Date: Thu, 10 May 2012 11:08:52 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Cc: thomas.swan@...il.com, bbraun@...ack.net Subject: Re: CVE-2012-0862 assignment notification: xinetd enables unintentional services over tcpmux port On Wed, May 09, 2012 at 05:31:25PM +0200, Stefan Cornelius wrote: > Thomas Swan of FedEx reported a service disclosure flaw in xinetd. > xinetd allows for services to be configured with the TCPMUX or > TCPMUXPLUS service types, which makes those services available on port > 1, as per RFC 1078 , if the tcpmux-server service is enabled. When > the tcpmux-server service is enabled, xinetd would expose _all_ enabled > services via the tcpmux port, instead of just the configured service(s). > This could allow a remote attacker to bypass firewall restrictions and > access services via the tcpmux port. > > In order for enabled services handled by xinetd to be exposed via the > tcpmux port, the tcpmux-server service must be enabled (by default it is > disabled). > > This has been assigned CVE-2012-0862. This is now reported fixed in xinetd 2.3.15. From xinetd-2.3.15/CHANGELOG: 2.3.15 If the address we're binding to is a multicast address, do the multicast join. Merge the Fedora patch to turn off libwrap processing on tcp rpc services. Patch xinetd-2.3.12-tcp_rpc.patch. Merge the Fedora patch to add labeled networking. Patch xinetd-2.3.14-label.patch r1.4. Merge the Fedora patch to fix getpeercon() for labeled networking in MLS environments. Patch xinetd-2.3.14-contextconf.patch r1.1 Merge the Fedora patch for int->ssize_t. Patch xinetd-2.3.14-ssize_t.patch r1.1 Some modifications to this patch were necessary. Change compiler flags, -Wconversion generates excessive and unnecessary warnings with gcc, particularly all cases of ntohs(uint16_t). http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6614 Additionally add -Wno-unused to prevent unnecessary warnings regarding unused function parameters when the function is a callback conforming to a standard interface. Change version number to 2.3.15devel, indicating an interim developmental source snapshot. Merge patch from Thomas Swan regarding CVE-2012-0862 SHA-256 of xinetd-2.3.15.tar.gz that I just downloaded is bf4e060411c75605e4dcbdf2ac57c6bd9e1904470a2f91e01ba31b50a80a5be3. Unfortunately, there's no signature. While we're at it, if anyone cares about these xinetd builtin services and their issues (and it seems so), I think xinetd 2.3.14+ dropping bad_port_check() is also a vulnerability that distros need to patch. We do: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/xinetd/xinetd-2.3.14-up-revert-bad_port_check.diff?rev=1.1 (haven't updated to 2.3.15 yet, but that patch will stay the same - it merely re-introduces the checks that existed in 2.3.13 and below). Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.