Vulnerability Summary
| Field | Value |
|---|---|
| CVE ID | CVE-2025-68615 |
| CVE Name | Net-SNMP snmptrapd Stack-Based Buffer Overflow |
| CVSS Score | 9.8 / 10.0 |
| Severity Rating | CRITICAL |
| Attack Vector | Network (UDP) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Exploit Availability | PoC Available (Limited) |
| Exploit Maturity | Functional |
| Active Exploitation | Not observed yet |
| Affected Product | Net-SNMP (snmptrapd daemon) |
| Vulnerable Versions | All versions before 5.9.5 |
| Affected Port | UDP 162 |
| Affected Platforms | Linux (RHEL, Ubuntu, Debian, CentOS, etc.) |
Vulnerability Description
The snmptrapd service is used to receive SNMP trap notifications from network devices such as routers, switches, and firewalls. These traps are essentially automated alerts that devices send when specific events occur—for example, when a network interface goes down, hardware temperatures exceed thresholds, or other monitored conditions are triggered.
The problem is that snmptrapd does not properly validate the size of incoming data before copying it into memory. If the service receives a specially crafted SNMP trap containing oversized fields, it attempts to copy that data into a fixed-size buffer on the stack without performing proper bounds checking. This results in a classic stack-based buffer overflow.
Because the stack contains sensitive control data, including return addresses that determine program execution flow, overwriting this memory allows an attacker to interfere with how the application runs. Depending on how the malicious payload is constructed, this can lead to either a complete crash of the service or successful execution of attacker-controlled code on the target system.
Root Cause
At its core, this vulnerability is caused by missing input validation. When snmptrapd parses incoming SNMP trap messages, it reads length values from the packet to determine how much data should be processed. Unfortunately, these length values are trusted blindly, with no verification that they fall within the bounds of the allocated buffer.
In practical terms, the code effectively does something along the lines of “copy X bytes from the network into this buffer” without first checking whether the buffer can actually hold X bytes. This is a well-known and long-standing programming error that should have been caught during development, testing, or code review.
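As an added illustration (not Net-SNMP's code and not the patched function), the following hypothetical BER field copy shows the two comparisons the root cause says are missing, with the unchecked pattern described in a comment beside it; `FIELD_MAX`, the expected tag and the sample bytes are assumptions:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define FIELD_MAX 64   /* capacity of the fixed-size stack buffer (assumed) */

/* Decode a BER definite-form length at in[*pos]; -1 if the encoding itself is truncated. */
static long ber_read_length(const uint8_t *in, size_t len, size_t *pos) {
    if (*pos >= len) return -1;
    uint8_t b = in[(*pos)++];
    if (b < 0x80) return b;                          /* short form: 0..127 */
    size_t nbytes = b & 0x7f;                        /* long form: next n bytes */
    if (nbytes == 0 || nbytes > 4 || *pos + nbytes > len) return -1;
    unsigned long v = 0;
    for (size_t i = 0; i < nbytes; i++) v = (v << 8) | in[(*pos)++];
    return v > LONG_MAX ? -1 : (long)v;
}

/* Hardened form: the length read from the wire is compared with the bytes
 * actually remaining AND with the destination capacity before memcpy.
 * The pattern the advisory describes is this function minus those two
 * comparisons, so memcpy runs with whatever length the sender chose. */
long copy_field_checked(const uint8_t *in, size_t len, uint8_t expect_tag,
                        uint8_t out[FIELD_MAX]) {
    size_t pos = 0;
    if (len == 0 || in[pos++] != expect_tag) return -1;
    long vlen = ber_read_length(in, len, &pos);
    if (vlen < 0) return -1;
    if ((size_t)vlen > len - pos) return -1;         /* claims more than received */
    if ((size_t)vlen > FIELD_MAX) return -1;         /* would overrun the stack buffer */
    memcpy(out, in + pos, (size_t)vlen);
    return vlen;
}

/* Constructed sample fields (not captured traffic); each returns the parser's verdict. */
long demo_valid(void) {       /* OCTET STRING "public": accepted, returns 6 */
    static const uint8_t pkt[] = {0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c'};
    uint8_t buf[FIELD_MAX];
    return copy_field_checked(pkt, sizeof pkt, 0x04, buf);
}
long demo_truncated(void) {   /* claims 200 bytes (0x81 0xC8) but carries 2: -1 */
    static const uint8_t pkt[] = {0x04, 0x81, 0xC8, 'A', 'B'};
    uint8_t buf[FIELD_MAX];
    return copy_field_checked(pkt, sizeof pkt, 0x04, buf);
}
long demo_oversized(void) {   /* 100 bytes really present but > FIELD_MAX: -1 */
    uint8_t pkt[3 + 100], buf[FIELD_MAX];
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 0x04; pkt[1] = 0x81; pkt[2] = 100;
    return copy_field_checked(pkt, sizeof pkt, 0x04, buf);
}
```

The third case is the one that matters for this CVE: the data is genuinely present in the packet, so a check against the packet length alone passes, and only the comparison against the buffer capacity prevents the overflow.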
How This Could Be Exploited
To exploit this issue, an attacker only needs network access to UDP port 162, which is where snmptrapd listens for incoming traps. No authentication or credentials are required, since SNMP trap receivers are typically configured to accept messages from any source.
A typical attack scenario would look like this:
- The attacker scans the target environment and identifies a system running snmptrapd by detecting an open UDP port 162
- They craft a malicious SNMP trap packet with certain length fields set to abnormally large values
- The crafted packet is sent to the target system over UDP
- snmptrapd attempts to parse the packet and copies the oversized data into a stack buffer
- The overflow overwrites adjacent memory, including return addresses
- The service either crashes (causing a denial of service) or executes attacker-controlled code if the payload is correctly constructed
What makes this particularly dangerous is that snmptrapd commonly runs with root privileges, since binding to port 162 requires elevated permissions. As a result, successful exploitation often leads directly to full root-level access on the affected system.
MITRE ATT&CK Mapping
| Tactic / Technique | How It Applies |
|---|---|
| Initial Access – T1190 (Exploit Public-Facing Application) | snmptrapd is a network-exposed service that accepts unauthenticated UDP datagrams |
| Execution – T1203 (Exploitation for Client Execution) | The buffer overflow can be leveraged to execute arbitrary code |
| Privilege Escalation – T1068 (Exploitation for Privilege Escalation) | The service often runs as root, granting elevated privileges immediately |
| Impact – T1499 (Endpoint Denial of Service) | Crashing snmptrapd disrupts monitoring and alerting capabilities |
| Defense Evasion – T1562.001 (Disable or Modify Tools) | Disabling monitoring infrastructure creates visibility gaps for follow-on attacks |
Proof of Concept
While fully weaponized exploits are not yet widely available in public repositories, this vulnerability has been confirmed through controlled testing. The exploitation technique itself is well understood—stack-based buffer overflows have been studied and abused for decades, and the underlying methods are thoroughly documented.
A basic proof of concept would involve creating an SNMP trap packet in which the variable binding (varbind) section contains manipulated length values. When these values exceed what the snmptrapd parser expects, the overflow occurs during the packet decoding process.
A simplified representation of the PoC packet structure would look like this:
```text
[SNMP Header] +
[Community String] +
[Trap PDU] +
[Oversized Varbind Data] +
[Return Address Overwrite] +
[Shellcode/ROP Chain]
```
Given how straightforward this class of vulnerability is, it is reasonable to expect functional exploits to emerge once technical details become more broadly known.
Detection Methods
What to Look For
Network Level
- SNMP trap packets exceeding 1000 bytes in size (legitimate traps are typically under 500 bytes)
- Sudden or unusual spikes in UDP traffic targeting port 162
- SNMP traffic originating from unexpected or external IP addresses
- Repeated attempts to send packets to port 162 from the same source over a short period of time
Host Level
- snmptrapd crashing or restarting unexpectedly
- Segmentation fault messages in syslog referencing snmptrapd
- Core dump files generated by the snmptrapd process
- Unusual child processes spawned by snmptrapd
- Outbound network connections initiated by snmptrapd (it should only receive data, not initiate connections)
Detection Rules
Microsoft Sentinel (KQL)
```kql
Syslog
| where TimeGenerated > ago(24h)
| where ProcessName == "snmptrapd" or SyslogMessage contains "snmptrapd"
| where SyslogMessage has_any ("segfault", "SIGSEGV", "core dumped", "terminated", "signal 11", "killed")
| extend CrashIndicator = case(
    SyslogMessage has "segfault", "Memory Corruption",
    SyslogMessage has "core dumped", "Service Crash",
    SyslogMessage has "signal 11" or SyslogMessage has "SIGSEGV", "Segmentation Fault",
    "Unknown"
)
| project TimeGenerated, Computer, SyslogMessage, CrashIndicator
| order by TimeGenerated desc
```
Splunk (SPL)
```spl
index=linux sourcetype=syslog (process="snmptrapd" OR "snmptrapd")
| search ("segfault" OR "SIGSEGV" OR "core dumped" OR "terminated" OR "signal 11")
| eval crash_type=case(
    match(_raw, "segfault"), "Memory Corruption",
    match(_raw, "core dumped"), "Service Crash",
    match(_raw, "signal 11"), "Segmentation Fault",
    true(), "Unknown"
)
| table _time host source _raw crash_type
| sort -_time
```
Required Log Sources
- Syslog – Detects service crashes and segmentation faults
- Firewall / UTM Logs – Monitors UDP 162 traffic patterns and packet sizes
- Auditd – Tracks process execution and system calls originating from snmptrapd
- IDS / IPS – Identifies malformed or suspicious SNMP packets
- EDR Telemetry – Monitors child processes and network activity from snmptrapd
Remediation
Immediate Steps
- Identify affected systems: `ps aux | grep snmptrapd && netstat -ulnp | grep :162` (use `ss -ulnp | grep :162` where netstat is not installed)
- Verify installed version: `snmptrapd -v`, or query the package manager with `rpm -q net-snmp` on RHEL/CentOS or `dpkg -l | grep -i snmp` on Debian/Ubuntu (where the daemon ships in the `snmptrapd` package rather than one named net-snmp)
- Restrict access by blocking external traffic to UDP port 162 at the firewall level
- Disable the service entirely if SNMP traps are not actively required
Permanent Fix
Upgrade Net-SNMP to version 5.9.5 or later, which includes the fix for this buffer overflow vulnerability.
Official Patch
| Field | Value |
|---|---|
| Vendor | Net-SNMP Project |
| Fixed Version | Net-SNMP 5.9.5 and later |
| Advisory Link | https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq |
Bottom Line
This is a high-risk vulnerability that should be addressed as a priority. It combines network exposure, lack of authentication, and the potential for root-level code execution, making it an attractive target for attackers. On top of that, successful exploitation can disable monitoring and alerting systems, further increasing overall risk.
Systems exposed to untrusted networks should be patched first. For internal environments, firewall rules should be put in place to restrict which hosts are allowed to send SNMP traps while patching efforts are underway.
