
[NetBSD] Vulnerability in the FTP daemon - NetBSD-SA2008-014



-----BEGIN PGP SIGNED MESSAGE-----

Dear colleagues,

we have just received the following warning from the NetBSD Security
Officer. We are forwarding this information to you unchanged.

CVE-2008-4247 - Cross-site request forgery vulnerability in
various FTP servers

  Various FTP servers split a long FTP command (more than 512 characters)
  into multiple commands. This can be exploited, e.g. by means of a very
  long FTP URL, to issue arbitrary commands to the FTP server via a
  browser (cross-site request forgery).

  Affected are, among others, the FTP servers of FreeBSD, NetBSD and OpenBSD.

The following software packages and platforms are affected:

  Package tnftpd-20081009

  NetBSD versions prior to the following release dates:
  NetBSD-current:		September 13, 2008
  NetBSD-4-0 branch:	September 18, 2008
  NetBSD-4 branch:	September 18, 2008
  NetBSD-3-1 branch:	September 18, 2008
  NetBSD-3-0 branch:	September 18, 2008
  NetBSD-3 branch:	September 18, 2008
  pkgsrc:			tnftpd-20081009

The vendor provides updated packages.

Vendor advisory:
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc


(c) for the German summary: DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Best regards,
		Klaus Moeller, DFN-CERT


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2008-014
		 =================================

Topic:		Cross-site request forgery in ftpd(8)

Version:	NetBSD-current:		affected
		NetBSD 4.0.*:		not affected
		NetBSD 4.0:		affected
		NetBSD 3.1.*:		affected
		NetBSD 3.1:		affected
		NetBSD 3.0.*:		affected
		NetBSD 3.0:		affected

Severity:	Cross-site request forgery

Fixed:		NetBSD-current:		September 13, 2008
		NetBSD-4-0 branch:	September 18, 2008
			(4.0.1 includes the fix)
		NetBSD-4 branch:	September 18, 2008
			(4.1 will include the fix)
		NetBSD-3-1 branch:	September 18, 2008
			(3.1.2 will include the fix)
		NetBSD-3-0 branch:	September 18, 2008
			(3.0.4 will include the fix)
		NetBSD-3 branch:	September 18, 2008
			(3.2 will include the fix)
		pkgsrc:			tnftpd-20081009 corrects the issue


Abstract
========

When accessing NetBSD servers running ftpd(8), certain commands can aid
attackers in executing CSRF attacks, e.g. when a web browser is used to
access FTP servers.

This vulnerability has been assigned CVE-2008-4247.


Technical Details
=================

When accessing NetBSD servers running ftpd(8), long commands are split
into multiple requests, which can result in CSRF attacks.
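The splitting described here (and in the German summary at the top of this message), as an added example that is not NetBSD's ftpd source: a small C model with a 512-byte command buffer, in which the vulnerable reader dispatches every fgets()-style chunk as a command, so the tail of an over-long line becomes a second command, while the hardened reader discards the rest of any line that does not fit and rejects it. The 512-byte figure is the one the summary names; the internal logic of the pre- and post-fix ftpd, the "500 Line too long" reply and the sample traffic are assumptions constructed for this example.

```c
/* Added example, not NetBSD's ftpd source: a model of how a naive
 * fgets()-style reader turns one over-long FTP control line into two
 * commands, beside a reader that rejects such lines (assumed fix logic). */
#include <stdio.h>
#include <string.h>

#define CMD_BUF  512   /* command buffer size named in the advisory summary */
#define MAX_CMDS 8

/* In-memory stand-in for the FTP control connection. */
struct conn { const char *data; size_t len; size_t pos; };

/* fgets()-like read: copies up to size-1 bytes, stopping after '\n'. */
static char *conn_gets(char *buf, int size, struct conn *c)
{
    int i = 0;
    if (c->pos >= c->len)
        return NULL;
    while (i < size - 1 && c->pos < c->len) {
        buf[i] = c->data[c->pos++];
        if (buf[i++] == '\n')
            break;
    }
    buf[i] = '\0';
    return buf;
}

/* Strip trailing CR/LF; returns 1 if the chunk was a complete line. */
static int chomp(char *s)
{
    size_t n = strlen(s);
    int complete = (n > 0 && s[n - 1] == '\n');
    while (n > 0 && (s[n - 1] == '\n' || s[n - 1] == '\r'))
        s[--n] = '\0';
    return complete;
}

/* Vulnerable pattern: every chunk the reader returns is dispatched as a
 * command, so the tail of a line longer than CMD_BUF-1 bytes becomes a
 * second, separate command. Returns the number of commands dispatched. */
int split_vulnerable(const char *in, size_t len, char cmds[][CMD_BUF])
{
    struct conn c = { in, len, 0 };
    int n = 0;
    while (n < MAX_CMDS && conn_gets(cmds[n], CMD_BUF, &c) != NULL)
        chomp(cmds[n++]);
    return n;
}

/* Hardened pattern (assumed fix): a chunk without a terminator means the
 * line did not fit; drain the rest of that line and count it as rejected
 * (a real ftpd would answer "500 Line too long") instead of dispatching. */
int split_hardened(const char *in, size_t len, char cmds[][CMD_BUF], int *rejected)
{
    struct conn c = { in, len, 0 };
    char scratch[CMD_BUF];
    int n = 0;
    *rejected = 0;
    while (n < MAX_CMDS && conn_gets(cmds[n], CMD_BUF, &c) != NULL) {
        if (chomp(cmds[n])) { n++; continue; }   /* complete line: dispatch */
        while (conn_gets(scratch, CMD_BUF, &c) != NULL && !chomp(scratch))
            ;                                    /* discard rest of the line */
        cmds[n][0] = '\0';
        (*rejected)++;
    }
    return n;
}

/* Constructed sample traffic: one 707-byte line ("USER " + 700 'A' + CRLF)
 * followed by an ordinary "PWD" line. Returns the number of bytes written. */
size_t build_sample(char *out, size_t cap)
{
    const char *head = "USER ", *tail = "\r\nPWD\r\n";
    size_t n = 0;
    if (cap < strlen(head) + 700 + strlen(tail))
        return 0;
    memcpy(out + n, head, strlen(head)); n += strlen(head);
    memset(out + n, 'A', 700);           n += 700;
    memcpy(out + n, tail, strlen(tail)); n += strlen(tail);
    return n;
}

struct demo_result { int vuln_cmds; size_t vuln_second_len; int hard_cmds; int hard_rejected; };

/* Runs both readers over the sample and reports what each would dispatch. */
struct demo_result run_demo(void)
{
    static char wire[1024];
    char cmds[MAX_CMDS][CMD_BUF];
    struct demo_result r = { 0, 0, 0, 0 };
    size_t len = build_sample(wire, sizeof wire);
    r.vuln_cmds = split_vulnerable(wire, len, cmds);
    r.vuln_second_len = r.vuln_cmds > 1 ? strlen(cmds[1]) : 0;
    r.hard_cmds = split_hardened(wire, len, cmds, &r.hard_rejected);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("vulnerable: %d commands, second is %zu bytes of spill-over\n", r.vuln_cmds, r.vuln_second_len);
    printf("hardened:   %d command(s), %d line(s) rejected\n", r.hard_cmds, r.hard_rejected);
    return 0;
}
```

Compiled with `cc` and run, the vulnerable reader reports three commands from two lines: the second is the 194 bytes of padding that spilled past the 511 bytes the buffer could hold, handed to the dispatcher as if a client had sent it separately. The hardened reader reports one command and one rejected line. The defensive rule is that a line that does not end within the buffer is an error for the whole line, never the first of several commands; any server that parses line-oriented protocols with fixed buffers needs the same check.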


Solutions and Workarounds
=========================

Only NetBSD systems with ftpd(8) enabled may be vulnerable to this issue.  
ftpd(8) is not enabled by default in NetBSD generic installations.
As a temporary workaround disable ftpd(8) from the base OS and use the
tnftpd-20081009 package from pkgsrc which contains a fix.

The following instructions describe how to upgrade your ftpd
binaries by updating your source tree and rebuilding and installing
a new version of ftpd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2008-09-13
	should be upgraded to NetBSD-current dated 2008-09-14 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -d -P libexec/ftpd
		# cd libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 4.*:

	Systems running NetBSD 4.* sources dated from before
	2008-09-18 should be upgraded from NetBSD 4.* sources dated
	2008-09-19 or later.

	The following files/directories need to be updated from the
	netbsd-4 or netbsd-4-0 branches:
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -r <branch_name> -d -P libexec/ftpd
		# cd libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2008-09-18 should be upgraded from NetBSD 3.* sources dated
	2008-09-19 or later.

	The following files/directories need to be updated from the
	netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -r <branch_name> -d -P libexec/ftpd
		# cd libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========
Maksymilian Arciemowicz is credited with the discovery of this issue.
Thanks to Luke Mewburn for supplying the fixes and testing.


Revision History
================

	2008-10-27	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-014.txt,v 1.4 2008/10/27 19:47:39 adrianp Exp $

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUBSQYcLz5Ru2/4N2IFAQL2bwP+OH9WZ4nyrTK51+t/Xh1zgMi6dS6xu0hx
Cz8EtOKgOp062a0r87ZXk3fKBzKewsc4LHPXwsmL5wRJ6UqoosvZUFEOVXsnxR1I
7i212TLph2WKQ09aeu87Z5u6ABCoIvTqxPUfX8G+v4zg71dlkwr/2hpk6KSl5apc
qw1m1Cy1X7g=
=Motz
- -----END PGP SIGNATURE-----

- -- 
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID no.:  DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic alerts   https://www.cert.dfn.de/autowarn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBSQh34khXCWfrVVdXAQH+eQf+LvMkh0m/80CKxykESTs7GZVWHm6wDjZv
CJM+s/Vatr0D/BdVpq+jKRf4kkDmKZXAMzhlWErCLT1IX2J4FbAf4L3fOjYWddmz
CAyQ+uyXMeT+xIeQZBvZCRCyLpSnyjQYyIbrgKT0iK2Mw7gYyib/qkq2PAZGm9s+
Ll5FnrBFK5jVLTsUZGiDZWbfJJa/vrUms+cIBsuZliZxnDly0PPFIW1fCM6r0Sgv
kX7Z2t6TrdSN27gFOj+aH1iyxA9nJisVIThfRaE63IuSI+OqUmY4GH8DeUm0Yryb
ZBF3CBfyQZyQExXrvs839UmoUhwoDYCD6F9fyOGwiRwo6SVpuDq2PQ==
=UbBM
-----END PGP SIGNATURE-----