Bug#427825: pptpd 1.3.0 vulnerable to denial of service attack

2007-09-01 Thread Josh Guilfoyle
Everything seems fine for me so far.  Although, my setup has changed 
slightly so I hope that I have not tainted my environment.



Moritz Muehlenhoff wrote:

On Wed, Aug 22, 2007 at 11:00:34PM +0200, Moritz Muehlenhoff wrote:

On Tue, Jul 31, 2007 at 08:01:45PM +0100, Rene Mayrhofer wrote:

On Dienstag 24 April 2007, Moritz Muehlenhoff wrote:

James Cameron wrote:

On Sun, Apr 22, 2007 at 10:40:18PM +0200, Moritz Muehlenhoff wrote:

Do you have an isolated patch for this issue? I'll prepare a DSA.

Here is one for 1.3.0.

Thanks, I'll prepare a DSA.

It seems there is a severe problem with this patch:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=427825

A new security release will be necessary, I think.

An updated package is available at http://people.debian.org/~jmm/pptp/

I don't use MPPE; I need positive testing feedback, before I release
this. CCing bugreporters.


*Poke*.

Cheers,
Moritz



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#427825: pptpd 1.3.0 vulnerable to denial of service attack

2007-08-23 Thread Josh Guilfoyle
Thanks, I'm trying out the patched version right now. 

-Original Message-
From: Moritz Muehlenhoff [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 22, 2007 2:01 PM
To: Rene Mayrhofer
Cc: James Cameron; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Josh
Guilfoyle; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: pptpd 1.3.0 vulnerable to denial of service attack

On Tue, Jul 31, 2007 at 08:01:45PM +0100, Rene Mayrhofer wrote:
 On Dienstag 24 April 2007, Moritz Muehlenhoff wrote:
  James Cameron wrote:
   On Sun, Apr 22, 2007 at 10:40:18PM +0200, Moritz Muehlenhoff
wrote:
Do you have an isolated patch for this issue? I'll prepare a
DSA.
  
   Here is one for 1.3.0.
 
  Thanks, I'll prepare a DSA.
 It seems there is a severe problem with this patch:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=427825
 
 A new security release will be necessary, I think.

An updated package is available at http://people.debian.org/~jmm/pptp/

I don't use MPPE; I need positive testing feedback, before I release
this. CCing bugreporters.

Cheers,
Moritz



Bug#427825: pptpd security patch for 1.3.0-2etch1 disrupts tunnel

2007-06-06 Thread Josh Guilfoyle

Package: pptpd
Version: 1.3.0-2etch1

After upgrading to pptpd 1.3.0-2etch1, I noticed a problem after several 
minutes of VPN activity.  Upon further investigation, the log file 
pointed to an area of code recently patched to address the denial of 
service vulnerability as discussed in CVE-2007-0244.


The log output is as follows:

Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting packet #17
Jun  4 19:30:18 apollo pptpd[8422]: GRE: buffering packet #16 (expecting #18, lost or reordered)
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting packet #18
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting packet #19
Jun  4 19:30:18 apollo pptpd[8422]: GRE: timeout waiting for -4 packets
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting #16 from queue
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting packet #20
Jun  4 19:30:18 apollo pppd[8423]: rcvd [proto=0x9841] 87 0b 72 c9 be ab c3 09 a7 c0 4e 0f 14 a7 42 e4 70 e7 db 8f f2 08 ef 08 95 42 6c 2e 1e 04 80 d8 ...
Jun  4 19:30:18 apollo pppd[8423]: Unsupported protocol 0x9841 received
Jun  4 19:30:18 apollo pppd[8423]: sent [LCP ProtRej id=0x2 98 41 87 0b 72 c9 be ab c3 09 a7 c0 4e 0f 14 a7 42 e4 70 e7 db 8f f2 08 ef 08 95 42 6c 2e 1e 04 ...]
Jun  4 19:30:18 apollo pppd[8423]: rcvd [proto=0x87] a1 5e 9f 56 27 d8 42 28 d1 f9 c5 33 25 61 8b 0a b3 8e ab 55 dd a6 24 5f 59 6c b9 85 1c 60 65 30 ...
Jun  4 19:30:18 apollo pppd[8423]: Unsupported protocol 0x87 received
Jun  4 19:30:18 apollo pppd[8423]: sent [LCP ProtRej id=0x3 00 87 a1 5e 9f 56 27 d8 42 28 d1 f9 c5 33 25 61 8b 0a b3 8e ab 55 dd a6 24 5f 59 6c b9 85 1c 60 ...]
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting packet #21

[ and so forth, until the connection terminates ]


It would seem that this is caused by sending the parser out-of-order GRE 
packets, but it is not clear to me based on the source of the patch.  I 
repeated this problem multiple times, finally fixing it by downgrading 
to 1.3.0-2 (which does not contain the GRE re-ordering patch).  It would 
seem that the first few log lines about reordering occur normally with 
this downgraded version, but they do not cause the seemingly out-of-sync 
stream of messages that follow.
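The log excerpt in this report is enough to spot the regression mechanically. What follows is an added example, not code from the thread or from the pptpd project: a small Python checker that walks pptpd/pppd syslog lines, tracks the highest GRE sequence number already handed to pppd per pptpd process, and flags the two things visible above that a correct reorder queue should never do: report a negative number of pending packets, and release a queued packet (#16) after newer ones (#17 to #19) have already been accepted. It also records pppd's "Unsupported protocol" rejections as the downstream symptom and offers a one-line verdict when a stale dequeue is followed by such rejections. The sample log is the report's own output with wrapped lines rejoined and the hex dumps left out; the finding names and the `analyze_gre_log`/`reorder_fault_suspected` functions are this example's own invention.

```python
import re
from dataclasses import dataclass, field

# Patterns for the pptpd GRE reorder-queue messages seen in the report above,
# plus pppd's complaint when a frame it receives does not decode as PPP.
_RE_ACCEPT = re.compile(r"pptpd\[(\d+)\]: GRE: accepting packet #(\d+)")
_RE_BUFFER = re.compile(r"pptpd\[(\d+)\]: GRE: buffering packet #(\d+) \(expecting #(\d+)")
_RE_TIMEOUT = re.compile(r"pptpd\[(\d+)\]: GRE: timeout waiting for (-?\d+) packets")
_RE_DEQUEUE = re.compile(r"pptpd\[(\d+)\]: GRE: accepting #(\d+) from queue")
_RE_BADPROTO = re.compile(r"pppd\[(\d+)\]: Unsupported protocol (0x[0-9a-fA-F]+) received")


@dataclass
class _TunnelState:
    """Per-pptpd-process view of the GRE sequence numbers handed to pppd."""
    highest_accepted: int = -1
    buffered: set = field(default_factory=set)


def analyze_gre_log(text):
    """Return a list of (line_no, kind, detail) findings for a pptpd/pppd syslog excerpt.

    kinds (names chosen for this example):
      late-buffer    a packet older than one already accepted was queued instead of dropped
      negative-wait  the reorder queue reports a negative pending-packet count
      stale-dequeue  a queued packet was released after newer packets were already accepted
      pppd-garbage   pppd rejected a frame with an unknown protocol number (the symptom)
    """
    tunnels = {}
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _RE_ACCEPT.search(line)
        if m:
            st = tunnels.setdefault(m.group(1), _TunnelState())
            st.highest_accepted = max(st.highest_accepted, int(m.group(2)))
            continue
        m = _RE_BUFFER.search(line)
        if m:
            st = tunnels.setdefault(m.group(1), _TunnelState())
            seq = int(m.group(2))
            st.buffered.add(seq)
            if seq < st.highest_accepted:
                findings.append((line_no, "late-buffer", (seq, st.highest_accepted)))
            continue
        m = _RE_TIMEOUT.search(line)
        if m:
            pending = int(m.group(2))
            if pending < 0:
                findings.append((line_no, "negative-wait", pending))
            continue
        m = _RE_DEQUEUE.search(line)
        if m:
            st = tunnels.setdefault(m.group(1), _TunnelState())
            seq = int(m.group(2))
            st.buffered.discard(seq)
            if seq < st.highest_accepted:
                findings.append((line_no, "stale-dequeue", (seq, st.highest_accepted)))
            continue
        m = _RE_BADPROTO.search(line)
        if m:
            findings.append((line_no, "pppd-garbage", m.group(2)))
    return findings


def reorder_fault_suspected(findings):
    """True when a stale dequeue is followed by pppd rejecting frames, the pattern in the report."""
    stale_at = [n for n, kind, _ in findings if kind == "stale-dequeue"]
    if not stale_at:
        return False
    first_stale = min(stale_at)
    return any(kind == "pppd-garbage" and n > first_stale for n, kind, _ in findings)


# Sample input: the GRE/pppd lines from the bug report above, with wrapped lines
# rejoined and the long hex dumps left out (the detector ignores them anyway).
SAMPLE_LOG = """\
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting packet #17
Jun  4 19:30:18 apollo pptpd[8422]: GRE: buffering packet #16 (expecting #18, lost or reordered)
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting packet #18
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting packet #19
Jun  4 19:30:18 apollo pptpd[8422]: GRE: timeout waiting for -4 packets
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting #16 from queue
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting packet #20
Jun  4 19:30:18 apollo pppd[8423]: Unsupported protocol 0x9841 received
Jun  4 19:30:18 apollo pppd[8423]: Unsupported protocol 0x87 received
Jun  4 19:30:18 apollo pptpd[8422]: GRE: accepting packet #21
"""

if __name__ == "__main__":
    for line_no, kind, detail in analyze_gre_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {detail}")
    print("reorder fault suspected:", reorder_fault_suspected(analyze_gre_log(SAMPLE_LOG)))
```

On the report's log this yields a late-buffer at line 2 (#16 queued although #17 was already accepted), the negative wait at line 5, the stale dequeue at line 6 (#16 released after #19), and the two pppd rejections, so the verdict is positive. Delivering a packet out of sequence to pppd is exactly what a stateful MPPE session cannot tolerate, since the cipher stream is keyed to packet order, which is consistent with the undecodable frames that follow; a checker like this, run over the syslog of a patched server, gives the "positive testing feedback" asked for later in the thread a concrete pass/fail condition.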



