Date: Sat, 30 Apr 2016 11:52:50 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: vtun: denial-of-service: high CPU usage after SIGHUP

Hi,

On Wed, Apr 27, 2016 at 05:58:00PM -0400, cve-assign@...re.org wrote:
> > https://bugs.debian.org/818489
> 
> Can you describe how this crosses a privilege boundary?
> 
> 
> >> When you send a SIGHUP to a vtun client process and it cannot connect
> >> to the remote server, vtun tries to reconnect without sleeping between attempts.
> >> As a result, the vtun process uses a lot of CPU and writes to syslog without limit.
> 
> Is there an important way in which this differs from "The vtun client
> is not installed. The attacker simply writes their own program to
> reconnect without sleeping and make many syslog calls"?
> 
> For example: does vtun's resource consumption belong to the root
> account in a common scenario, but SIGHUP is accepted from an
> unprivileged user? Are different unprivileged users successfully
> sending SIGHUP to one another's vtun client processes? Do you mean
> that there's a potentially common attack pattern in which a
> man-in-the-middle attacker intentionally blocks connections to the
> remote server in order to trick the victim into sending a SIGHUP, and
> (in some sense) this man-in-the-middle attacker is thereby able to
> trigger the excessive resource consumption?
> 
> Sometimes there are CVE IDs for "a client application inadvertently
> starts launching a network DoS attack" but this is typically only in
> cases where someone can send forged packets to the client application
> in order to start the attack.

You are right -- I cannot think of a situation right now (or it seems hard
to find a realistic example) where this issue would cross a privilege
boundary, and thus it might just be considered a bug, but not a
vulnerability.

Thanks for your feedback; I'm fine with not having an identifier assigned
for this.

Regards,
Salvatore
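The reported behaviour (reconnect loop with no delay, unbounded syslog writes after SIGHUP) is a classic robustness bug regardless of CVE status. The following is an added illustration, not vtun's code and not part of this thread: a capped exponential backoff for reconnects plus a rate-limited logger, driven by a fake millisecond clock so the tight loop and the fixed loop can be compared offline. All names (reconnect_delay_ms, RateLimitedLog, simulate) are invented for this example.

```python
import logging


def reconnect_delay_ms(attempt, base_ms=1000, cap_ms=60000):
    """Wait before reconnect attempt `attempt` (0-based): base * 2**attempt,
    capped so a long outage never degenerates into a multi-hour sleep."""
    return min(cap_ms, base_ms * (2 ** attempt))


class RateLimitedLog:
    """Write at most `burst` messages per `window_ms`; count the rest and
    report the suppressed total once when the window rolls over."""

    def __init__(self, burst=5, window_ms=60000, name="vtund-example"):
        self.burst, self.window_ms = burst, window_ms
        self.log = logging.getLogger(name)
        self.window_start, self.sent, self.suppressed = None, 0, 0

    def emit(self, now_ms, msg):
        """Return True if the message was written, False if suppressed."""
        if self.window_start is None or now_ms - self.window_start >= self.window_ms:
            if self.suppressed:
                self.log.warning("%d similar messages suppressed", self.suppressed)
            self.window_start, self.sent, self.suppressed = now_ms, 0, 0
        if self.sent < self.burst:
            self.sent += 1
            self.log.error("%s", msg)
            return True
        self.suppressed += 1
        return False


def simulate(connect_fn, duration_ms, backoff, attempt_cost_ms=10):
    """Run the reconnect loop against a fake clock for `duration_ms`.
    backoff=False reproduces the reported tight loop.
    Returns (connection attempts made, syslog lines actually written)."""
    log = RateLimitedLog()
    now, attempt, attempts, written = 0, 0, 0, 0
    while now < duration_ms:
        attempts += 1
        now += attempt_cost_ms              # cost of one failed connect()
        if connect_fn():
            return attempts, written
        written += log.emit(now, "connect to remote server failed")
        if backoff:
            now += reconnect_delay_ms(attempt)
            attempt += 1
    return attempts, written
```

With a server that never answers, ten simulated seconds of the tight loop cost 1000 connect attempts, while the backoff loop makes four; the rate limiter caps what reaches syslog in either case.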
