CVE-2006-2444
published 2006-05-25

Priority: P342 · high · 7.8 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 20.56% (97.2th percentile)

The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before 2.6.16.18 allows remote attackers to cause a denial of service (crash) via unspecified remote attack vectors that cause failures in snmp_trap_decode that trigger (1) frees of random memory or (2) frees of previously-freed memory (double-free) by snmp_trap_decode as well as its calling function, as demonstrated via certain test cases of the PROTOS SNMP test suite.

Affected

74 ranges · showing 25
Vendor · Product · Version range · Fixed in
linux · linux_kernel

Detection & IOCs (extracted from sources)

port: 161, 162
bytes: \x30\x0a\x02\x01\x00\x04\x03\x45\x43\x4c\xa4\x00
  • The exploit sends a crafted UDP packet to port 161 (SNMP) containing a malformed SNMP trap payload. Monitor for short (~11-byte) UDP payloads to port 161/162 beginning with the byte sequence 30 0a 02 01 00 04 03 45 43 4c a4.
  • The vulnerability is only exploitable when the ip_nat_snmp_basic kernel module is loaded and SNMP traffic on port 161 or 162 is being NATed. Detection should focus on hosts acting as NAT gateways with this module active.
  • The vulnerability was demonstrated using test cases from the PROTOS SNMP test suite; anomalous SNMP traffic patterns consistent with PROTOS fuzzing (malformed community strings, trap PDUs) should be flagged.
  • The exploit uses raw IPv4 sockets (libnet_write_raw_ipv4) with a randomised source IP and source port, making source-based filtering ineffective; detection must be payload/destination-port based.
  • The vulnerability only affects Linux kernels before 2.6.16.18; systems running 2.6.16.18 or later are not vulnerable.
  • Exploitation requires the ip_nat_snmp_basic module to be loaded AND SNMP traffic to be actively NATed; systems not performing SNMP NAT are not at risk even on vulnerable kernel versions.

CVSS provenance

nvd · v2.0 · 7.8 · HIGH · AV:N/AC:L/Au:N/C:N/I:N/A:C
vendor_redhat · 7.8 · HIGH
vendor_ubuntu · 6.9 · MEDIUM