Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 11 Mar 2016 11:49:48 -0500 (EST)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: ProFTPD before 1.3.5b/1.3.6rc2 uses 1024 bit Diffie Hellman parameters for TLS even if user sets manual parameters

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The ProFTPD daemon supports TLS encrypted connections via the mod_tls
> module. This module has a configuration option
> TLSDHParamFile
> to specify user-defined Diffie Hellman parameters.
> 
> Versions older than 1.3.5b / 1.3.6rc2 had a bug that would cause the
> software to ignore the parameters and use Diffie Hellman key exchanges
> with 1024 bit:
> http://bugs.proftpd.org/show_bug.cgi?id=4230
> 
> As 1024 bit DH is considered dangerously small these days and breakable
> by a powerful attacker I think this should be considered a security
> vulnerability.

> https://github.com/proftpd/proftpd/pull/226

>> This logic should hopefully address the bug, where the principle of
>> least surprise was violated because a DH (4096 bits), larger than the
>> configured server cert (of 2048 bits), was not selected.

Use CVE-2016-3125. This CVE is for the "principle of least surprise"
violation in which the administrator configured a security-relevant
setting to one value, but the product's behavior used a potentially
worse value. This CVE is not specifically about whether 1024 is
"dangerous" or about whether 1024 should be configurable at all.


> The release notes[1] are confusing, as they mention only problems with
> keys smaller than 2048 bit, but I was also able to reproduce this issue
> with 4096 bit keys.
> [1] http://proftpd.org/docs/RELEASE_NOTES-1.3.5b

We are not sure why this would be confusing.

"SSH RSA hostkeys smaller than 2048 bits now work properly" in those
release notes corresponds to an entirely different issue, described
at:

  http://bugs.proftpd.org/show_bug.cgi?id=4097
  https://forums.proftpd.org/smf/index.php/topic,11579.0.html

This 2048-bit issue does not have a CVE ID. Very roughly, the 2048-bit
issue seems to be about "it is possible for the administrator to
configure the product so that it is easier for a client to cause a DoS
to that client's own session."

The CVE-2016-3125 issue corresponds only to the third 1.3.5b item,
i.e., "Fixed selection of DH groups from TLSDHParamFile."

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW4vYgAAoJEL54rhJi8gl5IIQP/2ccSsJoIyFt59U4UhjPrko6
V+9Lr8l67O0Dx46ByJmeK3eUalk2R80QWT92O3b2aGPyjE/uqllrFFxRrPmj9ReX
rhd8RDjEq7hW90ODCAeLfsct7a25/Sb8DSFFrb0Qy1DvrFSloCLAaG3cV6ud1sFr
3mF2xMxlprCRijlQk40Je74BHuCptgwdo9rx4SbTx5oZAvaD1svCqKQ6D6sZv05E
EVCWdFO24e2vdulagtRPtv57gLWKMdgbV5lrmXTrudUNhmoiyN5bfSRQgOizu0g7
B+1U3s5gjNNbChEO0HRZs90QZKUZcBsRhiijT6J8289LqAOYFNXjrjdciia1fD6p
WNARS69UWDSGkJV8PL/ZNDt21mnnwoqgwvWAx39abFaKgomjhdjoiQHWO0AibAKl
6v/CCnSGPf84VWV/dEK3r2H8Zu3/C4AoSPJPKT48dCGIj70uVsxOv26ueOsGazBj
nC9hHcDv39s6YXfTFsW3eAdM9eHjpxHVr8RSdTwqOWNdVAh3wHO7H/NHxjgMn2Sd
bKGU1FTvQ/InTn8AzXZlzCkS0l3qQBZMPRPSOVJLgw+GsO/5qKvgfzXbE3cHIgN+
YJDQAkklpvjcK2vg2NE9BH4a70q9oGMyGEo7SSIOAuWtFRIRn0m1+pfZ73/hXYE4
lJDpyWFeYDFTV0CnDDqh
=ErAX
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.