Date: Mon, 06 Jun 2011 18:51:37 +0200 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security@...ts.openwall.com, Chris Evans <scarybeasts@...il.com>, Greg KH <greg@...ah.com>, Kees Cook <kees@...ntu.com> Subject: Re: CVE Request -- vsftpd -- Do not create network namespace per connection On 06/06/2011 06:19 PM, Jan Lieskovsky wrote: > Hello, Josh, Steve, vendors, > > It was found that vsftpd, Very Secure FTP daemon, when the network > namespace (CONFIG_NET_NS) support was activated in the kernel, used to > create a new network namespace per connection. A remote attacker could > use this flaw to cause a memory pressure and denial of the vsftpd > service. Just to correct / tune up the impact a bit yet: "A remote attacker could use this flaw to cause memory pressure (kernel OOM killer protection mechanism to be activated and potentially terminate vsftpd or arbitrary [vsftpd independent] process, which satisfied the OOM killer process selection algorithm)." Based on record of apache2 process termination in: https://launchpadlibrarian.net/64456173/dmesg-oom.32.txt Thanks to Petr Matousek for pointing this out. Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team > > References: >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629373 >  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095 >  https://bugzilla.redhat.com/show_bug.cgi?id=711134 > > This one being a bit tricky one -- from my understanding of the issue, > vsftpd doesn't necessarily have a security flaw on its side. It's > kernel issue / bug, which allows this to be used for vsftpd DoS: >  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095/comments/31 >  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095/comments/32 > > Short-term solution would be probably to address this on the vsftpd > side, the long-term one then being to get this fixed in kernel. > > Though not sure, how it would be wrt to CVE identifier(s) assignment. > > Steve, could you advice here? > > Thank you & Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.