SNMPD hangs when a client browses a restricted OID
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
net-snmp (Ubuntu) | Confirmed | Undecided | Unassigned | | |
Bug Description
Overview:
When snmpd is configured to show a limited view of OIDs using VACM, it is possible to cause snmpd to hang by performing an snmpwalk.
Tested on 5.7.2~dfsg-
Steps to reproduce:
Use VACM to restrict the OIDs that a user has access to as follows: (I'll attach a full snmpd.conf below)
view limited_vw included .1.3.6.1.2.1.1
view limited_vw included .1.3.6.1.2.1.2
view limited_vw included .1.3.6.1.2.1.4.31
Perform an snmpwalk NOT using bulk walk
Expected result: A listing of the contents of those three OID trees
Actual result: snmpwalk will list all the OIDs up to iso.3.6.
All subsequent attempts to query any SNMP will time out. SNMPD has to be restarted before it will respond again. There doesn't seem to be anything useful in the logs.
Mitigation:
If the user is also allowed to browse two more OIDs the problem goes away:
view limited_vw included .1.3.6.1.2.1.1
view limited_vw included .1.3.6.1.2.1.2
# Necessary OIDs
view limited_vw included .1.3.6.1.2.1.4.1
view limited_vw included .1.3.6.1.2.1.4.25
#
view limited_vw included .1.3.6.1.2.1.4.31
Or, only query the host using snmpbulkwalk.
Hi Tom,
thank you for your report.
First of all I can confirm your issue.
I tested 16.04 but also the most recent 18.04 - it triggers the issue everywhere.
In a fresh container triggerable with:
$ apt install snmp snmpd
$ cat > /etc/snmp/snmpd.conf << EOF
agentAddress udp:161,udp6:[::1]:161
view limited_vw included .1.3.6.1.2.1.1
view limited_vw included .1.3.6.1.2.1.2
view limited_vw included .1.3.6.1.2.1.4.31
access limited_grp "" usm priv exact limited_vw none none
sysLocation dummylocation
sysContact dummycontact
createUser limited SHA "password" AES "password"
rouser limited priv -V limited_vw
createUser unlimited SHA "password" AES "password"
rouser unlimited priv
EOF
$ systemctl restart snmpd
# Now the unlimited case is fine:
$ snmpwalk -v3 -u unlimited -l authPriv -a SHA -x AES -A password -X password localhost
# Also the bulkwalk with the limited user is good
$ snmpbulkwalk -v3 -u limited -l authPriv -a SHA -x AES -A password -X password localhost
# But as reported the following seems to hang the server (command hangs, further commands hang immediately)
$ snmpwalk -v3 -u limited -l authPriv -a SHA -x AES -A password -X password localhost
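
A configuration check built from the two view definitions in this report, added here as an example (not code from the bug thread or from net-snmp): it flags any snmpd.conf view that exposes .1.3.6.1.2.1.4.31 without also exposing the two OIDs from the reporter's mitigation. The function names are hypothetical, view masks and symbolic OID names are not handled, and the rule encodes only what this report observed, not a root cause.

```python
from collections import defaultdict

# Values taken from this report; the sample configs are constructed from its lines.
TRIGGER_SUBTREE = ".1.3.6.1.2.1.4.31"
WORKAROUND_OIDS = (".1.3.6.1.2.1.4.1", ".1.3.6.1.2.1.4.25")
REPORTED_CONF = """\
view limited_vw included .1.3.6.1.2.1.1
view limited_vw included .1.3.6.1.2.1.2
view limited_vw included .1.3.6.1.2.1.4.31
rouser limited priv -V limited_vw
"""
MITIGATED_CONF = REPORTED_CONF + """\
# Necessary OIDs
view limited_vw included .1.3.6.1.2.1.4.1
view limited_vw included .1.3.6.1.2.1.4.25
"""

def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))

def parse_views(conf_text):
    """Return {view_name: [(subtree, included), ...]} from 'view' directives."""
    views = defaultdict(list)
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[0] != "view":
            continue
        if fields[2] not in ("included", "excluded"):
            continue
        try:
            views[fields[1]].append((parse_oid(fields[3]), fields[2] == "included"))
        except ValueError:
            continue  # symbolic OID name: outside what this example handles
    return dict(views)

def in_view(entries, oid):
    """VACM-style decision with masks ignored: the longest matching subtree wins."""
    best_len, allowed = -1, False
    for subtree, included in entries:
        if oid[:len(subtree)] == subtree and len(subtree) > best_len:
            best_len, allowed = len(subtree), included
    return allowed

def risky_views(conf_text):
    """Views that expose the trigger subtree without both workaround OIDs."""
    trigger = parse_oid(TRIGGER_SUBTREE)
    needed = [parse_oid(o) for o in WORKAROUND_OIDS]
    return sorted(name for name, entries in parse_views(conf_text).items()
                  if in_view(entries, trigger)
                  and not all(in_view(entries, o) for o in needed))
```

Calling `risky_views(open("/etc/snmp/snmpd.conf").read())` before a restart lists the views to extend with the two mitigation OIDs.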