Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon,  6 Apr 2015 12:29:05 -0400 (EDT)
From: cve-assign@...re.org
To: irl@...e.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Request CVE for LinuxNode - DoS vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> So, the questions are:
> 
> 1. Is the above reasonable, i.e., there was (at one time) ...

irl@...e.org sent us a confirmation without a Cc to oss-security.

The CVE mapping is:

> a single
> vulnerability affecting both node and URONode in which a client could
> use "quit" within telnet, and thereby cause the server to waste
> network bandwidth on a radio path

Use CVE-2015-2927. The known affected version of node (aka LinuxNode)
is 0.3.2 (for Debian, the "ax25-node" package name is associated with
the "node" source-package name). Within the URONode changelog, the
relevant entry is apparently "21/05/08 v1.0.5r3 ... I added a
quit_handler routine in the main loop which now will execute a
node_logout(), flush out the IPCs, log the event to syslog, and close
out the application properly."


> app fails to close and more can be spawned by a crafty malicious
> user thus bringing the system to a point of no memory available.

This does not have a CVE ID. The node software was not attempting to
defend against a scenario in which a single client user causes
arbitrarily many node processes to run on the server simultaneously.
The node software runs as a service under inetd (or a similar
program), and any related restrictions would ordinarily be part of the
inetd configuration. Lack of restrictions is a site-specific problem.

("crafty malicious user" means, for example: if a client were allowed
to have 100 simultaneous node processes, the malicious user could
choose a request timing that ensured that 100 processes were always
running.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVIrO0AAoJEKllVAevmvmsbXgIAJQdYhkCyxks3Js0ZhDkYkoJ
3ITLnWgGp92m/hcL92K/oRL3ZvZj2Ik7kwf/7YsllhQBgVjVwoPjr/c7MA40nbgo
1n/NFeFzrS3PM3ZivBk2wt9Gnc7mLG59P3Z9cR9oAGqhXqKOEodlRSaE1q8fHMFG
qm5Sj9AgHqhc4MDCIo+y/R/pSL0Ayiqzr3J8U9B+R+ls6JsY0co45r9OTtCShl+i
jazf4xFwNpkYo7VEx4zIIVd2DBUQm3XSqZT5kVdRp3pSf8MkM34E92POlptwKjNJ
PiXKMazkLspMwLs9j1WywFuub+XdrFWCWxXl9b83LqoTWcMGU7k3OcUZUqRNrFc=
=Jv34
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ