Date: Thu, 13 Mar 2014 15:40:02 -0400 (EDT)
Subject: Re: CVE-Request - pen issues

> webfile = "/tmp/webfile.html";

> 2> /tmp/penctl.cgi

Use CVE-2014-2387 for both issues involving files in the /tmp directory.

>     3.  When a control-socket is configured (via "-C ip:port" added
>        to the pen command line) a user who can connect to that port
>        can

> there is no documentation implying that using a control-socket is
> dangerous.

> pen.1
> -C \fIport\fR
> Specifies a control port where the load balancer listens for commands.

This seems to be an opportunity for security improvement, not a
vulnerability. It appears that the design goal was to listen for
commands in a way that could be acceptable on a server with
sufficiently restricted access, and not acceptable in arbitrary
environments. "port where the load balancer listens for commands" seems
sufficiently descriptive for a reasonable person to immediately wonder
who can send commands. Furthermore, the example in question:

  sudo pen 4444 localhost:9000 -C

suggests that the person is aware that "a control port" means a TCP
port, not some other type of port with obvious permission-based
restrictions. A CVE assignment could be made if there were an
implementation error (e.g., the user specifies listening on
but the code actually listens on all interfaces). A CVE assignment
might also be possible for some types of design problems, but they'd
need to be considerably more surprising and the documentation would
need to be considerably more misleading.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
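The reply above distinguishes a design choice (a control port that is documented as listening for commands) from an implementation error (the administrator asks for a loopback-only control port but the daemon actually binds all interfaces). The check an operator would run after deploying such a service is to compare what is actually listening with what was intended. The following audit script is an added example for this thread; it is not code from the pen project or from the original message. It parses `ss -ltn`-style output, and the sample lines, the port numbers, and the choice of which ports count as "control" ports are constructed assumptions.

```python
"""Audit listening TCP sockets and flag control ports reachable beyond loopback.

Added example, not part of the oss-security thread or the pen project.
The sample `ss -ltn` output below is constructed; 4445/4446 are assumed
to be control ports of the kind pen's "-C ip:port" option creates.
"""
import re
from dataclasses import dataclass

# Wildcard local addresses: a socket bound here accepts connections on every interface.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
# Loopback prefixes as `ss` prints them for IPv4 and IPv6.
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

# Constructed sample in the format of `ss -ltn` (header line plus one line per socket).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:4445     0.0.0.0:*
LISTEN 0      128    0.0.0.0:4446       0.0.0.0:*
LISTEN 0      4096   *:4444             *:*
LISTEN 0      128    [::]:22            [::]:*
"""

# Ports we intended to be loopback-only (assumption for this example).
CONTROL_PORTS = {4445, 4446}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int


# "Local Address:Port" is the fourth column; IPv6 addresses are bracketed,
# so split on the last colon only.
_LOCAL_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")


def parse_ss_listeners(text):
    """Return a Listener for every LISTEN line in `ss -ltn`-style output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or a non-listening socket
        m = _LOCAL_RE.match(parts[3])
        if not m:
            continue  # unexpected column layout; skip rather than guess
        listeners.append(Listener(m.group("addr"), int(m.group("port"))))
    return listeners


def is_wildcard(addr):
    """True if the address means 'all interfaces'."""
    return addr in WILDCARD_ADDRS


def is_loopback(addr):
    """True if the address is a loopback address."""
    return addr.startswith(LOOPBACK_PREFIXES)


def find_exposed(listeners, control_ports):
    """Control-port listeners that are not restricted to loopback.

    Anything on a wildcard or a specific non-loopback address is reported,
    since either one can be reached from beyond the local host.
    """
    return [l for l in listeners
            if l.port in control_ports and not is_loopback(l.addr)]


if __name__ == "__main__":
    exposed = find_exposed(parse_ss_listeners(SAMPLE_SS_OUTPUT), CONTROL_PORTS)
    for l in exposed:
        scope = "all interfaces" if is_wildcard(l.addr) else l.addr
        print(f"control port {l.port} is reachable beyond loopback ({scope})")
    if not exposed:
        print("all control ports are loopback-only")
```

On a real host, replace `SAMPLE_SS_OUTPUT` with the output of `ss -ltn` (or `netstat -ltn`) and set `CONTROL_PORTS` to the ports given on the daemon's command line; a mismatch between the requested bind address and what this reports is exactly the implementation-error case the reply describes, as opposed to the documented design of the control port itself.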