-only credentials to exploit, meaning even users with minimal access can trigger the denial of service.
The vulnerability was discovered by Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE, with fixes provided by Arista Networks.
Root Cause
The root cause is improper input validation in the OID parsing logic for the nsVacmAccessTable. When processing GET-NEXT requests, the code does not adequately verify that the OID structure is well-formed before attempting to use it. Specifically, the code fails to check for NULL values that may result from parsing malformed OID components, leading to a NULL pointer dereference (CWE-476) when the code attempts to access memory through the invalid pointer.
Attack Vector
The attack can be carried out remotely over the network by any user with valid SNMP read-only credentials. The attacker sends a specially crafted SNMP GET-NEXT request targeting the nsVacmAccessTable with a malformed OID. The SNMP daemon processes the request, encounters the malformed OID, and crashes due to the NULL pointer dereference.
For SNMPv1 or SNMPv2c, an attacker only needs to know the community string. For SNMPv3, valid authentication credentials (even with read-only permissions) are sufficient to exploit this vulnerability.
# Security patch from net-snmp 5.9.2 release notes:
*5.9.2*:
    security:
      - These two CVEs can be exploited by a user with read-only credentials:
          - CVE-2022-24805 A buffer overflow in the handling of the INDEX of
            NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
          - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
            can cause a NULL pointer dereference.
      - These CVEs can be exploited by a user with read-write credentials:
          - CVE-2022-24806 Improper Input Validation when SETing malformed
            OIDs in master agent and subagent simultaneously
          - CVE-2022-24807 A malformed OID in a SET request to
            SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
            out-of-bounds memory access.
          - CVE-2022-24808 A malformed OID in a SET request to
            NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
          - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
            can cause a NULL pointer dereference.
      - To avoid these flaws, use strong SNMPv3 credentials and do not share them.
        If you must use SNMPv1 or SNMPv2c, use a complex community string
        and enhance the protection by restricting access to a given IP address range.
Source: GitHub Net-SNMP Commit
Detection Methods for CVE-2022-24809
Indicators of Compromise
- Unexpected SNMP daemon (snmpd) crashes or restarts
- System logs showing segmentation faults or NULL pointer dereference errors in the SNMP daemon
- Unusual GET-NEXT requests targeting nsVacmAccessTable or VACM-related OIDs
- SNMP service availability interruptions without apparent cause
Detection Strategies
- Monitor SNMP daemon process stability and configure alerts for unexpected terminations
- Analyze SNMP traffic for malformed OID patterns in GET-NEXT requests, particularly those targeting VACM tables
- Implement network-based intrusion detection rules to identify anomalous SNMP request patterns
- Review system logs for snmpd crash events correlating with SNMP request activity
Monitoring Recommendations
- Enable verbose logging on SNMP daemons to capture request details before crashes occur
- Deploy network monitoring to track SNMP traffic volume and patterns for anomaly detection
- Configure process monitoring to automatically restart snmpd and alert administrators on crashes
- Implement centralized log collection to correlate SNMP-related events across infrastructure
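The log review described above can be automated. The following is an added example, not code from this advisory or from the net-snmp project: it finds snmpd segfault events in syslog text and lists the SNMP request sources logged in the seconds before each crash. It assumes ISO-8601 syslog timestamps and that snmpd connection logging is enabled; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from a real host). They follow the Linux kernel
# segfault message, systemd's exit report and snmpd's connection log line.
SAMPLE_LOG = """\
2024-05-02T10:14:20 nms01 snmpd[2214]: Connection from UDP: [10.20.0.15]:40112->[10.20.0.1]:161
2024-05-02T10:15:01 nms01 snmpd[2214]: Connection from UDP: [10.20.0.77]:51844->[10.20.0.1]:161
2024-05-02T10:15:01 nms01 kernel: snmpd[2214]: segfault at 0 ip 00007f3c2a1b4c10 sp 00007ffd5b2e1a40 error 4 in libnetsnmpmibs.so.40.1.0[7f3c2a190000+5a000]
2024-05-02T10:15:01 nms01 systemd[1]: snmpd.service: Main process exited, code=killed, status=11/SEGV
2024-05-02T11:40:12 nms01 snmpd[2390]: Connection from UDP: [10.20.0.15]:40550->[10.20.0.1]:161
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+\S+\s+"
CONN = re.compile(TS + r"snmpd\[\d+\]: Connection from UDP: \[(?P<src>[^\]]+)\]:\d+->")
SEGV = re.compile(TS + r"kernel: snmpd\[\d+\]: segfault at (?P<addr>[0-9a-f]+) ")
EXIT = re.compile(TS + r"systemd\[\d+\]: snmpd\.service: Main process exited, "
                       r"code=(?:killed|dumped), status=11/SEGV")

def find_crashes(log_text, window_s=5, null_page=0x1000):
    """Return one dict per snmpd crash, with request sources seen just before it."""
    window = timedelta(seconds=window_s)
    requests, crashes = [], []
    for line in log_text.splitlines():
        if m := CONN.match(line):
            requests.append((datetime.fromisoformat(m["ts"]), m["src"]))
            continue
        m = SEGV.match(line) or EXIT.match(line)
        if not m:
            continue
        when = datetime.fromisoformat(m["ts"])
        if crashes and when - crashes[-1]["time"] <= window:
            continue  # kernel and systemd lines describing the same crash
        addr = m.groupdict().get("addr")  # only the kernel line carries it
        crashes.append({
            "time": when,
            # A fault address inside the first page is what a NULL
            # pointer dereference looks like in the kernel message.
            "null_deref": addr is not None and int(addr, 16) < null_page,
            "sources": sorted({src for t, src in requests
                               if timedelta(0) <= when - t <= window}),
        })
    return crashes

if __name__ == "__main__":
    for crash in find_crashes(SAMPLE_LOG):
        print(crash["time"], "NULL-like" if crash["null_deref"] else "other", crash["sources"])
```

SNMP over UDP carries a spoofable source address, so treat the listed sources as leads for further review rather than attribution.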
How to Mitigate CVE-2022-24809
Immediate Actions Required
- Upgrade net-snmp to version 5.9.2 or later, which contains the security patch
- Restrict SNMP access to trusted IP address ranges using firewall rules or SNMP agent configuration
- Rotate all SNMP credentials, especially if using SNMPv1 or SNMPv2c community strings
- Audit and minimize the number of accounts with SNMP access credentials
Patch Information
The vulnerability is patched in net-snmp version 5.9.2. The fix is available in commit ce66eb97c17aa9a48bc079be7b65895266fa6775 on the net-snmp GitHub repository.
Multiple Linux distributions have released security updates:
- Debian: DSA-5209 and LTS announcement
- Fedora: Package update announcement
- Gentoo: GLSA 202210-29
- Red Hat: Track updates via Bug #2103225 and Bug #2105242
Workarounds
- Migrate from SNMPv1/SNMPv2c to SNMPv3 with strong authentication credentials
- Use complex, unique community strings if SNMPv1/SNMPv2c must be used
- Restrict SNMP access to specific trusted IP address ranges using ACLs or firewall rules
- Disable access to the nsVacmAccessTable if not required for operations
- Implement network segmentation to limit SNMP exposure to management networks only
# Restrict SNMP access to specific IP ranges in snmpd.conf
# Example configuration to limit access:
# For SNMPv3 (recommended): Configure strong authentication
createUser myUser SHA "authPassword123" AES "privPassword456"
rouser myUser priv
# For SNMPv1/v2c (if required): Restrict by IP
rocommunity complexCommunityString 192.168.1.0/24
rocommunity complexCommunityString 10.0.0.0/8
# Restrict source addresses at firewall level
# iptables example:
# iptables -A INPUT -p udp --dport 161 -s 192.168.1.0/24 -j ACCEPT
# iptables -A INPUT -p udp --dport 161 -j DROP
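To check an existing snmpd.conf against the source-restriction and community-string workarounds above, the following added example (not part of the original advisory or of net-snmp) flags community directives that accept requests from any address or use a default community string. The sample configuration is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed snmpd.conf fragment for the demo; community strings are placeholders.
SAMPLE_CONF = """\
rocommunity public
rocommunity complexCommunityString 192.168.1.0/24
rocommunity complexCommunityString default
rwcommunity complexCommunityString 0.0.0.0/0
com2sec -Cn ctx1 notConfigUser default complexCommunityString
rouser myUser priv
"""

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
DEFAULT_STRINGS = {"public", "private"}

def source_is_open(source):
    """True when SOURCE is absent, 'default', or a /0 network (any host)."""
    if source is None or source == "default":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or other form: left for manual review

def audit_snmpd_conf(text):
    """Return (line_no, directive, reason) for each unrestricted or default community."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
            community, source = args[0], (args[1] if len(args) > 1 else None)
        elif directive == "com2sec":
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) < 3:
                continue
            community, source = args[2], args[1]
        else:
            continue
        if source_is_open(source):
            findings.append((line_no, directive, "no source restriction"))
        if community.lower() in DEFAULT_STRINGS:
            findings.append((line_no, directive, "default community string"))
    return findings
```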

