Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 16 Jan 2014 23:26:52 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: imapsync default version check with,http://imapsync.lamiral.info
 information leakage (CVE-2013-4279)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

imapsync http://imapsync.lamiral.info/

Title: imapsync default version check with
http://imapsync.lamiral.info information leakage (CVE-2013-4279)

Threat: Availability: no timeout so an attacker simply sends a slow
response
Threat: Confidentiality: connects to http://imapsync.lamiral.info and
sends version # and operating system name and person version

Impact: Moderate (Medium)
CVSS2: 6.4/AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected: imapsync version 1.580 and earlier

Description: By default imapsync runs a "release check" when executed,
this causes imapsync to connect to http://imapsync.lamiral.info and
send information about the version of imapsync, the operating system
and perl.

This feature is not well documented. It is enabled by default. The
only hint it exists is the "--noreleasecheck" which is not documented
anywhere other then running the program with the help option.

Affected code:

sub imapsync_version_public {
    my $local_version = imapsync_version();
	my $imapsync_basename = imapsync_basename();
    my $agent_info = "$OSNAME system, perl "
		. sprintf("%vd", $PERL_VERSION)
        . ", Mail::IMAPClient $Mail::IMAPClient::VERSION"
        . " $imapsync_basename";
    my $sock = IO::Socket::INET->new(
        PeerAddr => 'imapsync.lamiral.info',
        PeerPort => '80',
		Proto => 'tcp'
        ) ;
	return( 'unknown' ) if not $sock ;
    print $sock
        "GET /prj/imapsync/VERSION HTTP/1.0\n",
        "User-Agent: imapsync/$local_version ($agent_info)\n",
        "Host: ks.lamiral.info\n\n";
    my @line = <$sock>;
    close($sock);
	my $last_release = $line[-1];
    chomp($last_release);
    return($last_release);
}

Suggested solution:

1) $releasecheck should be changed to default to 0 (False) and convert
- --noreleasecheck to --releasecheck
2) this feature should use HTTPS to prevent information leakage to
attackers
3) or disable this feature entirely

Workaround:

Make sure you also use --noreleasecheck when running imapsync (maybe
alias the full command?).

Timeline:

2013-Aug-22: notified upstream vendor at gilles.lamiral@...oste.net
2014-Jan-16: public release (what can I say, I got busy).

External links:
Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1000215

I can also handle notifying all the other vendors no problem via
distros@ list.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJS2M0sAAoJEBYNRVNeJnmT7rAP/jk813TQ7pJJ/zNQu01ZQpCq
S7GXDAz6YsbprkoPDmaPGduCS7czsBXXJQKQWQfn25nJGGVdNeMOtD2PPfe22CT8
A4ZfwG9J8Rnc7THrkSqBD1Bn/IRmcaLqA/D+5RyFm3AhvDpq4MXCBti9f8Jq4m98
YTISjfjEIX1dctVWXZe/6uh+d3T1/pO1R0WlIawcnzVfzPZVtTlSXjddshHPUijM
C/xZkA79s3nFS3Ec9Sg4Nei3Jttmm4K4tBZmNA5zUh6cMQKRDMJe9HBxaJ6hGoW7
Mm1A2fjRswFP+bVtgmZ7yvp6IniBEFky10TmRvqOWvD30azSlXFOcgGXyCBAhGDz
Zs/R54LoAQY+22veBcdEK9CPKhv6GPrIEVLEsRdi2y1d9BEhTkVu39lfHGX4tjIG
zPoye1L2TCBbjgEdNhf2c/NejBeW4HyxbsEo2zlZyBeDzzT6p5OqFrmTdSuBlszP
wA9euuoKmt/2FnL17b9E/pco9ph1iIRZjRP88L8wvBGg96danuLJT6NfOIFi+h7R
euW2P7lHQ9aPiE+vOMkahh6SSD4y7s4jmnxi5ng9NHODecl3/K/rlFg92AeV52L9
xlgPvTqUlVdZtRkO6okbw1Vv33OBUMqXhxJS/FLvp5+walpiNMwFGLDWPLJjUju2
erqpozG+5DNAnSSagpPy
=qhx7
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ