NetBSD-Announce archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2023-007: multiple vulnerabilities in ftpd(8)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
NetBSD Security Advisory 2023-007
=================================
Topic: multiple vulnerabilities in ftpd(8)
Version: NetBSD-current: affected prior to 2023-10-01
NetBSD 10.0_BETA: affected prior to 2023-10-01
NetBSD 9.3: affected
NetBSD 9.2: affected
NetBSD 9.1: affected
NetBSD 9.0: affected
NetBSD 8.2: affected
NetBSD 8.1: affected
NetBSD 8.0: affected
tnftpd: prior to tnftpd-20231001
Severity: Remote unauthenticated attacker may get directory listing, potential
buffer overflows.
Fixed: NetBSD-current: 2023-09-30
NetBSD-10 branch: 2023-10-02
NetBSD-9 branch: 2023-10-02
NetBSD-8 branch: 2023-10-03
tnftpd: tnftpd-20231001
Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
A vulnerability in the NetBSD FTP server allows unauthenticated
users to execute MLST and MLSD commands without authentication.
This can lead to information leakage - unauthorized party may be
able to download the listing of the current ftpd(8) directory. This
vulnerability has been assigned CVE-2023-45198.
Additionally, potential buffer overflow in count_users() and reading
outside of allocated memory issues due to wrong struct type used
in the pam_set_item() call have been identified.
Technical Details
=================
The NetBSD FTP server had a security flaw that allowed unauthenticated
users to execute MLST and MLSD commands without requiring proper
authentication. This could enable unauthorized users to retrieve
directory listings and information about files on the server,
potentially leading to an information leak. It should be noted that
MLST and MLSD commands can be executed by unauthenticated user, it
allows attacker to operate only on the current directory of the
ftpd(8) process.
Another issue is associated with count_users() function which
potentially used uninitialized memory. If the file was previously
empty, pids table used by the daemon is not set, the code however
used pids[0] which is uninitialized in this case. In some scenarios
it may lead to propagate garbage value from pids[0] to the file
and cause writing outside of allocated memory.
Additionally two other weaknesses have been identified. pam_set_item
used with the PAM_SOCKADDR option expects sockaddr_storage structure.
Instead, internal struct sockinet was used. Because it's length is
shorter than sockaddr_storage, libpam was copying also memory
outside of sockinet struct.
Solutions and Workarounds
=========================
As a temporary workaround, ftpd(8) might be disabled.
To apply a fixed version from a releng build, fetch a fitting base.tgz
from nycdn.NetBSD.org and extract the fixed binaries:
cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
tar -C / -xzpf /var/tmp/base.tgz ./usr/libexec/ftpd
with the following replacements:
REL = the release version you are using
BUILD = the source date of the build. %DATE%* and later will fit
ARCH = your system's architecture
The following instructions describe how to upgrade your ftpd(8)
binaries by updating your source tree and rebuilding and installing
a new version of ftpd(8).
* NetBSD-current:
Systems running NetBSD-current dated from before 2023-09-30
should be upgraded to NetBSD-current dated 2023-10-01 or later.
The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
src/libexec/ftpd
To update from CVS, re-build, and re-install ftpd(8):
# cd src
# cvs update -d -P src/libexec/ftpd
# cd src/libexec/ftpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 9.*:
Systems running NetBSD 9.* sources dated from before
2023-10-02 should be upgraded from NetBSD 9.* sources dated
2023-10-03 or later.
The following files/directories need to be updated from the
netbsd-9 branch:
src/libexec/ftpd
To update from CVS, re-build, and re-install ftpd(8):
# cd src
# cvs update -r netbsd-9 -d -P src/libexec/ftpd
# cd src/libexec/ftpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 8.*:
Systems running NetBSD 8.* sources dated from before
2023-10-03 should be upgraded from NetBSD 8.* sources dated
2013-10-04 or later.
The following files/directories need to be updated from the
netbsd-8 branch:
src/libexec/ftpd
To update from CVS, re-build, and re-install ftpd(8):
# cd src
# cvs update -r netbsd-8 -d -P src/libexec/ftpd
# cd path/to/files
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* tnftpd (or older installations):
Rebuild tnftpd from sources. The tnftpd-20231001 distribution is at:
https://cdn.netbsd.org/pub/NetBSD/misc/tnftp/tnftpd-20231001.tar.gz
https://cdn.netbsd.org/pub/NetBSD/misc/tnftp/tnftpd-20231001.tar.gz.asc
Thanks To
=========
Mateusz Kocielski (shm@) who analyzed this problem and supplied the fixes.
Luke Mewburn (lukem@) and Taylor R Campbell (riastradh@) for reviewing patches.
Revision History
================
2023-11-16 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-007.txt.asc
Information about NetBSD and NetBSD security can be found at
https://www.NetBSD.org/
https://www.NetBSD.org/Security/
Copyright 2023, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNATURE-----
iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmVWMZEcHHNlY3VyaXR5
LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/wOlD/9koL3r4jHb8IPrZ+rU
R6f2AfAG2KMx9Yg/H+aMIarEfKLlKKH+wi8Jig78hyfTygbOZ13MFyl7LF2cdvA6
IOPCnuxU9F+5V19o+R6OcQdcUklQMX0zxRWVc0rx6qTGJcW8LkzghbNM6/hwLLqc
iSh0AOxhg8/xoF8HkUYljggJrQLwHReqjkdPFITn26lhKGIwbKEQ6Put46YLob1b
fqZ5A5qdtRsV0PWIMIq+j9PMiAnspXrfYc4wHy2DhiPYY6wm4h3d5HqMN8SCPluI
RjQNcxRgjwyZ8GqQQswEJCkzyya63ecrSj6ZrvGoQAAoRcEXUp9T5zez7UwiCgBm
A6uv/VBgvmglGw+nnQX1JObMFjB80P3Rs0FBBH9IZfKuzSG1Ms+nd79RwWVQ+Y8T
CZwnDAYQiHKeDpDMqTNaUq0ujOrCS2vd5xlrnRJd8wh5/kAOjTGpS0jtH9Ao1fKp
BQbrX+utvJMgCI5ztp0QHLlvPeA55Kr6bxGr7qlhTX654EiAs2KzsAEOX+pUi17P
kLLC71jhNUgCnmJOEOT9V+w2cvpgvC2W10BZDgJgS9kGfcf2j0h/s+gPuICKbUaa
xNjT4kAD7dkvVpzy9waJ7lygpeslsyuU5w6Uxl9N+CCufBktFmDZGVKhlt5LPxVA
twuKtferm7A+RI7ac9ut86F5Hw==
=MshM
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index