Savannah Users,

GIT's CGIT
==========
Since Friday our site has been under the strain of a massive botnet
DDoS attack against our git /cgit/ web UI interface and the svn
/viewvc/ web UI interface. These might be independent. The CGIT
attack is the larger of the two. It's the largest botnet I have seen
thrown against us so far.

Initially on Friday it took our entire site down for all HTTP-based
transactions. That is certainly NOT GOOD. In order to cope with the
onslaught I had to disable /cgit/ so that other parts of the site
could be operational. Sorry for the inconvenience. I don't want to
give them clues but the /gitweb/ web browsing UI has not been targeted
and it is still online and operational.

Additionally we were also dealing with the rsync issues and were
limited in being able to do everything we wanted to do all at once.
Work is proceeding and hopefully there will be a positive report to be
made on this at some point soon.

rsync
=====
As many of you know there were several rsync security vulnerabilities
disclosed this past week. These were high profile vulnerabilities
because taken together they enable an RCE (Remote Code Execution) attack.
This threw the Internet's security teams into a frenzy.

  https://kb.cert.org/vuls/id/952657

One advantage of our unique configuration is that to the best of our
knowledge we believe we were never vulnerable to the RCE attack,
though we were partially vulnerable to CVE-2024-12085, as the "nobody"
user if it were exploited.

  CVE-2024-12085: When Rsync compares file checksums, a vulnerability
  in the Rsync daemon can be triggered. An attacker could manipulate
  the checksum length (s2length) to force a comparison between the
  checksum and uninitialized memory and leak one byte of
  uninitialized stack data at a time.

So far we have seen no evidence of any exploitation of our servers.
But attacks these days are never just a single exploit. Attacks keep
getting stronger. Multiple exploits are chained together. This
vulnerability, if exploited, would have been only one link in a longer
chain of several exploits.

Out of an abundance of caution we are taking various actions to
mitigate these security threats.

Bob
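
The bug class in the CVE-2024-12085 description quoted above, as an added example that is not part of the original message and is not rsync's code: a comparison whose length comes from the peer, next to a version that zeroes the buffer and rejects lengths the digest cannot back. The names toy_digest, match_unchecked, match_checked, DIGEST_LEN and BUF_LEN are hypothetical, the sizes are assumptions, and the stale[] argument stands in for leftover stack contents so the behaviour is reproducible.

```c
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16  /* bytes the digest actually writes (assumed for this example) */
#define BUF_LEN    64  /* size of the stack buffer holding it (assumed) */

/* Constructed stand-in for a real checksum: writes exactly DIGEST_LEN bytes. */
static void toy_digest(const unsigned char *data, size_t n, unsigned char *out)
{
    for (size_t i = 0; i < DIGEST_LEN; i++) out[i] = (unsigned char)(i * 31 + 7);
    for (size_t i = 0; i < n; i++) out[i % DIGEST_LEN] ^= data[i];
}

/* Flawed pattern: the peer's claimed_len decides how much is compared.
 * stale[] (BUF_LEN bytes) models leftover stack contents, so the run is
 * deterministic instead of reading truly uninitialized memory. */
int match_unchecked(const unsigned char *data, size_t n, const unsigned char *peer_sum,
                    size_t claimed_len, const unsigned char *stale)
{
    unsigned char sum[BUF_LEN];
    memcpy(sum, stale, BUF_LEN);
    toy_digest(data, n, sum);
    return memcmp(sum, peer_sum, claimed_len) == 0; /* may cover bytes never written */
}

/* Hardened pattern: zero the buffer and refuse lengths the digest cannot back.
 * Returns 1 on match, 0 on mismatch, -1 when the claimed length is rejected. */
int match_checked(const unsigned char *data, size_t n, const unsigned char *peer_sum,
                  size_t claimed_len)
{
    unsigned char sum[BUF_LEN] = {0};
    if (claimed_len == 0 || claimed_len > DIGEST_LEN)
        return -1;
    toy_digest(data, n, sum);
    return memcmp(sum, peer_sum, claimed_len) == 0;
}

int main(void)
{
    const unsigned char data[] = "constructed block";
    unsigned char stale[BUF_LEN], peer[BUF_LEN] = {0};
    memset(stale, 0xAB, sizeof stale);
    toy_digest(data, sizeof data, peer);
    peer[DIGEST_LEN] = 0xAB; /* one byte past the digest, equal to the stale byte */
    printf("unchecked: %d\n", match_unchecked(data, sizeof data, peer, DIGEST_LEN + 1, stale));
    printf("checked:   %d\n", match_checked(data, sizeof data, peer, DIGEST_LEN + 1));
    return 0;
}
```

In the unchecked version the match result changes with a byte the digest never wrote, which is why the length has to be validated before the comparison.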