When adding a SNMPv3 user according the formula:
rwusers:
- username: '<user>'
authpassphrase: '<authpassphrase>'
view: all
authproto: 'SHA'
privproto: 'AES'
privpassphrase: '<privpassphrase>'
The formula adds two lines to the snmpd.conf file:
rwuser <user> auth -V all
createUser <user> SHA <authpassphrase> AES <privpassphrase>
The last line is what causes the security issue.
When adding an SNMPv3 user by using net-snmp-create-v3-user the first line is added in the file snmpd.conf file located in /etc/snmp/snmpd. The second line is added in another file snmpd.conf file located in: /var/lib/net-snmp/.
When the line is read from the snmpd.conf file located in /var/lib/net-snmp/, the line is removed (eliminating the storage of the master password for that user) and replaced with the key that is derived from it.
Source: man page snmpd.conf
In the current situation, the formula adds the createUser line in the snmpd.conf file located in /etc/snmp/. Therefore the line will not be removed and the passwords are visible to anyone that can access that snmpd.conf file.
When adding a SNMPv3 user according the formula:
The formula adds two lines to the snmpd.conf file:
The last line is what causes the security issue.
When adding an SNMPv3 user by using net-snmp-create-v3-user the first line is added in the file snmpd.conf file located in /etc/snmp/snmpd. The second line is added in another file snmpd.conf file located in: /var/lib/net-snmp/.
When the line is read from the snmpd.conf file located in /var/lib/net-snmp/, the line is removed (eliminating the storage of the master password for that user) and replaced with the key that is derived from it.
Source: man page snmpd.conf
In the current situation, the formula adds the createUser line in the snmpd.conf file located in /etc/snmp/. Therefore the line will not be removed and the passwords are visible to anyone that can access that snmpd.conf file.