
Debian Bug report logs - #438187
CVE-2007-4321 remote log injection


Reported by: Nico Golde <nion@debian.org>

Date: Thu, 16 Aug 2007 01:09:02 UTC

Severity: normal

Tags: security

Found in version fail2ban/0.7.5-2

Fixed in version fail2ban/0.8.0-4

Done: Yaroslav Halchenko <debian@onerussian.com>

Bug is archived. No further changes may be made.




Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4321 remote log injection
Date: Thu, 16 Aug 2007 03:08:00 +0200
Package: fail2ban
Version: 0.7.5-2
Severity: grave
Tags: security

Hi,
CVE-2007-4321[0]:

fail2ban 0.8 and earlier does not properly parse sshd log 
files, which allows remote attackers to add arbitrary hosts 
to the /etc/hosts.deny file and cause a denial of service by 
adding arbitrary IP addresses to the sshd log file, as 
demonstrated by logging in via ssh with a client protocol 
version identification containing an IP address string, a 
different vector than CVE-2006-6302.

If you fix this issue, please include the CVE id in the 
changelog entry.

You can find a patch for this problem on:
http://www.ossec.net/en/attacking-loganalysis.html#patches

Kind regards
Nico
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4321

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



Message #10 received at 438187@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Nico Golde <nion@debian.org>, 438187@bugs.debian.org
Subject: Re: Bug#438187: CVE-2007-4321 remote log injection
Date: Wed, 15 Aug 2007 21:45:00 -0400
> CVE-2007-4321[0]:
this issue is partially resolved with the fresh upload of 0.8.1.
I say partially because of the facts I will describe in the follow-up
email.
N.B. The partial fix presented in 0.8.1 defeats the examples described in
the CVE, so please come up with another example which would prove that
remote(!) injection is possible. Thanks in advance

-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        





Message #15 received at 438187@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Nico Golde <nion@debian.org>, 438187@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [debian@onerussian.com: Re: CVE-2007-4321: DoS vulnerability in fail2ban]
Date: Wed, 15 Aug 2007 21:53:19 -0400
priority 438187 normal
thanks

With such a follow-up I would like to lower the priority to Normal so 0.8.1
gets sucked into testing, so the issue is at least partially resolved
there. I want to leave the bug open as a reminder that more work is
needed.

Also, etch's version remains prone to this issue as well as others
reported. The problem is that patch-picking between 0.7.5-2 (in etch)
and 0.8.1 would not result in a proper fix anyway. I will upload 0.8.1
to backports as soon as it reaches testing. That should resolve the major
concern.

I would appreciate other examples of (remote) injection than the one
given in the CVE


----- Forwarded message from Yaroslav Halchenko <debian@onerussian.com> -----

Date: Wed, 15 Aug 2007 15:57:49 -0400
From: Yaroslav Halchenko <debian@onerussian.com>
To: Stefan Fritsch <sf@debian.org>
Cc: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Subject: Re: CVE-2007-4321: DoS vulnerability in fail2ban

Hi Stefan,

> Can you please check whether this is actually fixed and tell me the 
> result. If you upload a fix, please mention the CVE id in the 
> changelog.

It is partially fixed in 0.8-4. Just partially because

* not all filters yet have failregexes anchored at the end of the line. The ssh
  filter should be quite safe (unless **); some other filters (e.g.
  apache-auth) might be prone to the injection.

** since we only anchored the failregex at the end, if there is any other
daemon which logs some information with user-provided data at the end of
the string without any quotation -- we are in trouble. For instance this
can easily be done with sudo by any local user:

sudo echo ROOT LOGIN REFUSED hi FROM 1.5.6.7

results in the following log line in auth.log:

Aug 15 15:52:24 dimholt sudo:      cat : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/cat ; USER=root ; COMMAND=/bin/echo ROOT LOGIN REFUSED hi FROM 1.5.6.7

which will trigger fail2ban's action.

There might be some other services which log in the same 'unsafe' way,
and which I simply don't know about.

To fix ** it is necessary to provide a failregex which covers the entire log line
(that is, the line with the date/time part stripped) with sensible anchors
at the beginning of the line as well as at the end (as it is as of now).
And we are looking into implementing it in the foreseeable future, right
Cyril? :-)

-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        

----- End forwarded message -----

-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        
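The end-anchored-only failregex problem described in the forwarded message above, as an added Python example that is not part of this bug report or of fail2ban itself: a simplified sshd failregex (my own approximation, not the project's filter file) is applied with and without a start anchor to two constructed auth.log lines, the second modelled on the sudo line quoted in the thread, after the timestamp is stripped the way fail2ban does.

```python
import re

# Constructed sample auth.log lines (not real captures): a genuine sshd refusal,
# then the sudo line quoted in the thread, produced by a local user failing
# sudo authentication while running the echo command shown above.
SAMPLE_LOG = [
    "Aug 15 15:50:01 dimholt sshd[1234]: ROOT LOGIN REFUSED FROM 10.0.0.5",
    "Aug 15 15:52:24 dimholt sudo:      cat : 1 incorrect password attempt ; "
    "TTY=pts/0 ; PWD=/home/cat ; USER=root ; COMMAND=/bin/echo ROOT LOGIN "
    "REFUSED hi FROM 1.5.6.7",
]

# fail2ban matches against the line with the syslog date/time part removed.
TIMESTAMP = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ")
HOST = r"(?P<host>\S+)"  # simplified stand-in for fail2ban's <HOST> tag (assumption)

# Anchored at the end only, the state the thread describes for 0.8.0-4: `$`
# rejects trailing garbage, but nothing pins the prefix, so any daemon that
# logs user-controlled text at the end of a line can satisfy the pattern.
END_ANCHORED = re.compile(r"ROOT LOGIN REFUSED .*FROM " + HOST + r"$")

# Anchored at both ends, the fix proposed in the thread: the match must begin
# with the hostname and the sshd tag, so a sudo line can never match, whatever
# its COMMAND= tail contains.
FULLY_ANCHORED = re.compile(
    r"^\S+ sshd\[\d+\]: ROOT LOGIN REFUSED .*FROM " + HOST + r"$"
)


def strip_timestamp(line):
    """Drop the syslog timestamp, as fail2ban does before applying a failregex."""
    return TIMESTAMP.sub("", line, count=1)


def offending_hosts(failregex, lines):
    """Return the hosts a given failregex would hand to the ban action."""
    hosts = []
    for line in lines:
        match = failregex.search(strip_timestamp(line))
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    print("end-anchored only :", offending_hosts(END_ANCHORED, SAMPLE_LOG))
    print("fully anchored    :", offending_hosts(FULLY_ANCHORED, SAMPLE_LOG))
```

The end-anchored pattern bans both 10.0.0.5 and the attacker-chosen 1.5.6.7; the fully anchored one only acts on the real sshd line.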



Severity set to `normal' from `grave'. Request was from Yaroslav Halchenko <debian@onerussian.com> to control@bugs.debian.org. (Thu, 16 Aug 2007 01:54:04 GMT)




Message #22 received at 438187@bugs.debian.org:

From: Nico Golde <nico@ngolde.de>
To: 438187@bugs.debian.org
Subject: Re: [debian@onerussian.com: Re: CVE-2007-4321: DoS vulnerability in fail2ban]
Date: Thu, 16 Aug 2007 03:58:29 +0200
Hi,
* Yaroslav Halchenko <debian@onerussian.com> [2007-08-16 03:53]:
> priority 438187 normal

it needs to be severity :)

[...] 
> Also, etch's version remains prone to this issue as well as others
> reported. The problem is that patch-picking between 0.7.5-2 (in etch)
> and 0.8.1 would not result in a proper fix anyways.

Why not?

[...] 
> I would appreciate other examples of injection (remote) than the one
> given in CVE

I am not here to piss you off and report vulns where none is 
there. If you think you fixed it, fine, just include the CVE 
id in your changelog and everyone knows ;-P
Cheers
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



Message #27 received at 438187@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Nico Golde <nion@debian.org>, 438187@bugs.debian.org
Subject: Re: Bug#438187: CVE-2007-4321 remote log injection
Date: Wed, 15 Aug 2007 21:59:39 -0400
0.8.1 was just uploaded.

N.B.
actually 0.8.0-4 present in lenny/sid was fixed as far as CVE goes -- I
didn't wait for upstream release to fix the issue before too much noise
comes ;-)

   * Adjusted failregex for sshd filter:
     - anchored properly at the end of line, and source code has .examples
       files to perform testing of the rules.
     - added new explicit rule for users not in the AllowUsers lists

-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        





Message #32 received at 438187@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Nico Golde <nico@ngolde.de>, 438187@bugs.debian.org
Subject: Re: Bug#438187: [debian@onerussian.com: Re: CVE-2007-4321: DoS vulnerability in fail2ban]
Date: Wed, 15 Aug 2007 22:42:07 -0400
> > priority 438187 normal
> it needs to be severity :)
doh me... actually since 0.8.0-4 is good enough and is in lenny (and
just got uploaded to etch-backports), I can leave the bug very severe

> > Also, etch's version remains prone to this issue as well as others
> > reported. The problem is that patch-picking between 0.7.5-2 (in etch)
> > and 0.8.1 would not result in a proper fix anyways.
> Why not?

well -- pretty much any of the following changes could be considered a
security/DoS hazard in some use case:

- Use numeric output for iptables in "actioncheck" (easy to perform DoS)
- Fixed removal of host in hosts.deny. Thanks to René Berber (no
  comment is needed)
- Call Python interpreter directly (instead of using "env") (weakly but
  could be considered security related)
- Fixed asctime pattern in datedetector.py (fixes #421848)
- Some minor fixes in failregexes which have happened since 0.7.5

and what keeps me from simply bringing all those mods into the older
0.7.5 is that

1. the current fixed/improved regexps are split across multiple
lines and 0.7.5 does not support that, so I need to add a feature or
reshape all the regexps.... actually I can just hand tune them to fix
the issue in question (I guess) but then it might also be exploitable
since no extended testing on those can be done now.

2. there was an issue with fail2ban hanging. Unfortunately the solution
is too intrusive and it is not a security issue per se, so I will leave
that one alone..


So after all this I can say that you persuaded me to have another look
and maybe prep an upload to etch fixing existing issues...

> [...] 
> > I would appreciate other examples of injection (remote) than the one
> > given in CVE

> I am not here to piss you off and report vulns where none is 
> there. If you think you fixed it, fine, just include the CVE 
> id in your changelog and everyone knows ;-P
yeah - I should have retrospectively mentioned in the changelog for 0.8.1-1
that the CVE was partially resolved in 0.8.0-4... too late now. I will
mention it whenever fail2ban gets a proper fix

And believe me -- no pissing off of any kind has happened -- it is
just my bad English. I had been trying to describe that the funny part
is that I rushed with 0.8.1 to run ahead of all such bug reports and I
forgot to upload the final package. In any case, as I said, 0.8.0-4 is
good enough for lenny/sid. I will have a look at etch

> Cheers
> Nico
-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        



Bug marked as fixed in version 0.8.0-4. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 18 Aug 2007 12:15:02 GMT)




Message #37 received at 438187-submitter@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: 421848-submitter@bugs.debian.org, 439962-submitter@bugs.debian.org, 434368-submitter@bugs.debian.org, 438187-submitter@bugs.debian.org
Subject: tentative security update to etch of fail2ban
Date: Wed, 7 Nov 2007 01:41:05 -0500
Hi,

I am emailing you since you are among the ones who raised concerns
about issues in fail2ban 0.7.5-2 which is currently in etch.
Although I suggested using the backported version from lenny (present in
backports.org), it is critical to patch the most obvious issues in the etch
version as well. I prepared an upload for the security team to digest,
but before that, I would love to hear your feedback -- maybe you could
give it a spin on your etch box and see if it behaves appropriately and
resolves the issues in question.

Preliminary build is available from
http://itanix.rutgers.edu/rumba/dists/etch/perspect/binary-all/net/fail2ban_0.7.5-2etch4~pre4_all.deb
and sources from
http://itanix.rutgers.edu/rumba/dists/etch/perspect/source/net/fail2ban_0.7.5-2etch4~pre4.dsc

Thank you in advance
-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        



Message #42 received at 438187-done@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: 438187-done@bugs.debian.org
Subject: given issue was resolved in the recent security upload
Date: Tue, 5 Feb 2008 12:00:00 -0500
I thought "closes" wasn't needed in that changelog entry, but apparently
since the bug was found in etch's version, it remained open. Here is the
relevant changelog entry for this bug:


fail2ban (0.7.5-2etch4) stable-security; urgency=high

  * Propagated fix for asctime pattern from 0.7.8 release (closes: #421848)
  * Propagated fix for not closed log files from 0.7.8-1
    (closes: #439962,434368)
  * Propagated fix for "reload" bug which is as severe as #439962 and just
    never was hit by any Debian user yet
  * Added patch 00_numeric_iptables-L to avoid possible DoS attacks
    (introduced upstream in 0.7.6)
  * Propagated "Fixed removal of host in hosts.deny" from 0.7.6, to prevent
    possible DoS
  * CVE-2007-4321: anchored sshd and vsftpd failregex at the end of line
    to prevent DoS on those services. This issue was resolved in sid's version
    0.8.0-4 (bugreport 438187).

 -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 01 May 2007 22:18:03 -0400



-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Mar 2008 07:33:51 GMT)

