Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20150406162905.A1E646C0077@smtpvmsrv1.mitre.org>
Date: Mon,  6 Apr 2015 12:29:05 -0400 (EDT)
From: cve-assign@...re.org
To: irl@...e.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Request CVE for LinuxNode - DoS vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> So, the questions are:
> 
> 1. Is the above reasonable, i.e., there was (at one time) ...

irl@...e.org sent us a confirmation without a Cc to oss-security.

The CVE mapping is:

> a single
> vulnerability affecting both node and URONode in which a client could
> use "quit" within telnet, and thereby cause the server to waste
> network bandwidth on a radio path

Use CVE-2015-2927. The known affected version of node (aka LinuxNode)
is 0.3.2 (for Debian, the "ax25-node" package name is associated with
the "node" source-package name). Within the URONode changelog, the
relevant entry is apparently "21/05/08 v1.0.5r3 ... I added a
quit_handler routine in the main loop which now will execute a
node_logout(), flush out the IPCs, log the event to syslog, and close
out the application properly."


> app fails to close and more can be spawned by a crafty malicious
> user thus bringing the system to a point of no memory available.

This does not have a CVE ID. The node software was not attempting to
defend against a scenario in which a single client user causes
arbitrarily many node processes to run on the server simultaneously.
The node software runs as a service under inetd (or a similar
program), and any related restrictions would ordinarily be part of the
inetd configuration. Lack of restrictions is a site-specific problem.

("crafty malicious user" means, for example: if a client were allowed
to have 100 simultaneous node processes, the malicious user could
choose a request timing that ensured that 100 processes were always
running.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVIrO0AAoJEKllVAevmvmsbXgIAJQdYhkCyxks3Js0ZhDkYkoJ
3ITLnWgGp92m/hcL92K/oRL3ZvZj2Ik7kwf/7YsllhQBgVjVwoPjr/c7MA40nbgo
1n/NFeFzrS3PM3ZivBk2wt9Gnc7mLG59P3Z9cR9oAGqhXqKOEodlRSaE1q8fHMFG
qm5Sj9AgHqhc4MDCIo+y/R/pSL0Ayiqzr3J8U9B+R+ls6JsY0co45r9OTtCShl+i
jazf4xFwNpkYo7VEx4zIIVd2DBUQm3XSqZT5kVdRp3pSf8MkM34E92POlptwKjNJ
PiXKMazkLspMwLs9j1WywFuub+XdrFWCWxXl9b83LqoTWcMGU7k3OcUZUqRNrFc=
=Jv34
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.