CVE-2012-0862: enables unintentional services over tcpmux port

Bug #1016505 reported by Dimitri John Ledkov
Affects           Status         Importance   Assigned to   Milestone
xinetd (Debian)   Fix Released   Unknown
xinetd (Fedora)   Fix Released   Low
xinetd (Ubuntu)   Fix Released   Low          Unassigned
  Hardy           Won't Fix      Low          Unassigned
  Lucid           Won't Fix      Low          Unassigned
  Natty           Won't Fix      Low          Unassigned
  Oneiric         Won't Fix      Low          Unassigned
  Precise         Won't Fix      Low          Unassigned
  Quantal         Fix Released   Low          Unassigned

Bug Description

Imported from Debian bug http://bugs.debian.org/672381:

Package: xinetd
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=790940 for details and
a proposed patch.

Cheers,
        Moritz

Revision history for this message
In , vdanen (vdanen-redhat-bugs) wrote :

Thomas Swan reported a service disclosure flaw in xinetd. xinetd allows for services to be configured with the TCPMUX or TCPMUXPLUS service types, which makes those services available on port 1, as per RFC 1078 [1], if the tcpmux-server service is enabled. When the tcpmux-server service is enabled, xinetd would expose _all_ enabled services via the tcpmux port, instead of just the configured service(s). This could allow a remote attacker to bypass firewall restrictions and access services via the tcpmux port.

In order for enabled services handled by xinetd to be exposed via the tcpmux port, the tcpmux-server service must be enabled (by default it is disabled).

The tcpmux-server should only ever expose services with the 'type = TCPMUX' or 'type = TCPMUXPLUS' configuration options set.

To reproduce:

- enable tcpmux-server
- restart xinetd
- telnet localhost 1
- type service name of a running service (e.g. cvspserver)

The service will be launched and respond on the port:

# telnet localhost 1
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
cvspserver

cvs [pserver aborted]: bad auth protocol start:

There is no upstream fix for this as of yet.

[1] http://tools.ietf.org/html/rfc1078
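
An added example, not part of the bug report or of xinetd: a configuration audit that lists which enabled services an unfixed xinetd would offer through tcpmux although they are not of type TCPMUX or TCPMUXPLUS. The sample configuration is constructed, and the script assumes a single configuration text in which services are switched off with 'disable = yes' and the multiplexer block carries 'id = tcpmux-server'.

```python
import re

# Constructed sample configuration for illustration; not from the bug report.
SAMPLE = """
service tcpmux
{
    id      = tcpmux-server
    type    = INTERNAL
    disable = no
}
service cvspserver
{
    disable = no
}
service sample-mux
{
    type    = TCPMUX
    disable = no
}
service telnet
{
    disable = yes
}
"""

BLOCK = re.compile(r"^\s*service\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
MUX_TYPES = {"TCPMUX", "TCPMUXPLUS"}

def parse_services(text):
    """Return {name: {attr: value}} for every 'service' block."""
    services = {}
    for name, body in BLOCK.findall(re.sub(r"#.*", "", text)):
        pairs = (l.split("=", 1) for l in body.splitlines() if "=" in l)
        services[name] = {k.strip().lower(): v.strip() for k, v in pairs}
    return services

def audit_tcpmux(text):
    """Split enabled services into intended and unintended tcpmux exposure."""
    enabled = {n: a for n, a in parse_services(text).items()
               if a.get("disable", "no").lower() != "yes"}
    # Assumption: the multiplexer is the block carrying id 'tcpmux-server'.
    mux = {n for n, a in enabled.items() if a.get("id") == "tcpmux-server"}
    def muxed(name):
        return bool(MUX_TYPES & set(enabled[name].get("type", "").upper().split()))
    others = sorted(set(enabled) - mux)
    return {"tcpmux_enabled": bool(mux),
            "intended": [n for n in others if muxed(n)],
            # Reachable on an unfixed xinetd only while port 1 is open.
            "unintended": [n for n in others if mux and not muxed(n)]}
```

Any name in the 'unintended' list is a service that should be covered by the fixed package or by disabling tcpmux-server.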

Revision history for this message
In , vdanen (vdanen-redhat-bugs) wrote :

Acknowledgements:

Red Hat would like to thank Thomas Swan of FedEx for reporting this issue.

Revision history for this message
In , scorneli (scorneli-redhat-bugs) wrote :

Created attachment 583311
Patch for CVE-2012-0862 as provided by Thomas Swan of FedEx. Reviewed by a former xinetd upstream maintainer and the current Red Hat xinetd maintainer.

Revision history for this message
In , scorneli (scorneli-redhat-bugs) wrote :

Created xinetd tracking bugs for this issue

Affects: fedora-all [bug 820318]

Revision history for this message
In , vdanen (vdanen-redhat-bugs) wrote :

This is corrected in upstream 2.3.15.

Revision history for this message
In , updates (updates-redhat-bugs) wrote :

xinetd-2.3.14-47.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , updates (updates-redhat-bugs) wrote :

xinetd-2.3.14-37.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

Changed in xinetd (Ubuntu):
status: New → Confirmed
Changed in xinetd (Ubuntu Quantal):
importance: Undecided → Low
Changed in xinetd (Ubuntu Precise):
importance: Undecided → Low
Changed in xinetd (Ubuntu Lucid):
importance: Undecided → Low
Changed in xinetd (Ubuntu Hardy):
importance: Undecided → Low
Changed in xinetd (Ubuntu Natty):
importance: Undecided → Low
Changed in xinetd (Ubuntu Oneiric):
importance: Undecided → Low
Changed in xinetd (Ubuntu Hardy):
status: New → Confirmed
Changed in xinetd (Ubuntu Lucid):
status: New → Confirmed
Changed in xinetd (Ubuntu Natty):
status: New → Confirmed
Changed in xinetd (Ubuntu Oneiric):
status: New → Confirmed
Changed in xinetd (Ubuntu Precise):
status: New → Confirmed
Changed in xinetd (Debian):
importance: Undecided → Unknown
status: New → Fix Released
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

A branch is fine for Quantal.
For previous releases, security updates are preferred to be sponsored with a debdiff.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xinetd - 1:2.3.14-7.1ubuntu1

---------------
xinetd (1:2.3.14-7.1ubuntu1) quantal; urgency=low

  * Merge from Debian unstable. (LP: #1016505) Remaining changes:
    - Add xinetd upstart job.
    - debian/{control,rules}: Add and enable hardened build for PIE.
    - debian/control: Add Depend on lsb >= 3.2-14, which has the
      status_of_proc() function.
    - debian/xinetd.init: Add the 'status' action.

xinetd (1:2.3.14-7.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2012-0862 avoiding enabling unintentional services
    (Closes: #672381).
 -- Logan Rosen <email address hidden> Fri, 17 Aug 2012 00:41:51 -0400

Changed in xinetd (Ubuntu Quantal):
status: Confirmed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in xinetd (Ubuntu Natty):
status: Confirmed → Won't Fix
Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0499 https://rhn.redhat.com/errata/RHSA-2013-0499.html

Revision history for this message
In , jskeoch (jskeoch-redhat-bugs) wrote :

GSS are requesting further information regarding the ETA for this update being provided to RHEL 5. Can you contact John Jong Bae Ko <email address hidden> and provide additional details?

I am setting need info but please contact John directly as he does not have visibility of this BZ.

John

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against hardy is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in xinetd (Ubuntu Hardy):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in xinetd (Ubuntu Oneiric):
status: Confirmed → Won't Fix
Revision history for this message
In , thomas.swan (thomas.swan-redhat-bugs) wrote :

Created attachment 799731
updated, simpler patch

I believe that child_process, not exec_server, should be called. This does not affect the existing behaviour of other exec_server calls.

Revision history for this message
In , thomas.swan (thomas.swan-redhat-bugs) wrote :

disregard last update and patch.

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1302 https://rhn.redhat.com/errata/RHSA-2013-1302.html

Revision history for this message
In , huzaifas (huzaifas-redhat-bugs) wrote :

Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This flaw has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in xinetd (Ubuntu Lucid):
status: Confirmed → Won't Fix
Changed in xinetd (Fedora):
importance: Unknown → Low
status: Unknown → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in xinetd (Ubuntu Precise):
status: Confirmed → Won't Fix