CVE-2012-0862: enables unintentional services over tcpmux port
Bug #1016505 reported by Dimitri John Ledkov
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
xinetd (Debian) | Fix Released | Unknown | |
xinetd (Fedora) | Fix Released | Low | |
xinetd (Ubuntu) | Fix Released | Low | Unassigned |
Hardy | Won't Fix | Low | Unassigned |
Lucid | Won't Fix | Low | Unassigned |
Natty | Won't Fix | Low | Unassigned |
Oneiric | Won't Fix | Low | Unassigned |
Precise | Won't Fix | Low | Unassigned |
Quantal | Fix Released | Low | Unassigned |
Bug Description
Imported from Debian bug http://
Package: xinetd
Severity: grave
Tags: security
Please see https:/
a proposed patch.
Cheers,
Moritz
Related branches
lp:~logan/ubuntu/quantal/xinetd/debian-merge
- Ubuntu branches: Pending requested
- Diff: 3054 lines (+1241/-630), 6 files modified
config.guess (+703/-494)
config.sub (+462/-132)
debian/changelog (+19/-0)
debian/patches/0006-Disable-services-from-inetd.conf-if-a-service-with-t.patch (+4/-4)
debian/patches/0008-CVE-2012-0862.patch (+49/-0)
xinetd/inet.c (+4/-0)
CVE References
Changed in xinetd (Ubuntu):
status: New → Confirmed
Changed in xinetd (Ubuntu Quantal):
importance: Undecided → Low
Changed in xinetd (Ubuntu Precise):
importance: Undecided → Low
Changed in xinetd (Ubuntu Lucid):
importance: Undecided → Low
Changed in xinetd (Ubuntu Hardy):
importance: Undecided → Low
Changed in xinetd (Ubuntu Natty):
importance: Undecided → Low
Changed in xinetd (Ubuntu Oneiric):
importance: Undecided → Low
Changed in xinetd (Ubuntu Hardy):
status: New → Confirmed
Changed in xinetd (Ubuntu Lucid):
status: New → Confirmed
Changed in xinetd (Ubuntu Natty):
status: New → Confirmed
Changed in xinetd (Ubuntu Oneiric):
status: New → Confirmed
Changed in xinetd (Ubuntu Precise):
status: New → Confirmed
Changed in xinetd (Debian):
importance: Undecided → Unknown
status: New → Fix Released
Changed in xinetd (Fedora):
importance: Unknown → Low
status: Unknown → Fix Released
Thomas Swan reported a service disclosure flaw in xinetd. xinetd allows for services to be configured with the TCPMUX or TCPMUXPLUS service types, which makes those services available on port 1, as per RFC 1078 [1], if the tcpmux-server service is enabled. When the tcpmux-server service is enabled, xinetd would expose _all_ enabled services via the tcpmux port, instead of just the configured service(s). This could allow a remote attacker to bypass firewall restrictions and access services via the tcpmux port.
In order for enabled services handled by xinetd to be exposed via the tcpmux port, the tcpmux-server service must be enabled (by default it is disabled).
The tcpmux-server should only ever expose services with the 'type = TCPMUX' or 'type = TCPMUXPLUS' configuration options set.
To reproduce:
- enable tcpmux-server
- restart xinetd
- telnet localhost 1
- type service name of a running service (e.g. cvspserver)
The service will be launched and respond on the port:
# telnet localhost 1
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
cvspserver
cvs [pserver aborted]: bad auth protocol start:
There is no upstream fix for this as of yet.
[1] http://tools.ietf.org/html/rfc1078
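An added example, not part of the original report or of xinetd's own code: a small audit that reads xinetd service definitions and lists which enabled services lack 'type = TCPMUX' or 'type = TCPMUXPLUS' while tcpmux-server is enabled, i.e. the services the flaw described above would make reachable on port 1. It assumes the multiplexer is the internal service named tcpmux and reads only the per-service 'disable' and 'type' attributes; SAMPLE_CONF and the function names are constructed for illustration.

```python
import re
# Constructed sample, trimmed to the attributes this audit reads.
SAMPLE_CONF = """\
service tcpmux
{
    id      = tcpmux-server
    type    = INTERNAL
    disable = no
}
service cvspserver
{
    server  = /usr/bin/cvs
    disable = no
}
service muxed-app
{
    type    = TCPMUX
    server  = /usr/local/bin/muxed-app
}
service ftp
{
    disable = yes
}
"""

BLOCK = re.compile(r"^[ \t]*service[ \t]+(\S+)\s*\{(.*?)^[ \t]*\}", re.S | re.M)
ATTR = re.compile(r"^[ \t]*(\w+)[ \t]*[+-]?=[ \t]*(.*?)[ \t]*$", re.M)
MUX_TYPES = {"TCPMUX", "TCPMUXPLUS"}

def types(attrs):
    return set(attrs.get("type", "").upper().split())

def parse_services(text):
    """Return [(name, attrs)] per service block; full-line '#' comments are ignored."""
    text = re.sub(r"(?m)^[ \t]*#.*$", "", text)
    return [(name, dict(ATTR.findall(body))) for name, body in BLOCK.findall(text)]

def audit(text):
    """Classify enabled services; 'unintended' ones are exposed on port 1 only by an unfixed xinetd."""
    enabled = [(n, a) for n, a in parse_services(text)
               if a.get("disable", "no").lower() != "yes"]
    # Assumption: the multiplexer is the stock internal service named "tcpmux".
    mux_on = any(n == "tcpmux" and "INTERNAL" in types(a) for n, a in enabled)
    others = [(n, a) for n, a in enabled if n != "tcpmux"]
    return {
        "tcpmux_server_enabled": mux_on,
        "intended": [n for n, a in others if types(a) & MUX_TYPES],
        "unintended": [n for n, a in others if mux_on and not types(a) & MUX_TYPES],
    }
```

Calling audit(SAMPLE_CONF) reports cvspserver as unintended and muxed-app as intended; with tcpmux-server disabled the unintended list is empty.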