Your message dated Tue, 11 Jan 2005 22:52:18 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#289903: hylafax-server: CAN-2004-1182
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Nate Carlson <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: hylafax-server: CAN-2004-1182
X-Mailer: reportbug 3.2
Date: Tue, 11 Jan 2005 12:23:00 -0600
Package: hylafax-server
Version: 1:4.2.0-9
Severity: important
Problem Description and Impact:

HylaFAX hfaxd authenticates users against the hosts.hfaxd database.
The first field of a hosts.hfaxd database entry (the "client") has a
syntax of "username@hostname" where "username" is supplied during the
hfaxd protocol exchange, and "hostname" is the official host name or
the dotted IP address. Regular expressions are used to match
usernames, hostnames, and addresses. By tradition, if the entry does
not have the "@" in it, then the entry field is understood to be the
full hostname or full dotted IP address - authenticating any user from
the specified host.

The problem is that hfaxd always authenticates against the hosts.hfaxd
entry by comparing the string "username@hostname" with the client
field, irrespective of the formatting of the hosts.hfaxd client field.
If there is a match (regex) between the string and the client field and
no password is required (a subsequent entry field), then the login
succeeds. Thus, if an attacker can guess hosts.hfaxd entries that do
not contain passwords (and most HylaFAX installations will likely
contain "localhost" and "127.0.0.1"), then hfaxd will authenticate the
attacker's login attempts if the attacker merely uses a username or
configures their hostname to match the hosts.hfaxd entry. Because
hfaxd did not verify that hostnames outside of the local domain matched
their resolved addresses before trusting them, "localhost" entries are
therefore particularly vulnerable to "DNS spoofing".

All HylaFAX versions as far back as 4.0pl0 (1996) are vulnerable to
unauthorized remote access of HylaFAX services when there are
hosts.hfaxd entries without passwords. HylaFAX installations are
likely to have hosts.hfaxd entries without passwords, as it is the
default.

This vulnerability has been assigned CAN-2004-1182.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages hylafax-server depends on:
ii debconf 1.4.30.11 Debian configuration management sy
ii gs 8.01-5 Transitional package
ii gs-gpl [gs] 8.01-5 The GPL Ghostscript PostScript int
di hylafax-client 1:4.2.0-9 Flexible client/server fax softwar
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libgcc1 1:3.4.3-6 GCC support library
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libstdc++5 1:3.3.5-5 The GNU Standard C++ Library v3
hi libtiff-tools 3.6.1-3 TIFF manipulation and conversion t
hi libtiff4 3.6.1-3 Tag Image File Format library
ii mailx 1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii mime-codecs 7.19-2 Fast Quoted-Printable and BASE64 M
ii psmisc 21.5-1 Utilities that use the proc filesy
ii zlib1g 1:1.2.2-3 compression library - runtime
-- debconf information:
* hylafax-server/configure_note:
hylafax-server/start_now: true
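
Added example, not part of the original report and not HylaFAX code: a simplified Python model of the client-field matching described in the report, next to one possible stricter check. The two-field entry format, the function names, the sample entries and the host_verified flag (meaning the caller confirmed that the name resolves back to the peer address) are assumptions made for illustration.

```python
import re

# Constructed, simplified hosts.hfaxd-style lines: "client[:password]".
SAMPLE_ENTRIES = ["localhost", "127.0.0.1", r"^alice@.*\.example\.com$:x9Kp.hash"]

def parse_entry(line):
    client, _, password = line.partition(":")
    return client, (password or None)

def decide(password):
    return "need-password" if password else "ok"

def flawed_match(entries, user, host, addr):
    """Model of the reported behaviour: "user@host" and "user@addr" are
    regex-searched against every client field, even host-only ones."""
    for line in entries:
        client, password = parse_entry(line)
        if any(re.search(client, f"{user}@{peer}") for peer in (host, addr)):
            return decide(password)
    return "deny"

def stricter_match(entries, user, host, addr, host_verified):
    """Assumed hardening (not the upstream patch): host-only fields are
    compared with the whole host name or address, never the username, and
    the name counts only if it was verified to resolve to the peer address."""
    peers = [addr] + ([host] if host_verified else [])
    for line in entries:
        client, password = parse_entry(line)
        if "@" in client:
            candidates = [f"{user}@{p}" for p in peers]
        else:
            candidates = peers
        if any(re.fullmatch(client, c) for c in candidates):
            return decide(password)
    return "deny"

if __name__ == "__main__":
    # Username equal to a host-only entry, peer at a remote (constructed) address.
    args = ("localhost", "host.example.net", "203.0.113.5")
    print("flawed:  ", flawed_match(SAMPLE_ENTRIES, *args))
    print("stricter:", stricter_match(SAMPLE_ENTRIES, *args, host_verified=True))
```
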
---------------------------------------
Subject: Re: Bug#289903: hylafax-server: CAN-2004-1182
From: Giuseppe Sacco <[EMAIL PROTECTED]>
To: Nate Carlson <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Organization: Giuseppe Sacco Consulting
Date: Tue, 11 Jan 2005 22:52:18 +0100
On Tue, 11-01-2005 at 12:23 -0600, Nate Carlson wrote:
> Package: hylafax-server
> Version: 1:4.2.0-9
> Severity: important
>
[...]
> All HylaFAX versions as far back as 4.0pl0 (1996) are vulnerable to
> unauthorized remote access of HylaFAX services when there are
> hosts.hfaxd entries without passwords. HylaFAX installations are
> likely to have hosts.hfaxd entries without passwords, as it is the
> default.
>
> This vulnerability has been assigned CAN-2004-1182.
Thanks for the report, this bug has been fixed in 4.2.1-1 uploaded early
today.
Bye,
Giuseppe