NET-SNMP-EXTEND-MIB::nsExtendCacheTime cannot be set anymore

By the way, here is another thread discussing about the similar issue.

https://sourceforge.net/p/net-snmp/mailman/net-snmp-users/thread/AB3D9027096B5848A262A13D45A88E680182CA87F7%40RISBCTMBXP007.risk.regn.net/#msg36715544

Hello and thanks for this bug report and for the pointer to the upstream commit implementing -cacheTime and -execType. I can see how those would bring the functionality back, however they can be considered "new features", which are rarely introduced with stable release updates, and with extra care. This will require some discussion.

[1] https://wiki.ubuntu.com/StableReleaseUpdates

Subscribing Leonidas who did the CVE fix and tagging regression-update.
Since the break is pushed to -security the fixup (if any) will need to land there as well.
Also he will have more experience in security fixes that suddenly make new features required to work around new limitations.

@Leonidas what is your advice how to go on here?

Hi,

Sorry for the inconvenient. We (security team) are/will analyze what would be a better solution here.

Also, would mind to provide detailed steps in how to reproduce this issue?

I wasn't so far able to reproduce it.

Hi,

Thanks for following up.
Here are steps to reproduce it.

1. Login to an Ubuntu 18 server.
e.g.

docker run --name ubuntu18 -it ubuntu:bionic

2. apt-get update

3. apt-get install snmp snmp-mibs-downloader snmpd
(5.7.3+dfsg-1.8ubuntu3.5 will be installed)

4. Use the following config:

cat << EOF > /etc/snmp/snmpd.conf
com2sec private localhost test
group readwrite v1 private

view all included .1 80
access readonly "" any noauth exact all none none
access readwrite "" any noauth exact all all none

extend unixtime /bin/date +%s
EOF

5. service snmpd start

6. Run tests

The following command to set cache time to -1 will fail:
snmpset -v1 -c test localhost 'NET-SNMP-EXTEND-MIB::nsExtendCacheTime."unixtime"' i -1

We can also observe that nsExtendCacheTime is still 5 seconds.
snmpwalk -v1 -c test localhost "NET-SNMP-EXTEND-MIB::nsExtendCacheTime"

And the following result will be cached for 5 seconds.
snmpwalk -v1 -c test localhost 'NET-SNMP-EXTEND-MIB::nsExtendOutLine."unixtime"'

7. Test another versions

apt-get install libsnmp30=5.7.3+dfsg-1.8ubuntu3 \
snmp=5.7.3+dfsg-1.8ubuntu3 \
snmpd=5.7.3+dfsg-1.8ubuntu3

pkill snmpd

Then, repeat steps 5, 6, it will success to change cache time to -1 and the result is not cached anymore, which is our expected behavior.

Let me know if you have any problem to reproduce the issue.

Hi azrle!

Thanks a lot for the detailed steps. I now could reproduce it. I'll issue a new update adding the feature flags that allow cachetime be set. Soon I have a tested version I reach you back.

A new version is available building in security-proposed: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages - 5.7.3+dfsg-1.8ubuntu3.6. It would be appreciate any tests on it.

Using the new flag -cacheTime is set in /etc/snmp/snmpd.conf , extend -cacheTime -1 ...
After restart snmpd run snmpwalk -v1 -c test localhost "NET-SNMP-EXTEND-MIB::nsExtendCacheTime" must show the value was set.

Issue was not reproducible in a VM, probably some issues with NIC. It was in a docker.

Thanks!

Thanks for the quick fix!

After some tests, I believe that 5.7.3+dfsg-1.8ubuntu3.6 will fix the issue.

This bug was fixed in the package net-snmp - 5.7.3+dfsg-1.8ubuntu3.6

---------------
net-snmp (5.7.3+dfsg-1.8ubuntu3.6) bionic-security; urgency=medium

  * SECURITY REGRESSION: The update for CVE-2020-15862 making mib extend
    read-only caused nsExtendCacheTime to be not setable anymore (LP: #1892980)
    - debian/patches/CVE-2020-15862-bug1893465.patch: add -cacheTime and
      -execType flags to "extend" config directive in
      agent/mibgroup/agent/extend.c, man/snmpd.conf.5.def.

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 28 Aug 2020 17:14:41 -0300

This bug was fixed in the package net-snmp - 5.7.3+dfsg-1ubuntu4.6

---------------
net-snmp (5.7.3+dfsg-1ubuntu4.6) xenial-security; urgency=medium

  * SECURITY REGRESSION: The update for CVE-2020-15862 making mib extend
    read-only caused nsExtendCacheTime to be not setable anymore (LP: #1892980)
    - debian/patches/CVE-2020-15862-bug1893465.patch: add -cacheTime and
      -execType flags to "extend" config directive in
      agent/mibgroup/agent/extend.c, man/snmpd.conf.5.def.

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 31 Aug 2020 09:46:19 -0300