oss-sec mailing list archives
Re: CVE-2012-0862 assignment notification: xinetd enables unintentional services over tcpmux port
From: Solar Designer <solar () openwall com>
Date: Thu, 10 May 2012 11:08:52 +0400
On Wed, May 09, 2012 at 05:31:25PM +0200, Stefan Cornelius wrote:
> Thomas Swan of FedEx reported a service disclosure flaw in xinetd. xinetd allows for services to be configured with the TCPMUX or TCPMUXPLUS service types, which makes those services available on port 1, as per RFC 1078 [1], if the tcpmux-server service is enabled. When the tcpmux-server service is enabled, xinetd would expose _all_ enabled services via the tcpmux port, instead of just the configured service(s). This could allow a remote attacker to bypass firewall restrictions and access services via the tcpmux port. In order for enabled services handled by xinetd to be exposed via the tcpmux port, the tcpmux-server service must be enabled (by default it is disabled). This has been assigned CVE-2012-0862.

This is now reported fixed in xinetd 2.3.15. From xinetd-2.3.15/CHANGELOG:

2.3.15
    If the address we're binding to is a multicast address, do the
        multicast join.
    Merge the Fedora patch to turn off libwrap processing on tcp
        rpc services. Patch xinetd-2.3.12-tcp_rpc.patch.
    Merge the Fedora patch to add labeled networking.
        Patch xinetd-2.3.14-label.patch r1.4.
    Merge the Fedora patch to fix getpeercon() for labeled networking
        in MLS environments.
        Patch xinetd-2.3.14-contextconf.patch r1.1
    Merge the Fedora patch for int->ssize_t.
        Patch xinetd-2.3.14-ssize_t.patch r1.1
        Some modifications to this patch were necessary.
    Change compiler flags, -Wconversion generates excessive and
        unnecessary warnings with gcc, particularly all
        cases of ntohs(uint16_t).
        http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6614
        Additionally add -Wno-unused to prevent unnecessary
        warnings regarding unused function parameters when
        the function is a callback conforming to a standard
        interface.
    Change version number to 2.3.15devel, indicating an interim
        developmental source snapshot.
    Merge patch from Thomas Swan regarding CVE-2012-0862

SHA-256 of xinetd-2.3.15.tar.gz that I just downloaded is
bf4e060411c75605e4dcbdf2ac57c6bd9e1904470a2f91e01ba31b50a80a5be3.
Unfortunately, there's no signature.

While we're at it, if anyone cares about these xinetd builtin services
and their issues (and it seems so), I think xinetd 2.3.14+ dropping
bad_port_check() is also a vulnerability that distros need to patch.
We do:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/xinetd/xinetd-2.3.14-up-revert-bad_port_check.diff?rev=1.1

(haven't updated to 2.3.15 yet, but that patch will stay the same - it
merely re-introduces the checks that existed in 2.3.13 and below).

Alexander
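
An added example, not part of the original message or of xinetd: a minimal Python audit that parses xinetd service blocks and, when tcpmux-server is enabled, lists the enabled services that were not configured with the TCPMUX or TCPMUXPLUS type, which are the ones the advisory says affected versions also expose on port 1. The sample configuration and the names `parse_services` and `audit_tcpmux` are constructed for illustration. Only the per-service `disable` attribute is read; `defaults` blocks and `includedir` are not followed.

```python
import re

# Constructed sample in xinetd.conf syntax (not taken from the advisory).
SAMPLE = """
service tcpmux
{
    type = INTERNAL
    id = tcpmux-server
    disable = no
}
service backup
{
    type = TCPMUXPLUS UNLISTED
    server = /usr/local/bin/backup-agent
}
service telnet
{
    server = /usr/sbin/in.telnetd
}
"""

BLOCK = re.compile(r"^\s*service\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)

def parse_services(text):
    """Return one dict per service block: id, type flags, disabled."""
    text = re.sub(r"(?m)^[ \t]*#.*$", "", text)  # drop comment lines
    services = []
    for name, body in BLOCK.findall(text):
        attrs = {}
        for line in body.splitlines():
            key, sep, value = line.partition("=")
            if sep:  # also accepts the "+=" and "-=" operators
                attrs[key.rstrip("+- \t").strip().lower()] = value.strip()
        services.append({
            "id": attrs.get("id", name),  # id defaults to the service name
            "types": set(attrs.get("type", "").upper().split()),
            "disabled": attrs.get("disable", "no").lower() == "yes",
        })
    return services

def audit_tcpmux(text):
    """Enabled non-TCPMUX services present while tcpmux-server is enabled."""
    enabled = [s for s in parse_services(text) if not s["disabled"]]
    if not any(s["id"] == "tcpmux-server" for s in enabled):
        return []
    return [s["id"] for s in enabled if s["id"] != "tcpmux-server"
            and not s["types"] & {"TCPMUX", "TCPMUXPLUS"}]

if __name__ == "__main__":
    print(audit_tcpmux(SAMPLE))
```

To audit a real host, concatenate the main configuration file and the files it includes and pass the result to `audit_tcpmux`.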
