Date: Thu, 10 May 2012 11:08:52 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: thomas.swan@...il.com, bbraun@...ack.net
Subject: Re: CVE-2012-0862 assignment notification: xinetd enables unintentional services over tcpmux port

On Wed, May 09, 2012 at 05:31:25PM +0200, Stefan Cornelius wrote:
> Thomas Swan of FedEx reported a service disclosure flaw in xinetd.
> xinetd allows for services to be configured with the TCPMUX or
> TCPMUXPLUS service types, which makes those services available on port
> 1, as per RFC 1078 [1], if the tcpmux-server service is enabled. When
> the tcpmux-server service is enabled, xinetd would expose _all_ enabled
> services via the tcpmux port, instead of just the configured service(s).
> This could allow a remote attacker to bypass firewall restrictions and
> access services via the tcpmux port.
>
> In order for enabled services handled by xinetd to be exposed via the
> tcpmux port, the tcpmux-server service must be enabled (by default it is
> disabled).
>
> This has been assigned CVE-2012-0862.

This is now reported fixed in xinetd 2.3.15.  From xinetd-2.3.15/CHANGELOG:

2.3.15
	If the address we're binding to is a multicast address, do the
		multicast join.
	Merge the Fedora patch to turn off libwrap processing on tcp
		rpc services. Patch xinetd-2.3.12-tcp_rpc.patch.
	Merge the Fedora patch to add labeled networking.
		Patch xinetd-2.3.14-label.patch r1.4.
	Merge the Fedora patch to fix getpeercon() for labeled networking
		in MLS environments.
		Patch xinetd-2.3.14-contextconf.patch r1.1
	Merge the Fedora patch for int->ssize_t.
		Patch xinetd-2.3.14-ssize_t.patch r1.1
		Some modifications to this patch were necessary.
	Change compiler flags, -Wconversion generates excessive and
		unnecessary warnings with gcc, particularly all
		cases of ntohs(uint16_t).
		http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6614
		Additionally add -Wno-unused to prevent unnecessary
		warnings regarding unused function parameters when
		the function is a callback conforming to a standard
		interface.
	Change version number to 2.3.15devel, indicating an interim
		developmental source snapshot.
	Merge patch from Thomas Swan regarding CVE-2012-0862

SHA-256 of xinetd-2.3.15.tar.gz that I just downloaded is
bf4e060411c75605e4dcbdf2ac57c6bd9e1904470a2f91e01ba31b50a80a5be3.
Unfortunately, there's no signature.

While we're at it, if anyone cares about these xinetd builtin services
and their issues (and it seems so), I think xinetd 2.3.14+ dropping
bad_port_check() is also a vulnerability that distros need to patch.
We do:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/xinetd/xinetd-2.3.14-up-revert-bad_port_check.diff?rev=1.1

(haven't updated to 2.3.15 yet, but that patch will stay the same - it
merely re-introduces the checks that existed in 2.3.13 and below).

Alexander
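
Added example (not part of the original message and not xinetd code): a minimal audit of an xinetd configuration for the exposure described in the quoted advisory. It separates enabled services meant for tcpmux from the other enabled services that would also be reachable on port 1 when running an xinetd without the 2.3.15 fix. The sample config is constructed; identifying the built-in by `id = tcpmux-server` and ignoring the `defaults` section and `includedir` are assumptions.

```python
import re

# Constructed sample configuration for illustration; not from the post.
SAMPLE_CONF = """
service tcpmux
{
    type = INTERNAL
    id = tcpmux-server
    disable = no
}
service imap-mux
{
    type = TCPMUXPLUS UNLISTED
    disable = no
}
service telnet
{
    server = /usr/sbin/in.telnetd
}
service ftp
{
    disable = yes
}
"""

def parse_services(text):
    """Return [(name, attrs)] for each 'service NAME { ... }' block."""
    text = re.sub(r"#.*", "", text)  # drop comments
    attr_re = re.compile(r"^[ \t]*(\w+)[ \t]*[+-]?=[ \t]*(.*?)[ \t]*$", re.M)
    return [(name, dict(attr_re.findall(body)))
            for name, body in re.findall(r"service\s+(\S+)\s*\{([^}]*)\}", text)]

def audit_tcpmux(text):
    """Split enabled services into tcpmux-intended ones and the rest."""
    enabled = [(n, a) for n, a in parse_services(text)
               if a.get("disable", "no").lower() != "yes"]  # default: enabled
    def mux_type(a):
        return bool({"TCPMUX", "TCPMUXPLUS"} & set(a.get("type", "").upper().split()))
    def mux_server(a):  # assumption: built-in is marked id = tcpmux-server
        return a.get("id") == "tcpmux-server"
    return {
        "tcpmux_server_enabled": any(mux_server(a) for _, a in enabled),
        "intended": [n for n, a in enabled if mux_type(a)],
        "unintended": [n for n, a in enabled
                       if not mux_type(a) and not mux_server(a)],
    }

if __name__ == "__main__":
    print(audit_tcpmux(SAMPLE_CONF))
```

The `unintended` list only matters when `tcpmux_server_enabled` is true, since the advisory states the exposure requires the tcpmux-server service to be enabled.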