Bug 461750 (CVE-2008-4677)
| Summary: | CVE-2008-4677 vim: netrw plugin: FTP username and password disclosure | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | karsten |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-01-08 11:12:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Link to thread discussing this vulnerability:
http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6#

Proposed partial fix:
http://mysite.verizon.net/astronaut/vim/index.html#NETRW

This issue did not affect the versions of vim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

All stable Fedora versions were updated to vim upstream version 7.2.060, which contains a netrw plugin version that prompts for a new password when connecting to a new FTP site.

Update requests:
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10587
https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10644

Description of problem (pasted from original rdancer.org vim vulnerability description -- see references):

The Vim Netrw Plugin shares the FTP user name and password across all FTP sessions. Every time Vim makes a new FTP connection, it sends the user name and password of the previous FTP session to the FTP server.

Once vim successfully connects to an FTP server using a user name and password credentials, it will re-use them in all subsequent FTP sessions, regardless of the domain name or TCP port. This behaviour is documented, although the documentation states the credentials are ``retained on a per-session basis''. Apparently the Vim session, not the FTP session:

    ``g:netrw_uid (ftp) user-id, retained on a per-session basis
    s:netrw_passwd (ftp) password, retained on a per-session basis''
    -- Netrw Reference Manual (``pi_netrw.txt'')

Although FTP communication is not encrypted and therefore open to eavesdropping, if the access to the network is protected, a credentials-based access control is meaningful, and the credentials must be kept secret.

Version-Release number of selected component (if applicable):
7.1.266, 7.2 and earlier versions of Vim

How reproducible:
Always

Steps to Reproduce:
1. See "4. EXPLOIT" from the rdancer vim vulnerability report [1]

Actual results:
Credentials disclosure.

Expected results:
Credentials are kept secret.

References (rdancer.org vim original vulnerability report):
[1] http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
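
The scoping problem described above, modelled in Python as an added example (not netrw's code and not part of the original report): a session-wide credential store next to one keyed by host and port that prompts again for each new site. The class names, host names and passwords are constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

Site = Tuple[str, int]    # (host, port)
Creds = Tuple[str, str]   # (user, password)
Prompt = Callable[[Site], Creds]

def site_key(site: Site) -> Site:
    """Host names are case-insensitive; the port is part of the identity."""
    return (site[0].lower().rstrip("."), site[1])

class SessionWideStore:
    """Behaviour in the report: one pair for the whole editor session."""
    def __init__(self, prompt: Prompt) -> None:
        self._prompt = prompt
        self._creds: Optional[Creds] = None

    def creds_for(self, site: Site) -> Creds:
        if self._creds is None:
            self._creds = self._prompt(site)
        return self._creds  # reused whatever the host or port

class PerSiteStore:
    """Scoped alternative: cache keyed by (host, port), prompt on a new site."""
    def __init__(self, prompt: Prompt) -> None:
        self._prompt = prompt
        self._creds: Dict[Site, Creds] = {}

    def creds_for(self, site: Site) -> Creds:
        key = site_key(site)
        if key not in self._creds:
            self._creds[key] = self._prompt(site)
        return self._creds[key]

def cross_site_sends(store_cls, visits: List[Site]) -> List[Tuple[Site, Site]]:
    """Return (receiving site, site the password was typed for) mismatches."""
    typed_for: Dict[Creds, Site] = {}

    def prompt(site: Site) -> Creds:
        creds = ("user", "pw-typed-for-%s:%d" % site_key(site))  # constructed
        typed_for[creds] = site
        return creds

    store, leaks = store_cls(prompt), []
    for site in visits:
        origin = typed_for[store.creds_for(site)]
        if site_key(origin) != site_key(site):
            leaks.append((site, origin))
    return leaks

# Constructed visit sequence: two hosts, plus the first host on another port.
VISITS = [("ftp.internal.example", 21), ("ftp.other.example", 21),
          ("ftp.internal.example", 2121), ("FTP.internal.example", 21)]
```

`cross_site_sends(SessionWideStore, VISITS)` lists the second host and the second port as recipients of the first site's password, while `cross_site_sends(PerSiteStore, VISITS)` returns an empty list.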