CVE-2020-15862 : Net-SNMP through 5.8 has Improper Privilege Management because SNMP WRITE access

Net-SNMP through 5.8 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root.

Published 2020-08-20 01:17:14

Updated 2023-11-22 16:15:08

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2020-15862

Net-snmp » Net-snmp
Versions before (<) 5.8.1
cpe:2.3:a:net-snmp:net-snmp:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 20.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:esm:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Smi-s Provider » Version: N/A
cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*
Matching versions
Netapp » Hci Management Node » Version: N/A
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
Matching versions
Netapp » Solidfire » Version: N/A
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-15862

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 26 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-15862

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-15862

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-15862

https://security.gentoo.org/glsa/202008-12

Net-SNMP: Multiple vulnerabilities (GLSA 202008-12) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://security-tracker.debian.org/tracker/CVE-2020-15862

CVE-2020-15862
Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965166

#965166 - snmpd privilege escalation - Debian Bug report logs
Issue Tracking;Third Party Advisory
https://salsa.debian.org/debian/net-snmp/-/commit/fad8725402752746daf0a751dcff19eb6aeab52e

snmpd: Disable extend mib Closes: #965166 (fad87254) · Commits · Debian / net-snmp · GitLab
Patch;Third Party Advisory
https://security.netapp.com/advisory/ntap-20200904-0001/

August 2020 Net-SNMP Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4471-1/

USN-4471-1: Net-SNMP vulnerabilities | Ubuntu security notices | Ubuntu
Third Party Advisory

CVEs referencing this url
https://github.com/net-snmp/net-snmp/commit/77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205

make the extend mib read-only by default · net-snmp/net-snmp@77f6c60 · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-15862

Products affected by CVE-2020-15862

Exploit prediction scoring system (EPSS) score for CVE-2020-15862

CVSS scores for CVE-2020-15862

CWE ids for CVE-2020-15862

References for CVE-2020-15862