Bug ID 716140: Information in snmpd.conf files may be overwritten causing SNMP v3 queries to recieve 'Unsupported security level' errors

Last Modified: Dec 18, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Opened: Apr 20, 2018

Severity: 3-Major

Symptoms

During daemon startup, the snmpd daemon zeroes out sensitive data in the snmpd.conf files. This is done so that passwords are not available to be read on disk. This can cause problems when other daemons using the net-snmp shared libraries access snmpd.conf files for data that they need during startup. If you have 'zeroed out' data under /config/net-snmp/snmpd.conf, the system reports 'Unsupported security level' errors in response to SNMP v3 query, for example: snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "testuser" -l authPriv localhost sysSystemUptime.0 snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime)

Impact

Daemons usually start in an orderly fashion and usually do not conflict with each other. However, it is possible that they might fail to load correctly due to the zeroing out of data. For example this can cause SNMP v3 access errors for users with 'zeroed out' data under /config/net-snmp/snmpd.conf: snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "f5testuser" -l authPriv localhost sysSystemUptime.0. snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime).

Conditions

Custom SNMP v3 users created and exist in /config/net-snmp/snmpd.conf 'zeroed out' data: Example from /config/net-snmp/snmpd.conf where user 'testuser' has some data that is 'zeroed out' (0x 0x): usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x

Workaround

Use tmsh to configure SNMP users.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips