Re: about vulnerabilities without advisories: how to keep informed

To: tech-security%netbsd.org@localhost
Subject: Re: about vulnerabilities without advisories: how to keep informed
From: "S.P.Zeidler" <spz%serpens.de@localhost>
Date: Sat, 23 Apr 2011 16:13:48 +0000 (UTC)

Hi,

semarie-netbsd%latrappe.fr@localhost (Frère Sébastien Marie) writes:

>I have noted that severals vulnerabilities are corrected in NetBSD release 
>branchs but without any advisories.

>http://www.netbsd.org/support/security/ mention advisories for "serious 
>security problems", but how keep informed about others security problems ?

Since noone else is picking this up ..

Issues where root would need to run a problematic binary usually fall
below the 'needs an advisory' threshold, as do problems that need a rather
unusual configuration to bite. Another threshold is vulnerabilities
in HEAD only: these get fixed, but no advisory.

>Here a list from NetBSD-5-0 branch (taken from src/doc/CHANGES-5.0.3), in 
>order to flag the problem.

>Please notie that all of these are currently without advisories, so are not 
>"serious security problems" (or perhaps advisory process is engaged... but all 
>are more 12 day old)

>* CVE-2011-0997 [spz, ticket #1595], Thu Apr 7 17:25:47 2011 UTC
>  dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 
> 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute 
> arbitrary commands via shell metacharacters in a hostname obtained from a 
> DHCP message.
>  CVSS v2 Base Score:7.5 (HIGH) [from nvd.nist.gov]  

This should get an advisory yet.

>* CVE-2011-0465 [mrg, ticket #1594], Thu Apr 7 06:56:25 2011 UTC
>  xrdb.c in xrdb before 1.0.9 in X.Org X11R7.6 and earlier allows remote 
> attackers to execute arbitrary commands via shell metacharacters in a 
> hostname obtained from a (1) DHCP or (2) XDMCP message
>  CVSS v2 Base Score:9.3 (HIGH) [from nvd.nist.gov]

This requires the hostname to be something nasty. With the "nasty hostname
via dhcp" hole plugged, this changes into the class "root attacking their
users".

>* unassigned-CVE [christos, ticket #1593], Tue Apr 5 06:23:12 2011 UTC
>  "Protect against stack smashes."
>  so should be have security consideration, according to the description, and 
> to the fact changes are pull-up in release branch

Christos will have to comment on that.

>* unassigned-CVE [spz, ticket #1586], Tue Mar 29 20:13:51 2011 UTC
>  "Clean up setting ECN bit in TOS.  Fixes PR 44742"
>  PR/44742: "Remotely triggerable ECN panic in tcp_output()"
>  so is a remote-dos (under particular circonstances ?)

The feature is off by default in NetBSD-5, and a bit convoluted to enable.

>* CVE-2011-0411 [tron, ticket #1578], Thu Mar 24 20:11:25 2011 UTC
>  The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 
> 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict 
> I/O buffering, which allows man-in-the-middle attackers to insert commands 
> into encrypted SMTP sessions by sending a cleartext command that is processed 
> after TLS is in place, related to a "plaintext command injection" attack.
>  CVSS v2 Base Score:6.8 (MEDIUM) [from nvd.nist.gov]

>(not exhaustive list: see 
>http://cvsweb.netbsd.org/bsdweb.cgi/src/doc/Attic/CHANGES-5.0.3 )

The impact of the vulnerability is too low given that the default config
is less secure than TLS with the vulnerability.

>There also security issue known and corrected in current, but not pulled in 
>release branch:

>* CVE-2011-996 [roy 20110406], Wed Apr 6 09:11:08 2011 UTC
>  import dhcpcd-5.2.12
>  dhcpcd before 5.2.12 allows remote attackers to execute arbitrary commands 
> via shell metacharacters in a hostname obtained from a DHCP message
>  CVSS v2 Base Score:6.8 (MEDIUM) [from nvd.nist.gov]

That's not a vulnerability in dhcpcd, but in scripts that may use the
hostname naively, and basically the same issue as with CVE-2011-997, only
that with dhclient the first script that sees the naughty hostname is part
of dhclient itself. I'm preparing a pullup for netbsd-5 but am not done
yet.

>In conclusion, how to keep informed of current issues of the base system ?
>I think something like audit-packages (for pkgsrc), or a website like 
>security-tracker.debian.org (for debian) ?

I doubt that adding even more work for the few people who look after
security issues will speed anything up.

>Currently, I follow any changes in src/doc/CHANGES-xxx , but as flagged with 
>dhcpcd, known issues still exist in release branch. I hope pullup process is 
>engaged, but how to check this ?

http://releng.netbsd.org/

regards,
        spz
-- 
spz%serpens.de@localhost (S.P.Zeidler)

References:
- about vulnerabilities without advisories: how to keep informed
  - From: Frère Sébastien Marie

Prev by Date: about vulnerabilities without advisories: how to keep informed
Next by Date: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection
Previous by Thread: about vulnerabilities without advisories: how to keep informed
Next by Thread: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection
Indexes:

Home | Main Index | Thread Index | Old Index