CVE-2006-2444
Published: 2006-05-25
Priority: P3 · 42 · high · 7.8 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 20.56% (97.2th percentile)
The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before 2.6.16.18 allows remote attackers to cause a denial of service (crash) via unspecified remote attack vectors that cause failures in snmp_trap_decode that trigger (1) frees of random memory or (2) frees of previously-freed memory (double-free) by snmp_trap_decode as well as its calling function, as demonstrated via certain test cases of the PROTOS SNMP test suite.
Affected
74 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | — | — |
Detection & IOCs (extracted from sources)
bytes:
\x30\x0a\x02\x01\x00\x04\x03\x45\x43\x4c\xa4\x00
- The exploit sends a crafted UDP packet to port 161 (SNMP) containing a malformed SNMP trap payload. Monitor for short (~11-byte) UDP payloads to port 161/162 beginning with the byte sequence 30 0a 02 01 00 04 03 45 43 4c a4.
- The vulnerability is only exploitable when the ip_nat_snmp_basic kernel module is loaded and SNMP traffic on port 161 or 162 is being NATed. Detection should focus on hosts acting as NAT gateways with this module active.
- The vulnerability was demonstrated using test cases from the PROTOS SNMP test suite; anomalous SNMP traffic patterns consistent with PROTOS fuzzing (malformed community strings, trap PDUs) should be flagged.
- The exploit uses raw IPv4 sockets (libnet_write_raw_ipv4) with a randomised source IP and source port, making source-based filtering ineffective; detection must be payload/destination-port based.
- The vulnerability only affects Linux kernels before 2.6.16.18; systems running 2.6.16.18 or later are not vulnerable.
- Exploitation requires the ip_nat_snmp_basic module to be loaded AND SNMP traffic to be actively NATed; systems not performing SNMP NAT are not at risk even on vulnerable kernel versions.
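The checks listed above, combined into one sketch. This is an added example, not code from this page or from any vendor or project it cites. The function names are hypothetical, and the BER walk that flags an SNMP message whose Trap-PDU has no body is a heuristic assumed here that goes beyond the exact byte prefix the page gives.

```python
import re

# 11-byte prefix quoted on the page; ports and fixed version also come from the page.
SIGNATURE = bytes.fromhex("300a020100040345434ca4")
SNMP_PORTS = {161, 162}
FIXED = (2, 6, 16, 18)

def kernel_tuple(release):
    """'2.6.16.17-smp' -> (2, 6, 16, 17); missing components count as 0."""
    m = re.match(r"\d+(?:\.\d+)*", release)
    parts = [int(p) for p in m.group(0).split(".")] if m else []
    return tuple((parts + [0, 0, 0, 0])[:4])

def host_exposed(release, proc_modules):
    """Kernel older than 2.6.16.18 AND ip_nat_snmp_basic loaded.
    Vendor kernels backport fixes, so True means 'candidate', not 'confirmed'."""
    loaded = any(l.split()[:1] == ["ip_nat_snmp_basic"] for l in proc_modules.splitlines())
    return loaded and kernel_tuple(release) < FIXED

def tlv(buf, off):
    """Read one short-form BER TLV: (tag, value_start, value_end), or None if it does not fit."""
    if off + 2 > len(buf) or buf[off + 1] & 0x80:
        return None
    end = off + 2 + buf[off + 1]
    return (buf[off], off + 2, end) if end <= len(buf) else None

def empty_trap_pdu(payload):
    """Assumed heuristic: SEQUENCE { INTEGER, OCTET STRING, Trap-PDU (0xa4) with no body }."""
    node = tlv(payload, 0)
    if not node or node[0] != 0x30:
        return False
    pos = node[1]
    for tag in (0x02, 0x04):              # version, then community string
        node = tlv(payload, pos)
        if not node or node[0] != tag:
            return False
        pos = node[2]
    node = tlv(payload, pos)
    return bool(node) and node[0] == 0xA4 and node[1] == node[2]

def flag_packet(dport, payload):
    """Return why a UDP datagram is suspicious, or None. The source address is ignored."""
    if dport not in SNMP_PORTS:
        return None
    if payload.startswith(SIGNATURE):
        return "signature"
    return "empty-trap-pdu" if empty_trap_pdu(payload) else None
```

Feed `host_exposed` the output of `uname -r` and the contents of `/proc/modules` from the NAT gateway; `flag_packet` takes the destination port and UDP payload from a capture.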
CVSS provenance
nvd · v2.0 · 7.8 HIGH · AV:N/AC:L/Au:N/C:N/I:N/A:C
vendor_redhat · 7.8 HIGH
vendor_ubuntu · 6.9 MEDIUM
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2006-06-15·CVSS 6.9
CVE-2006-1856 [MEDIUM] Linux kernel vulnerabilities
An integer overflow was discovered in the do_replace() function. A
local user process with the CAP_NET_ADMIN capability could exploit
this to execute arbitrary commands with full root privileges.
However, none of Ubuntu's supported packages use this capability with
any non-root user, so this only affects you if you use some third
party software like the OpenVZ virtualization system. (CVE-2006-0038)
On EMT64 CPUs, the kernel did not properly handle uncanonical return
addresses. A local user could exploit this to trigger a kernel crash.
(CVE-2006-0744)
Al Viro discovered a local Denial of Service in the sysfs write buffer
handling. By writing a block with a length exactly equal to the
processor's page size to any w
Red Hat
security flaw
vendor_redhat·2006-05-20·CVSS 7.8
CVE-2006-2444 [HIGH] security flaw
GHSA
GHSA-c9wr-fgjx-x6hj: The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before 2
ghsa_unreviewed·2022-05-01
CVE-2006-2444 [HIGH] GHSA-c9wr-fgjx-x6hj: The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before 2
No detection rules found.
Bugzilla
CVE-2006-2444 security flaw
bugzilla·2018-08-16·CVSS 7.8
CVE-2006-2444 [HIGH] CVE-2006-2444 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before 2.6.16.18 allows remote attackers to cause a denial of service (crash) via unspecified remote attack vectors that cause failures in snmp_trap_decode that trigger (1) frees of random memory or (2) frees of previously-freed memory (double-free) by snmp_trap_decode as well as its calling function, as demonstrated via certain test cases of the PROTOS SNMP test suite.
Bugzilla
Various kernel security issues - July thru October 2006
bugzilla·2006-07-24·CVSS 4.9
[MEDIUM] Various kernel security issues - July thru October 2006
This bug will track the various kernel issues up to July 2006.
Discussion:
*** Bug 188935 has been marked as a duplicate of this bug. ***
---
*** Bug 190082 has been marked as a duplicate of this bug. ***
---
*** Bug 190083 has been marked as a duplicate of this bug. ***
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here are updated kernel packages to QA for FC3:
* Sun Jul 16 2006 Marc Deslauriers
2.6.12-2.4.legacy_FC3
- - Added patches for:
CVE-2005-3359 (incorrect increment/decrement in atm module)
CVE-2006-0555 (nfs: fix client panic using O_DIRECT)
CVE-2006-0741 (fix for ELF exec vulnerability on EM64T)
CVE-2006-0744 (fix for ELF exec vulnerability on EM64T)
CVE-2006-1525 (panic in ip_route_input() via inet_rtm_getro
Bugzilla
CVE-2006-2444 SNMP NAT netfilter memory corruption
bugzilla·2006-05-22·CVSS 7.8
CVE-2006-2444 [HIGH] CVE-2006-2444 SNMP NAT netfilter memory corruption
The SNMP NAT helper netfilter can cause a memory corruption. The corruption can
be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on
port 161 or 162 is NATed.
Proposed upstream fix can be found here:
https://lists.netfilter.org/pipermail/netfilter-devel/2006-May/024422.html
Discussion:
Reapplying lost comment from [email protected] on 2006-06-12 15:14 EST:
Building a test kernel now. Once built I will run the kernel through RHTS.
---
The RHTS job has finished but with errors. The errors are not because of the
kernel. There were power outages in the RDU office that caused the tests to fail.
I will reschedule the RHTS jobs for S390 and ppc. All other arches have passed.
---
I am still trying to get the
Bugzilla
CVE-2006-2444 SNMP NAT netfilter memory corruption
bugzilla·2006-05-22·CVSS 7.8
CVE-2006-2444 [HIGH] CVE-2006-2444 SNMP NAT netfilter memory corruption
Discussion:
Downgrading impact to moderate due to "unlikely configuration".
---
committed in stream E5 build 42.0.1
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not
Bugzilla
CVE-2006-2444 SNMP NAT netfilter memory corruption
bugzilla·2006-05-22·CVSS 7.8
CVE-2006-2444 [HIGH] CVE-2006-2444 SNMP NAT netfilter memory corruption
Discussion:
patch is in, there doesn't look to be a way to reproduce the bug itself reliably.
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://r
- http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.18
- http://secunia.com/advisories/20182
- http://secunia.com/advisories/20225
- http://secunia.com/advisories/20716
- http://secunia.com/advisories/21035
- http://secunia.com/advisories/21136
- http://secunia.com/advisories/21179
- http://secunia.com/advisories/21498
- http://secunia.com/advisories/21605
- http://secunia.com/advisories/21983
- http://secunia.com/advisories/22082
- http://secunia.com/advisories/22093
- http://secunia.com/advisories/22174
- http://secunia.com/advisories/22822
- http://securitytracker.com/id?1016153
- http://support.avaya.com/elmodocs2/security/ASA-2006-180.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-203.htm
- http://www.debian.org/security/2006/dsa-1183
- http://www.debian.org/security/2006/dsa-1184
- http://www.kb.cert.org/vuls/id/681569
- http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git%3Ba=commit%3Bh=1db6b5a66e93ff125ab871d6b3f7363412cc87e8
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:087
- http://www.novell.com/linux/security/advisories/2006_42_kernel.html
- http://www.novell.com/linux/security/advisories/2006_47_kernel.html
- http://www.novell.com/linux/security/advisories/2006_64_kernel.html
- http://www.osvdb.org/25750
- http://www.redhat.com/support/errata/RHSA-2006-0437.html
- http://www.redhat.com/support/errata/RHSA-2006-0580.html
- http://www.redhat.com/support/errata/RHSA-2006-0617.html
- http://www.securityfocus.com/bid/18081
- http://www.ubuntu.com/usn/usn-302-1
- http://www.vupen.com/english/advisories/2006/1916
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26594
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11318