Vulnerability Details: CVE-2015-5621
Potential exploit
The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet.
Vulnerability category: Execute code, Denial of service
Products affected by CVE-2015-5621
- cpe:2.3:a:net-snmp:net-snmp:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-5621
- 9.99%: probability of exploitation activity in the next 30 days
- ~95%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-5621
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
CWE ids for CVE-2015-5621
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-5621
- http://www.openwall.com/lists/oss-security/2015/04/13/1
  oss-security - net-snmp snmp_pdu_parse() function incompletely initializaition vulnerability [Exploit]
- http://www.securityfocus.com/bid/76380
  Net-SNMP CVE-2015-5621 Remote Code Execution Vulnerability
- http://www.securitytracker.com/id/1033304
  Net-snmp Incomplete Parsing in snmp_pdu_parse() Lets Remote Users Crash snmpd or Execute Arbitrary Code - SecurityTracker
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00004.html
  openSUSE-SU-2015:1502-1: moderate: Security update for net-snmp
- http://www.openwall.com/lists/oss-security/2015/07/31/1
  oss-security - Re: net-snmp snmp_pdu_parse() function incompletely initializaition vulnerability
- https://bugzilla.redhat.com/show_bug.cgi?id=1212408
  1212408 – (CVE-2015-5621) CVE-2015-5621 net-snmp: snmp_pdu_parse() incompletely parsed varBinds left in list of variables
- http://support.citrix.com/article/CTX209443
  Citrix XenServer Multiple Security Updates
- http://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/
  net-snmp / Code / Commit [f23bcd]
- http://www.openwall.com/lists/oss-security/2015/04/16/15
  oss-security - Re: net-snmp snmp_pdu_parse() function incompletely initializaition vulnerability
- https://www.debian.org/security/2018/dsa-4154
  Debian -- Security Information -- DSA-4154-1 net-snmp
- https://www.exploit-db.com/exploits/45547/
  net-snmp 5.7.3 - (Authenticated) Denial of Service (PoC)
- http://rhn.redhat.com/errata/RHSA-2015-1636.html
  RHSA-2015:1636 - Security Advisory - Red Hat Customer Portal
- http://www.ubuntu.com/usn/USN-2711-1
  USN-2711-1: Net-SNMP vulnerabilities | Ubuntu security notices
- https://sourceforge.net/p/net-snmp/bugs/2615/
  net-snmp / Bugs / #2615 net-snmp snmp_pdu_parse() function incompletely initialization vulnerability
- https://cert-portal.siemens.com/productcert/pdf/ssa-978220.pdf