NULL Pointer Exception bug that can be used by a remote attacker

Brocade Fabric OS

22770

07 November 2023

07 November 2023

CLOSED

LOW

6.5

CVE-2022-44793

Brocade Security Advisory ID: BSA-2023-2136

Component: Net-SNMP

Summary

handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

 

Products Confirmed Not Affected

Brocade Fabric OS

  • All versions of Brocade Fabric OS contain the vulnerable version of Net-SNMP; however, Brocade Fabric OS is not affected because the ipv6IpForwarding object is not used within Brocade Fabric OS. VEX code: Vulnerable_code_not_in_execute_path

Brocade SANnav and Brocade ASCG

  • Brocade SANnav and Brocade ASCG products do not use Net-SNMP and are not affected. VEX code: Vulnerable_code_not_in_execute_path. However, the underlying OS used by the SANnav OVA release version v2.3.0 and the ASCG OVA versions prior to v3.0 both contain the vulnerable code. While this code is not enabled, a privileged user on the server where the SANnav or ASCG product is installed could access this code.

Solution

While Brocade ASCG is not affected, an update was provided in the OVA release of Brocade ASCG v3.0 to address any potential risk from a privileged user on the server where the ASCG product is installed.

While Brocade SANnav is not affected, the Net-SNMP code will be removed from future releases of SANnav to remove any potential risk from a privileged user on the server where the SANnav product is installed.

Revision History

Version | Change              | Date
1.0     | Initial Publication | November 7, 2023

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.