Bug 790940 (CVE-2012-0862) - CVE-2012-0862 xinetd: enables unintentional services over tcpmux port
Summary: CVE-2012-0862 xinetd: enables unintentional services over tcpmux port
Status: CLOSED ERRATA
Alias: CVE-2012-0862
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20120509,reported=2...
Keywords: Security
Depends On: 788795 801755 801756 801757 820318 883653 955663
Blocks: 790944 855229 952520
TreeView+ depends on / blocked
 
Reported: 2012-02-15 19:10 UTC by Vincent Danen
Modified: 2019-06-13 07:51 UTC (History)
7 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-10-01 04:46:40 UTC


Attachments (Terms of Use)
Patch for CVE-2012-0862 as provided by Thomas Swan of FedEx. Reviewed by a former xinetd upstream maintainer and the current Red Hat xinetd maintainer. (1.52 KB, patch)
2012-05-09 14:27 UTC, Stefan Cornelius
no flags Details | Diff
updated, simpler patch (351 bytes, patch)
2013-09-19 05:08 UTC, thomas.swan
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0499 normal SHIPPED_LIVE Low: xinetd security and bug fix update 2013-02-20 21:18:17 UTC
Red Hat Product Errata RHSA-2013:1302 normal SHIPPED_LIVE Low: xinetd security and bug fix update 2013-10-01 00:31:25 UTC

Description Vincent Danen 2012-02-15 19:10:31 UTC
Thomas Swan reported a service disclosure flaw in xinetd.  xinetd allows for services to be configured with the TCPMUX or TCPMUXPLUS service types, which makes those services available on port 1, as per RFC 1078 [1], if the tcpmux-server service is enabled.  When the tcpmux-server service is enabled, xinetd would expose _all_ enabled services via the tcpmux port, instead of just the configured service(s).  This could allow a remote attacker to bypass firewall restrictions and access services via the tcpmux port.

In order for enabled services handled by xinetd to be exposed via the tcpmux port, the tcpmux-server service must be enabled (by default it is disabled).

The tcpmux-server should only ever expose services with the 'type = TCPMUX' or 'type = TCPMUXPLUS' configuration options set.

To reproduce:

- enable tcpmux-server
- restart xinetd
- telnet localhost 1
- type service name of a running service (e.g. cvspserver)

The service will be launched and respond on the port:

# telnet localhost 1
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
cvspserver

cvs [pserver aborted]: bad auth protocol start: 


There is no upstream fix for this as of yet.

[1] http://tools.ietf.org/html/rfc1078

Comment 1 Vincent Danen 2012-02-16 15:26:49 UTC
Acknowledgements:

Red Hat would like to thank Thomas Swan of FedEx for reporting this issue.

Comment 4 Stefan Cornelius 2012-05-09 14:27:31 UTC
Created attachment 583311 [details]
Patch for CVE-2012-0862 as provided by Thomas Swan of FedEx. Reviewed by a former xinetd upstream maintainer and the current Red Hat xinetd maintainer.

Comment 5 Stefan Cornelius 2012-05-09 15:32:37 UTC
Now public via:
http://www.openwall.com/lists/oss-security/2012/05/09/5

Comment 6 Stefan Cornelius 2012-05-09 15:34:32 UTC
Created xinetd tracking bugs for this issue

Affects: fedora-all [bug 820318]

Comment 7 Jan Synacek 2012-05-17 06:51:46 UTC
Already fixed in f17 and f18 by
http://lists.fedoraproject.org/pipermail/scm-commits/2012-May/781809.html

Comment 8 Vincent Danen 2012-05-23 17:42:50 UTC
This is corrected in upstream 2.3.15.

Comment 9 Fedora Update System 2012-05-29 10:23:38 UTC
xinetd-2.3.14-47.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2012-05-29 10:28:08 UTC
xinetd-2.3.14-37.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 errata-xmlrpc 2013-02-21 07:43:43 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0499 https://rhn.redhat.com/errata/RHSA-2013-0499.html

Comment 14 John Skeoch 2013-03-06 00:24:37 UTC
GSS are requesting further information regards the ETA for this update being provided to RHEL 5, can you contact John Jong Bae Ko <jko@redhat.com> and provide additional details.

I am setting need info but please contact John directly as he does not have visibility of this BZ.

John

Comment 20 thomas.swan 2013-09-19 05:08:35 UTC
Created attachment 799731 [details]
updated, simpler patch

I believe that child_process not exec_server should be called.  This does not affect the existing behaviour of other exec_server calls.

Comment 21 thomas.swan 2013-09-19 05:12:20 UTC
disregard last update and patch.

Comment 23 errata-xmlrpc 2013-09-30 22:04:14 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1302 https://rhn.redhat.com/errata/RHSA-2013-1302.html

Comment 24 Huzaifa S. Sidhpurwala 2013-10-01 04:46:40 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This flaw has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.


Note You need to log in before you can comment on or make changes to this bug.