[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request -- vsftpd -- Do not create network
From:       Jan Lieskovsky <jlieskov () redhat ! com>
Date:       2011-07-29 9:31:43
Message-ID: 4E327DFF.5060803 () redhat ! com
[Download RAW message or body]


Hello Greg,

   you earlier mentioned this has been already fixed in newer kernels:

> This should already be fixed in the kernel, it looks like it's just
> older kernels that has the issue, if the distro enabled that specific
> option, so there's really nothing that needs to be done here, or a CVE
> assigned that I can tell, right?
>
> thanks,
>
> greg k-h

So the solution you describe above would be just disabling the net_ns
or some other fix? If the latter holds, could you point us to the 
relevant commit?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

On 07/29/2011 10:37 AM, Eugene Teo wrote:
> On 06/07/2011 02:28 AM, Josh Bressers wrote:
>>
>> ----- Original Message -----
>>> Hello, Josh, Steve, vendors,
>>>
>>> It was found that vsftpd, Very Secure FTP daemon, when the network
>>> namespace (CONFIG_NET_NS) support was activated in the kernel, used to
>>> create a new network namespace per connection. A remote attacker could
>>> use this flaw to cause a memory pressure and denial of the vsftpd
>>> service.
>>>
>>> References:
>>> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629373
>>> [2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095
>>> [3] https://bugzilla.redhat.com/show_bug.cgi?id=711134
>>>
>>> This one being a bit tricky one -- from my understanding of the issue,
>>> vsftpd doesn't necessarily have a security flaw on its side. It's
>>> kernel issue / bug, which allows this to be used for vsftpd DoS:
>>> [4]
>>> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095/comments/31
>>> [5]
>>> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095/comments/32
>>>
>>> Short-term solution would be probably to address this on the vsftpd
>>> side, the long-term one then being to get this fixed in kernel.
>>>
>>> Though not sure, how it would be wrt to CVE identifier(s) assignment.
>>>
>>
>> I'm going to assign CVE-2011-2189 for the kernel. There are numerous
>> vendors shipping this bug.
>>
>> I'll leave it up to MITRE if they think vsftpd should get an ID. I don't
>> think it should myself, but they understand these corner cases better than
>> I.
>
> Kees, how are you guys fixing this? Disable net_ns and fix vsftpd? I
> wonder how other distros approach this. Any suggestions?
>
> Thanks, Eugene

[prev in list] [next in list] [prev in thread] [next in thread]