| Name | CVE-2022-24809 |
| Description | net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a `GET-NEXT` to the `nsVacmAccessTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3088-1, DSA-5209-1 |
| Debian Bugs | 1016139 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| net-snmp (PTS) | buster | 5.7.3+dfsg-5+deb10u2 | vulnerable |
| buster (security) | 5.7.3+dfsg-5+deb10u4 | fixed |
| bullseye, bullseye (security) | 5.9+dfsg-4+deb11u1 | fixed |
| bookworm | 5.9.3+dfsg-2 | fixed |
| trixie | 5.9.4+dfsg-1 | fixed |
| sid | 5.9.4+dfsg-1.1 | fixed |
The information below is based on the following data on fixed versions.
Notes
https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3)
https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937 (v5.9.2.pre1)
https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 (v5.9.2.pre1)