On Thu, Jun 07, 2018 at 11:34:15PM +0200, Ondrej Zajicek wrote:
> On Thu, Jun 07, 2018 at 10:48:10PM +0200, Moritz Muehlenhoff wrote:
> > > Hi
> > >
> > > It is a security bugfix, but perhaps not so critical; it can be
> > > exploited in very specific circumstances and probably only as a DoS,
> > > not as a privilege escalation.
> >
> > I'm not familiar with bird, so we could use some insight to assess the
> > scope of the issue:
> >
> > Could you please elaborate what these circumstances are? Like, who's
> > able to trigger a crash, does it affect only specific setups/conditions?
>
> The crash could be triggered from the bird CLI tool (birdc), which is usually
> accessible only to the administrator. But birdc has a 'restricted' mode
> (when called with the -r option) in which the CLI is restricted to 'safe'
> commands, just for inspecting BIRD state, but the crash could be
> triggered even in the restricted mode. But even the restricted mode is
> accessible only to the administrator.

Thanks a lot for the clarification. I was worried this could be triggerable
via BGP traffic, but that seems in fact fairly harmless.

> But if the administrator allowed nonprivileged users to run birdc in
> restricted mode (say using 'sudo' rules), assuming that it is safe, then
> such an assumption is broken by the bug.

True that, but sudo logging would also pinpoint the rogue user :-)

Cheers,
Moritz