Debian DLA-2299-1 : net-snmp security update

high Nessus Plugin ID 139207

Synopsis

The remote Debian host is missing a security update.

Description

A privilege escalation vulnerability vulnerability was discovered in Net-SNMP, a set of tools for collecting and organising information about devices on computer networks.

Upstream notes that :

- It is still possible to enable this MIB via the

--with-mib-modules configure option.

- Another MIB that provides similar functionality, namely ucd-snmp/extensible, is disabled by default.

- The security risk of ucd-snmp/pass and ucd-snmp/pass_persist is lower since these modules only introduce a security risk if the invoked scripts are exploitable.

For Debian 9 'Stretch', this issue has been fixed in net-snmp version 5.7.3+dfsg-1.7+deb9u2.

We recommend that you upgrade your net-snmp packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2020/07/msg00029.html

https://packages.debian.org/source/stretch/net-snmp

Plugin Details

Severity: High

ID: 139207

File Name: debian_DLA-2299.nasl

Version: 1.1

Type: local

Agent: unix

Published: 7/31/2020

Updated: 7/31/2020

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libsnmp-base, p-cpe:/a:debian:debian_linux:libsnmp-dev, p-cpe:/a:debian:debian_linux:libsnmp-perl, p-cpe:/a:debian:debian_linux:libsnmp30, p-cpe:/a:debian:debian_linux:libsnmp30-dbg, p-cpe:/a:debian:debian_linux:python-netsnmp, p-cpe:/a:debian:debian_linux:snmp, p-cpe:/a:debian:debian_linux:snmpd, p-cpe:/a:debian:debian_linux:snmptrapd, p-cpe:/a:debian:debian_linux:tkmib, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 7/30/2020

Vulnerability Publication Date: 7/30/2020