NetBSD Security Advisory 2008-014: Cross-site request forgery in ftpd(8)

To: security-announce%NetBSD.org@localhost
Subject: NetBSD Security Advisory 2008-014: Cross-site request forgery in ftpd(8)
From: NetBSD Security-Officer <security-officer%netbsd.org@localhost>
Date: Mon, 27 Oct 2008 22:46:37 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2008-014
                 =================================

Topic:          Cross-site request forgery in ftpd(8)

Version:        NetBSD-current:         affected
                NetBSD 4.0.*:           not affected
                NetBSD 4.0:             affected
                NetBSD 3.1.*:           affected
                NetBSD 3.1:             affected
                NetBSD 3.0.*:           affected
                NetBSD 3.0:             affected

Severity:       Cross-site request forgery

Fixed:          NetBSD-current:         September 13, 2008
                NetBSD-4-0 branch:      September 18, 2008
                        (4.0.1 includes the fix)
                NetBSD-4 branch:        September 18, 2008
                        (4.1 will include the fix)
                NetBSD-3-1 branch:      September 18, 2008
                        (3.1.2 will include the fix)
                NetBSD-3-0 branch:      September 18, 2008
                        (3.0.4 will include the fix)
                NetBSD-3 branch:        September 18, 2008
                        (3.2 will include the fix)
                pkgsrc:                 tnftpd-20081009 corrects the issue


Abstract
========

When accessing NetBSD servers running ftpd(8) certain commands can aide 
attackers in executing CSRF attacks when e.g. using a web browser to 
access ftp servers.

This vulnerability has been assigned CVE-2008-4247.


Technical Details
=================

When accessing NetBSD servers running ftpd(8) long commands are split
into multiple requests which can result in CSRF attacks.


Solutions and Workarounds
=========================

Only NetBSD systems with ftpd(8) enabled may be vulnerable to this issue.  
ftpd(8) is not enabled by default in NetBSD generic installations.
As a temporary workaround disable ftpd(8) from the base OS and use the
tnftpd-20081009 package from pkgsrc which contains a fix.

The following instructions describe how to upgrade your ftpd
binaries by updating your source tree and rebuilding and installing
a new version of ftpd.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-09-13
        should be upgraded to NetBSD-current dated 2008-09-14 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                libexec/ftpd

        To update from CVS, re-build, and re-install ipsec-tools:

                # cd src
                # cvs update -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2008-09-18 should be upgraded from NetBSD 4.* sources dated
        2008-09-19 or later.

        The following files/directories need to be updated from the
        netbsd-4 or netbsd-4-0 branches:
                libexec/ftpd

        To update from CVS, re-build, and re-install ipsec-tools:

                # cd src
                # cvs update -r <branch_name> -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


* NetBSD 3.*:

        Systems running NetBSD 3.* sources dated from before
        2008-09-18 should be upgraded from NetBSD 3.* sources dated
        2008-09-19 or later.

        The following files/directories need to be updated from the
        netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
                libexec/ftpd

        To update from CVS, re-build, and re-install ipsec-tools:

                # cd src
                # cvs update -r <branch_name> -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========
Maksymilian Arciemowicz is credited with the discovery of this issue.
Luke Mewburn for supplying the fixes and testing.


Revision History
================

        2008-10-27      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-014.txt,v 1.4 2008/10/27 19:47:39 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUBSQYcLz5Ru2/4N2IFAQL2bwP+OH9WZ4nyrTK51+t/Xh1zgMi6dS6xu0hx
Cz8EtOKgOp062a0r87ZXk3fKBzKewsc4LHPXwsmL5wRJ6UqoosvZUFEOVXsnxR1I
7i212TLph2WKQ09aeu87Z5u6ABCoIvTqxPUfX8G+v4zg71dlkwr/2hpk6KSl5apc
qw1m1Cy1X7g=
=Motz
-----END PGP SIGNATURE-----

Prev by Date: NetBSD Security Advisory 2008-013: IPv6 Neighbor Discovery Protocol
Next by Date: NetBSD Security Advisory 2008-015: ICMPv6 Packet Too Big messages
Previous by Thread: NetBSD Security Advisory 2008-013: IPv6 Neighbor Discovery Protocol
Next by Thread: NetBSD Security Advisory 2008-015: ICMPv6 Packet Too Big messages
Indexes:

Home | Main Index | Thread Index | Old Index