Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- vsftpd -- Do not create network namespace per connection
From: Chris Evans <scarybeasts () gmail com>
Date: Mon, 6 Jun 2011 10:14:13 -0700

On Mon, Jun 6, 2011 at 9:19 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:

Hello, Josh, Steve, vendors,

 It was found that vsftpd, Very Secure FTP daemon, when the network
namespace (CONFIG_NET_NS) support was activated in the kernel, used to
create a new network namespace per connection. A remote attacker could
use this flaw to cause a memory pressure and denial of the vsftpd
service.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629373
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095
[3] https://bugzilla.redhat.com/show_bug.cgi?id=711134

This one being a bit tricky one -- from my understanding of the issue,
vsftpd doesn't necessarily have a security flaw on its side. It's
kernel issue / bug, which allows this to be used for vsftpd DoS:


Yes, I will be considering this a kernel issue.
vsftpd also uses one (or more!) process per connection. I'd have though that
a process structure plus stack etc. would be a lot more heavyweight than an
empty network namespace, but obviously not :)

[4] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095/comments/31
[5]
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095/comments/32

Short-term solution would be probably to address this on the vsftpd
side, the long-term one then being to get this fixed in kernel.


It's actually configurable in vsftpd.conf:
isolate_network=NO

So for a short term fix, all you need is to deploy that config change.
Looking at the Changelog, network isolation was added in vsftpd-2.2.0, and
the config setting has been there from v2.2.0 as well.


Cheers
Chris


Though not sure, how it would be wrt to CVE identifier(s) assignment.

Steve, could you advice here?

Thank you & Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]