|
Message-ID: <20090415132450.79d7257f@redhat.com> Date: Wed, 15 Apr 2009 13:24:50 +0200 From: Tomas Hoger <thoger@...hat.com> To: OSS Security <oss-security@...ts.openwall.com> Cc: wietse@...cupine.org Subject: Some fun with tcp_wrappers Hi! During the QA of our net-snmp updates for CVE-2008-6123, some more problems were spotted related to the use of tcp_wrappers by net-snmp. More specifically, any hostname based rules in hosts.{allow,deny} were not honored when defined for snmpd. Further investigation showed that similar problem affects other applications calling hosts_ctl tcp_wrappers interface without providing a valid hostname. Bug report for this issue is: https://bugzilla.redhat.com/show_bug.cgi?id=491095 Even though such behavior of tcp_wrappers seems to be the intended one (also CCing Wietse if he wants to comment on this, but I believe tcp_wrappers are no longer maintained upstream), but it does not seem to be what applications using tcp_wrappers, or users of such applications are expecting. Additionally, tcp_wrappers as shipped in Red Hat Enterprise Linux 5 and all current Fedora versions include following patch for a while: http://cvs.fedoraproject.org/viewvc/rpms/tcp_wrappers/devel/tcp_wrappers-7.6-220015.patch It changes hosts_ctl to set up conversion functions to allow tcp_wrappers to do IP -> hostname resolution when needed. Therefore, even though this may not really be a tcp_wrappers flaw, we are planning to release updates for older RHEL versions including the change. This would address the problem for all affected applications, and doing DNS resolution on the tcp_wrappers side actually seems to be a better way to go (tcp_wrappers only resolve when needed based on the hosts access rules configured on the system, while resolution on the application side would have to be done for all hosts_ctl calls). Additionally, this fostered further research into nfs-utils' CVE-2008-4552. The way nfs-utils use tcp_wrappers is quite broken, resulting in various cases when hosts access rules are not honored according to the expectations of the system administrator, possibly allowing access when it should be denied. The problem should mostly affect (but is not limited to) setups with hostname based rules used (which are problematic anyway, as those are ignored during DNS outages). Details with rewrite of good_client can be found in: https://bugzilla.redhat.com/show_bug.cgi?id=458676 The good_client function used by nfs-utils is copied from the portmap sources, so portmap is affected by the same problem too. Additionally, other affected good_client copies / derived implementations can also be found in quota (with most problems no longer affecting current upstream version) and am-utils. Upstreams were notified, but have not replied yet. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.