Date: Wed, 15 Apr 2009 13:24:50 +0200
From: Tomas Hoger <thoger@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Cc: wietse@...cupine.org
Subject: Some fun with tcp_wrappers

Hi!

During the QA of our net-snmp updates for CVE-2008-6123, some more
problems were spotted related to the use of tcp_wrappers by net-snmp.
More specifically, any hostname based rules in hosts.{allow,deny} were
not honored when defined for snmpd.  Further investigation showed that
a similar problem affects other applications calling the hosts_ctl
tcp_wrappers interface without providing a valid hostname.  The bug
report for this issue is:
  https://bugzilla.redhat.com/show_bug.cgi?id=491095

Even though such behavior of tcp_wrappers seems to be the intended one
(also CCing Wietse if he wants to comment on this, but I believe
tcp_wrappers are no longer maintained upstream), it does not seem
to be what applications using tcp_wrappers, or users of such
applications, are expecting.  Additionally, tcp_wrappers as shipped in
Red Hat Enterprise Linux 5 and all current Fedora versions have
included the following patch for a while:

http://cvs.fedoraproject.org/viewvc/rpms/tcp_wrappers/devel/tcp_wrappers-7.6-220015.patch

It changes hosts_ctl to set up conversion functions to allow
tcp_wrappers to do IP -> hostname resolution when needed.

Therefore, even though this may not really be a tcp_wrappers flaw, we
are planning to release updates for older RHEL versions including the
change.  This would address the problem for all affected applications,
and doing DNS resolution on the tcp_wrappers side actually seems to be
a better way to go (tcp_wrappers only resolve when needed based on the
hosts access rules configured on the system, while resolution on the
application side would have to be done for all hosts_ctl calls).

Additionally, this fostered further research into nfs-utils'
CVE-2008-4552.  The way nfs-utils uses tcp_wrappers is quite broken,
resulting in various cases when hosts access rules are not honored
according to the expectations of the system administrator, possibly
allowing access when it should be denied.  The problem should mostly
affect (but is not limited to) setups with hostname based rules used
(which are problematic anyway, as those are ignored during DNS
outages).  Details, with a rewrite of good_client, can be found in:
  https://bugzilla.redhat.com/show_bug.cgi?id=458676

The good_client function used by nfs-utils is copied from the portmap
sources, so portmap is affected by the same problem too.  Additionally,
other affected good_client copies / derived implementations can also be
found in quota (with most problems no longer affecting current upstream
version) and am-utils.  Upstreams were notified, but have not replied
yet.

-- 
Tomas Hoger / Red Hat Security Response Team
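
The behaviour described in the message above, as an added example that is not part of the original post and not tcp_wrappers code: a simplified C model of client pattern matching, showing how a hostname rule is evaluated when the caller of hosts_ctl supplies no usable name. It assumes the placeholder name "unknown" (STRING_UNKNOWN in tcpd.h); the rule patterns, host name and address are constructed, and `access_ok` is a hypothetical helper.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified model of tcp_wrappers client matching; this is not libwrap.
 * Handles only ALL, ".domain" suffix, "net." prefix and exact patterns. */
static int string_match(const char *tok, const char *s)
{
    size_t tl = strlen(tok), sl = strlen(s);
    if (tok[0] == '.')                      /* ".example.com": name suffix */
        return sl > tl && strcasecmp(tok, s + sl - tl) == 0;
    if (strcasecmp(tok, "ALL") == 0)
        return 1;
    if (tl > 0 && tok[tl - 1] == '.')       /* "192.0.2.": address prefix */
        return strncasecmp(tok, s, tl) == 0;
    return strcasecmp(tok, s) == 0;
}

/* A client pattern matches if it matches the address or the host name. */
static int host_match(const char *tok, const char *name, const char *addr)
{
    return string_match(tok, addr) || string_match(tok, name);
}

/* One constructed rule per file (NULL = no rule). hosts.allow is checked
 * first, then hosts.deny; a client matching neither is granted access.
 * Returns 1 for access granted, 0 for denied. */
int access_ok(const char *allow_pat, const char *deny_pat,
              const char *name, const char *addr)
{
    if (allow_pat && host_match(allow_pat, name, addr))
        return 1;
    if (deny_pat && host_match(deny_pat, name, addr))
        return 0;
    return 1;
}

int main(void)
{
    const char *addr = "192.0.2.10";        /* constructed client address */
    printf("deny .example.com, name unknown:  %d\n",
           access_ok(NULL, ".example.com", "unknown", addr));
    printf("deny .example.com, name resolved: %d\n",
           access_ok(NULL, ".example.com", "host.example.com", addr));
    printf("allow .example.com + deny ALL, name unknown: %d\n",
           access_ok(".example.com", "ALL", "unknown", addr));
    return 0;
}
```

In this model the hostname rule in hosts.deny never matches without a resolved name, so access is granted; the same rule placed in hosts.allow with a catch-all deny fails closed instead.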
