CVE-2020-15862

Improper Privilege Management (CWE-269)

Published: Aug 20, 2020 | Modified: Sep 04, 2020

CVSS 3.x (source: NVD): 7.8 HIGH
  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 7.2 HIGH
  AV:L/AC:L/Au:N/C:C/I:C/A:C
Red Hat V3: 8.8 IMPORTANT
  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  (Red Hat scores the scope as changed, S:C, which is the only difference from the NVD vector and accounts for 8.8 versus 7.8.)
Red Hat V2: not provided
Ubuntu: no score provided

Net-SNMP through 5.7.3 has Improper Privilege Management: any SNMP principal with WRITE access to NET-SNMP-EXTEND-MIB (the nsExtendConfigTable behind the agent's "extend" feature) can define an extension entry whose command is then executed by snmpd, which ordinarily runs as root. Write access therefore amounts to arbitrary command execution as root; read-only access (e.g. a rocommunity) does not expose this.

Weakness

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name                                                         | Vendor   | Start Version                 | End Version
Net-snmp                                                     | Net-snmp | *                             | 5.7.3
Red Hat Enterprise Linux 6                                   | RedHat   | net-snmp-1:5.5-60.el6_10.2    | *
Red Hat Enterprise Linux 7                                   | RedHat   | net-snmp-1:5.7.2-49.el7_9.1   | *
Red Hat Enterprise Linux 7.4 Advanced Update Support         | RedHat   | net-snmp-1:5.7.2-28.el7_4.4   | *
Red Hat Enterprise Linux 7.4 Telco Extended Update Support   | RedHat   | net-snmp-1:5.7.2-28.el7_4.4   | *
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions | RedHat | net-snmp-1:5.7.2-28.el7_4.4   | *
Red Hat Enterprise Linux 7.6 Extended Update Support         | RedHat   | net-snmp-1:5.7.2-38.el7_6.3   | *
Red Hat Enterprise Linux 7.7 Extended Update Support         | RedHat   | net-snmp-1:5.7.2-43.el7_7.7   | *
Red Hat Enterprise Linux 8                                   | RedHat   | net-snmp-1:5.8-18.el8_3.1     | *
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions | RedHat | net-snmp-1:5.8-7.el8_0.4      | *
Red Hat Enterprise Linux 8.1 Extended Update Support         | RedHat   | net-snmp-1:5.8-12.el8_1.3     | *
Red Hat Enterprise Linux 8.2 Extended Update Support         | RedHat   | net-snmp-1:5.8-14.el8_2.3     | *
Net-snmp (Ubuntu bionic)                                     | Ubuntu   | *                             | *
Net-snmp (Ubuntu devel)                                      | Ubuntu   | *                             | *
Net-snmp (Ubuntu esm-infra/xenial)                           | Ubuntu   | *                             | *
Net-snmp (Ubuntu focal)                                      | Ubuntu   | *                             | *
Net-snmp (Ubuntu trusty)                                     | Ubuntu   | *                             | *
Net-snmp (Ubuntu trusty/esm)                                 | Ubuntu   | *                             | *
Net-snmp (Ubuntu upstream)                                   | Ubuntu   | *                             | *
Net-snmp (Ubuntu xenial)                                     | Ubuntu   | *                             | *

The Red Hat rows give the package NEVR the tracker associates with each product stream; the Ubuntu rows list release names only, with no version range.

Potential Mitigations

Apply the vendor update for your distribution. Until it is installed, treat a writable EXTEND MIB as equivalent to a root shell: do not grant SNMP write access (rwcommunity, rwcommunity6, rwuser, or a VACM access line with a write view) to any principal you would not trust with root on the host, prefer SNMPv3 with authentication and privacy for any write user, and scope every write view so that it excludes NET-SNMP-EXTEND-MIB (.1.3.6.1.4.1.8072.1.3.2). Read-only access does not expose this issue.

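One way to check a host for this exposure, as an added example that is not part of the original page and not Net-SNMP's own code: a small Python audit of snmpd.conf that flags every rwcommunity, rwcommunity6 or rwuser grant whose write scope reaches NET-SNMP-EXTEND-MIB (.1.3.6.1.4.1.8072.1.3.2, nsExtendObjects), whether the grant is unrestricted, restricted to an OID subtree, or restricted to a named view. The two sample configurations are constructed; the lower-level com2sec/group/access form and view masks are assumed out of scope.

```python
"""Audit an snmpd.conf for SNMP write access that reaches NET-SNMP-EXTEND-MIB.

Added example for CVE-2020-15862; not Net-SNMP's own code. It handles the
rwcommunity / rwcommunity6 / rwuser and view directives only; the VACM
com2sec / group / access form and view masks are assumed out of scope.
"""

# NET-SNMP-EXTEND-MIB::nsExtendObjects; nsExtendConfigTable lives beneath it.
NS_EXTEND_OBJECTS = (1, 3, 6, 1, 4, 1, 8072, 1, 3, 2)


def parse_oid(text):
    """'.1.3.6.1' -> (1, 3, 6, 1)"""
    return tuple(int(p) for p in text.strip(".").split("."))


def is_prefix(a, b):
    """True if OID a is b itself or an ancestor of b."""
    return len(a) <= len(b) and b[: len(a)] == a


def _parse_restriction(args):
    """[OID | -V VIEW [CONTEXT]] -> None, ('oid', tuple) or ('view', name)."""
    if not args:
        return None
    if args[0] == "-V":
        return ("view", args[1]) if len(args) > 1 else None
    return ("oid", parse_oid(args[0]))


def parse_config(text):
    views = {}   # view name -> [(included|excluded, oid), ...]
    grants = []  # (directive, principal, restriction)
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        kw = parts[0].lower()
        if kw == "view" and len(parts) >= 4:
            views.setdefault(parts[1], []).append((parts[2].lower(), parse_oid(parts[3])))
        elif kw in ("rwcommunity", "rwcommunity6") and len(parts) >= 2:
            # rwcommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
            grants.append((kw, parts[1], _parse_restriction(parts[3:])))
        elif kw == "rwuser" and len(parts) >= 2:
            # rwuser USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
            rest = parts[2:]
            if rest and rest[0].lower() in ("noauth", "auth", "priv"):
                rest = rest[1:]
            grants.append((kw, parts[1], _parse_restriction(rest)))
    return views, grants


def view_reaches_extend(entries):
    """Does a view expose any part of nsExtendObjects?

    The most specific (longest) included/excluded subtree covering an OID
    decides its visibility, so an 'excluded' entry at or above nsExtendObjects
    hides it, while an 'included' entry below it still exposes part of it.
    """
    covering = [(oid, kind) for kind, oid in entries if is_prefix(oid, NS_EXTEND_OBJECTS)]
    root_included = bool(covering) and max(covering, key=lambda e: len(e[0]))[1] == "included"
    below_included = any(
        kind == "included" and is_prefix(NS_EXTEND_OBJECTS, oid) and len(oid) > len(NS_EXTEND_OBJECTS)
        for kind, oid in entries
    )
    return root_included or below_included


def audit(text):
    """Return one finding per write grant whose scope reaches the EXTEND MIB."""
    views, grants = parse_config(text)
    findings = []
    for directive, principal, restriction in grants:
        if restriction is None:
            reach = True  # unrestricted write access covers the whole tree
        elif restriction[0] == "oid":
            sub = restriction[1]
            reach = is_prefix(sub, NS_EXTEND_OBJECTS) or is_prefix(NS_EXTEND_OBJECTS, sub)
        else:
            reach = view_reaches_extend(views.get(restriction[1], []))  # unknown view: nothing visible
        if reach:
            findings.append(f"{directive} {principal}: write scope reaches .1.3.6.1.4.1.8072.1.3.2 (nsExtendObjects)")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """\
rocommunity public
rwcommunity private            # unrestricted write: root command execution via EXTEND
"""

HARDENED_CONF = """\
view mgmt included  .1.3.6.1.2.1
view mgmt included  .1.3.6.1.4.1.8072
view mgmt excluded  .1.3.6.1.4.1.8072.1.3.2   # carve out NET-SNMP-EXTEND-MIB
rwcommunity private 10.0.0.5 -V mgmt
rwuser    admin priv .1.3.6.1.2.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no write path to the EXTEND MIB"])
```

Run it against /etc/snmp/snmpd.conf (and any files it includes) on the host; a finding means the named community or user can create nsExtendConfigTable rows and so run commands as the agent's user. The hardened sample shows the usual shape of the fix: an explicit view that excludes the EXTEND subtree, attached to every write grant with -V.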