Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 15 Apr 2009 08:07:42 -0400 (EDT)
From: wietse@...cupine.org (Wietse Venema)
To: Tomas Hoger <thoger@...hat.com>
CC: OSS Security <oss-security@...ts.openwall.com>, wietse@...cupine.org
Subject: Re: Some fun with tcp_wrappers

Tomas Hoger:
> Hi!
> 
> During the QA of our net-snmp updates for CVE-2008-6123, some more
> problems were spotted related to the use of tcp_wrappers by net-snmp.
> More specifically, any hostname based rules in hosts.{allow,deny} were
> not honored when defined for snmpd.  Further investigation showed that
> similar problem affects other applications calling hosts_ctl
> tcp_wrappers interface without providing a valid hostname.  Bug report
> for this issue is:
>   https://bugzilla.redhat.com/show_bug.cgi?id=491095

If some applications mis-use the library API then that is really
unfortunate.

Changing the library to work around application bugs is a BAD idea.
It helps only one platform and complicates cross-platform software
that does play by the rules.

I would recommend fixing applications that mis-use the library API.
To encourage application developers, the library could log a warning
and return a DENY result for improper calls such as a zero-length
hostname or address argument.

	Wietse

> Even though such behavior of tcp_wrappers seems to be the intended one
> (also CCing Wietse if he wants to comment on this, but I believe
> tcp_wrappers are no longer maintained upstream), but it does not seem
> to be what applications using tcp_wrappers, or users of such
> applications are expecting.  Additionally, tcp_wrappers as shipped in
> Red Hat Enterprise Linux 5 and all current Fedora versions include
> following patch for a while:
> 
> http://cvs.fedoraproject.org/viewvc/rpms/tcp_wrappers/devel/tcp_wrappers-7.6-220015.patch
> 
> It changes hosts_ctl to set up conversion functions to allow
> tcp_wrappers to do IP -> hostname resolution when needed.
> 
> Therefore, even though this may not really be a tcp_wrappers flaw, we
> are planning to release updates for older RHEL versions including the
> change.  This would address the problem for all affected applications,
> and doing DNS resolution on the tcp_wrappers side actually seems to be
> a better way to go (tcp_wrappers only resolve when needed based on the
> hosts access rules configured on the system, while resolution on the
> application side would have to be done for all hosts_ctl calls).
> 
> Additionally, this fostered further research into nfs-utils'
> CVE-2008-4552.  The way nfs-utils use tcp_wrappers is quite broken,
> resulting in various cases when hosts access rules are not honored
> according to the expectations of the system administrator, possibly
> allowing access when it should be denied.  The problem should mostly
> affect (but is not limited to) setups with hostname based rules used
> (which are problematic anyway, as those are ignored during DNS
> outages).  Details with rewrite of good_client can be found in:
>   https://bugzilla.redhat.com/show_bug.cgi?id=458676
> 
> The good_client function used by nfs-utils is copied from the portmap
> sources, so portmap is affected by the same problem too.  Additionally,
> other affected good_client copies / derived implementations can also be
> found in quota (with most problems no longer affecting current upstream
> version) and am-utils.  Upstreams were notified, but have not replied
> yet.
> 
> -- 
> Tomas Hoger / Red Hat Security Response Team
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.