Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 10 May 2012 11:08:52 +0400
From: Solar Designer <>
Subject: Re: CVE-2012-0862 assignment notification: xinetd enables unintentional services over tcpmux port

On Wed, May 09, 2012 at 05:31:25PM +0200, Stefan Cornelius wrote:
> Thomas Swan of FedEx reported a service disclosure flaw in xinetd.
> xinetd allows for services to be configured with the TCPMUX or
> TCPMUXPLUS service types, which makes those services available on port
> 1, as per RFC 1078 [1], if the tcpmux-server service is enabled.  When
> the tcpmux-server service is enabled, xinetd would expose _all_ enabled
> services via the tcpmux port, instead of just the configured service(s).
> This could allow a remote attacker to bypass firewall restrictions and
> access services via the tcpmux port.
> In order for enabled services handled by xinetd to be exposed via the
> tcpmux port, the tcpmux-server service must be enabled (by default it is
> disabled).
> This has been assigned CVE-2012-0862.

This is now reported fixed in xinetd 2.3.15.  From xinetd-2.3.15/CHANGELOG:

        If the address we're binding to is a multicast address, do the
                multicast join.
        Merge the Fedora patch to turn off libwrap processing on tcp
                rpc services. Patch xinetd-2.3.12-tcp_rpc.patch.
        Merge the Fedora patch to add labeled networking.
                Patch xinetd-2.3.14-label.patch r1.4.
        Merge the Fedora patch to fix getpeercon() for labeled networking
                in MLS environments.
                Patch xinetd-2.3.14-contextconf.patch r1.1
        Merge the Fedora patch for int->ssize_t.
                Patch xinetd-2.3.14-ssize_t.patch r1.1
                Some modifications to this patch were necessary.
        Change compiler flags, -Wconversion generates excessive and
                unnecessary warnings with gcc, particularly all
                cases of ntohs(uint16_t).
                Additionally add -Wno-unused to prevent unnecessary
                warnings regarding unused function parameters when
                the function is a callback conforming to a standard
        Change version number to 2.3.15devel, indicating an interim
                developmental source snapshot.
        Merge patch from Thomas Swan regarding CVE-2012-0862

SHA-256 of xinetd-2.3.15.tar.gz that I just downloaded is
Unfortunately, there's no signature.

While we're at it, if anyone cares about these xinetd builtin services
and their issues (and it seems so), I think xinetd 2.3.14+ dropping
bad_port_check() is also a vulnerability that distros need to patch.
We do:

(haven't updated to 2.3.15 yet, but that patch will stay the same - it
merely re-introduces the checks that existed in 2.3.13 and below).


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.