Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2002-1215: heartbeat: remote root exploit in heartbeat | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Olaf Kirch <okir> |
| Component: | Incidents | Assignee: | Olaf Kirch <okir> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Critical | | |
| Priority: | P3 - Medium | CC: | lmb, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2002-1215: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
This is Lars' baby, and he will provide the update packages :)

I have incorporated a slightly more elaborate fix for this issue from Alan; he now drops privileges for the processes communicating with the network. The packages are building right now and after testing I'll submit them.

Packages build, tested and checked in + putonftp files exist. Time of release to be coordinated by security-team, thus assigning the bug to Olaf now ;-)

Security advisory being released for 8.0/8.1.

Fix committed to UL prior to RC2.

CVE-2002-1215
Several format string bugs in heartbeat were reported to us during the weekend. Most of them cannot be exploited except when running heartbeat in debug mode. However, there is one such bug that can be exploited by _anyone_ as long as he can send a packet to the heartbeat daemon. Exploiting this bug will give remote attackers root privilege on the victim host.

I believe (and lmb as well as heartbeat's developer, Alan Robertson, agree) that we should at least fix the latter bug in UnitedLinux. The fix is a one-liner. I have already built binary RPMs with this one-line fix and given them to Alan Robertson for testing. He ran a stress-test with 1000 fail-overs on the fixed package.

The one-line patch looks like this:

```
	if ((namelen = strcspn(nvline, EQUAL)) <= 0 || nvline[namelen] != '=') {
		ha_log(LOG_WARNING, "ha_msg_add_nv: line doesn't contain '='");
-		ha_log(LOG_INFO, nvline);
+		ha_log(LOG_INFO, "%s", nvline);
		return(HA_FAIL);
	}
```

Which I hope is trivial enough to accept the fix at this stage. The remaining format string bugs will be fixed via a security update we will publish soon.
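Review bot: the one-line change is the right minimal fix for this call site, since `nvline` comes straight out of a received packet and `ha_log(LOG_INFO, nvline)` handed it to the logger as the format string; `ha_log(LOG_INFO, "%s", nvline)` makes the content an argument instead. Because the comment says further format string bugs remain, consider declaring `ha_log` with `__attribute__((format(printf, 2, 3)))` and building with `-Wformat -Wformat-security`, so every remaining call that passes a non-literal format is flagged by the compiler rather than found by hand. The `<= 0` test on `namelen` is also worth a glance: `strcspn` returns `size_t`, so only the `== 0` case can ever be true.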
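As an added illustration (not heartbeat's own code), here is the fixed call pattern with a stand-in `ha_log` that writes to an in-memory buffer and carries a printf format attribute, so the effect of the fix can be checked on a constructed `name=value` line. HA_OK/HA_FAIL, EQUAL, `last_log_line` and the buffer logger are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define HA_OK   1
#define HA_FAIL 0
#define EQUAL   "="

/* Last line written by ha_log(); kept in memory so it can be inspected.
 * Stand-in for the real logger, which goes to syslog/stderr (assumption). */
static char last_log[512];

/* The format attribute lets gcc/clang check every call site under
 * -Wformat -Wformat-security, which flags ha_log(LOG_INFO, nvline). */
static void ha_log(int priority, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));

static void ha_log(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Validate one "name=value" line from a received message. The line is
 * logged with an explicit "%s" format, so its content is never read as
 * conversion specifiers. namelen is size_t, so == 0 is the real check. */
int ha_msg_add_nv(const char *nvline)
{
    size_t namelen;

    if ((namelen = strcspn(nvline, EQUAL)) == 0 || nvline[namelen] != '=') {
        ha_log(LOG_WARNING, "ha_msg_add_nv: line doesn't contain '='");
        ha_log(LOG_INFO, "%s", nvline);   /* fixed: was ha_log(LOG_INFO, nvline) */
        return HA_FAIL;
    }
    return HA_OK;
}

const char *last_log_line(void) { return last_log; }

int main(void)
{
    /* Constructed input: a malformed line carrying format specifiers. */
    ha_msg_add_nv("bogus%x%x%n");
    printf("logged literally: %s\n", last_log_line());
    return 0;
}
```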