CVE-2015-5621
published 2015-08-19

CVE-2015-5621: The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of…

Priority: P2 · 64 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EXPLOIT
EPSS: 40.00% (98.4th percentile)
The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet.

Affected

7 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | net-snmp | < net-snmp 5.7.3+dfsg-1.1 (bookworm) | net-snmp 5.7.3+dfsg-1.1 (bookworm) |
| net-snmp | net-snmp | <= 5.7.2 | |
| net-snmp | net-snmp | >= 0 < 5.7.3+dfsg-1.1 | 5.7.3+dfsg-1.1 |
| net-snmp | net-snmp | >= 0 < 5.7.3+dfsg-1.1 | 5.7.3+dfsg-1.1 |
| net-snmp | net-snmp | >= 0 < 5.7.3+dfsg-1.1 | 5.7.3+dfsg-1.1 |
| net-snmp | net-snmp | >= 0 < 5.7.3+dfsg-1.1 | 5.7.3+dfsg-1.1 |
| net-snmp | net-snmp | >= 0 < 5.7.2~dfsg-8.1ubuntu3.1 | 5.7.2~dfsg-8.1ubuntu3.1 |

Detection & IOCs (extracted from sources)

port: 161/UDP
url: https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d
  • Monitor for crafted SNMP PDU packets sent to UDP port 161 that trigger parse failures in snmp_pdu_parse() within snmp_api.c; the vulnerability leaves incompletely parsed varBind variables in the variable list, which can be detected by ASAN SIGSEGV crashes in snmpd.
  • Alert on snmpd process crashes (SIGSEGV / ABORTING) originating from table_container.c _set_key function, which is the observed crash point in the PoC exploit.
  • The PoC exploit uses SNMP community string 'public' (base64-encoded as 'cHVibGlj' within the payload). Detect anomalous SNMP GET/SET requests using the default 'public' community string with malformed PDU structure.
  • It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables. A remote, unauthenticated attacker could use this flaw to crash snmpd.
  • The vulnerability is exploitable without authentication (unauthenticated remote attacker) for CVE-2015-5621; however, the PoC exploit for the related second bug requires knowledge of the SNMP community string.
  • Disabling SNMP entirely on affected devices fully mitigates CVE-2015-5621; alternatively, restrict access to port 161/UDP via firewall or ACL.
  • net-snmp versions 5.7.2 and earlier are vulnerable; the fix was committed to version control but not publicly disclosed until later. Ensure upgrade to a patched version (5.7.3+dfsg-1.1 or later on Debian-based systems).

CVSS provenance

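| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 5.0 | MEDIUM | |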