Bug 64550 (CVE-2004-1182)

Summary: VUL-0: CVE-2004-1182: hylafax: auth bypass
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1182: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: hylafax-auth-bypass.diff
patchinfo.hfax
patchinfo-box.hfax
hylafax.patch.box
hylafax.patch.maintained

Description Thomas Biege 2004-12-31 21:57:06 UTC 
Hi,
we received the following mail. (NOT PUBLIC)

From: Lee Howard <faxguy@howardsilvan.com>
To: vendor-sec@lst.de
Cc: patrice.fournier@ifax.com, darren@ifax.com, aidan@ifax.com,
        tim@multitalents.net
Subject: [vendor-sec] HylaFAX hfaxd unauthorized login vulnerability
Errors-To: vendor-sec-admin@lst.de
Date: Tue, 28 Dec 2004 12:26:30 -0800

Vendors,

We would like to coordinate a security release for HylaFAX.

In the body of this e-mail below I have included the text of our future
announcement which will be made to Bugtraq and to hylafax-announce on
the date of the release.

Our proposed release date is on 11 Jan 2005.  This should give people
time to recover from the holiday and weekend.  Public exposure of the
vulnerability could, although unlikely, surface (most likely on the
hylafax-users or hylafax-devel mailing lists) from outside sources
before the 11th.  If such occurred, then we would re-contact you with
that information and release immediately.

Attached is our patch for the vulnerability.

If you find problems with the patch or have problems with the proposed
release date, then please reply to all addresses on this e-mail.

We will not commit the patch to HylaFAX CVS-HEAD or otherwise publicize
the vulnerability until the release date.  As we were desireous to cut
a 4.2.1 release from HylaFAX CVS-HEAD anyway, we will promptly enter a
release cycle for 4.2.1, involving beta and rc releases.  None of these
will contain the patch.  The patch will be committed to CVS-HEAD only
on the release date immediately prior to the release.

The HylaFAX Bugzilla report for Bug 15610 will not be open to public
access until the release.

Thank you for including HylaFAX in your distributions.

Lee Howard
HylaFAX developer

----------------------------------------
HylaFAX security advisory
11 Jan 2005

Subject:  HylaFAX hfaxd unauthorized login vulnerability

Introduction:

HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages.  It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.  See http://www.hylafax.org


Problem Description and Impact:

HylaFAX hfaxd authenticates users against the hosts.hfaxd database.
The first field of a hosts.hfaxd database entry (the "client") has a
syntax of "^username@hostname$" where "username" is supplied during the
hfaxd protocol exchange, and "hostname" is the official host name or
the dotted IP address.  Regular expressions are used to match
usernames, hostnames, and addresses.  By tradition, if the entry does
not have the "@" in it, then the entry field is understood to be the
full hostname or full dotted IP address - authenticating any user from
the specified host.

The problem is that hfaxd always authenticates against the hosts.hfaxd
entry by comparing the string "username@hostname" with the client
field, irrespective of the formatting of the hosts.hfaxd client field.
If there is a match (regex) between the string and the client field and
no password is required (a subsequent entry field), then the login
succeeds.  Thus, if an attacker can guess hosts.hfaxd entries that do
not contain passwords (and most HylaFAX installations will likely
contain "localhost" and "127.0.0.1"), then hfaxd will authenticate the
attacker's login attempts if the attacker merely uses a username or
configures their hostname to match the hosts.hfaxd entry.  Because
hfaxd did not verify that hostnames outside of the local domain matched
their resolved addresses before trusting them, "localhost" entries are
therefore particularly vulnerable to "DNS spoofing".

All HylaFAX versions as far back as 4.0pl0 (1996) are vulnerable to
unauthorized remote access of HylaFAX services when there are
hosts.hfaxd entries without passwords.  HylaFAX installations are
likely to have hosts.hfaxd entries without passwords, as it is the
default.


Status:

HylaFAX.org has released HylaFAX version 4.2.1 which includes changes
to hfaxd to keep it from erroniously matching usernames against
hostname entries and verifying that hostnames match their resolved
addresses before trusting them.  All HylaFAX users are strongly
encouraged to upgrade.  The HylaFAX 4.2.1 source code is available at

  ftp://ftp.hylafax.org/source/hylafax-4.2.1.tar.gz

In the event that upgrading to 4.2.1 is not appropriate, the patch to
fix HylaFAX hfaxd is available at

  http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=610

In the event that both patching and upgrading are not possible then
firewalling techniques restricting access to port 4559 are strongly
encouraged.  Administrators may also consider adding passwords to all
entries in the hosts.hfaxd database that do not contain them.

Although no abuse of this vulnerability is known to HylaFAX
development, recent postings to the public HylaFAX.org mailing lists
have indicated problems with hosts.hfaxd entries that are associated
with this vulnerability.  As any serious investigation into the nature
of those problems would expose the vulnerability, this prompt response
has been made.


Effect:

Some HylaFAX installations may actually utilize the weak hostname and
username validation for authorized uses, although contrary to
hosts.hfaxd documentation.  For example, hosts.hfaxd entries that may
be common are

  192.168.0
  username:uid:pass:adminpass
  user@host

After updating, these entries will need to be changed in order to
continue to function.  Respectively, the correct entries should be

  192.168.0.[0-9]+
  username@:uid:pass:adminpass
  user@host

Unless such maching of "username" with "otherusername" and "host" with
"hostname" is desired, the proper form of these entries should include
the delimiter and markers like this

  @192.168.0.[0-9]+$
  ^username@:uid:pass:adminpass
  ^user@host$


Thanks:

Many thanks go to Patrice Fournier of iFAX Solutions for discovery of
the vulnerability (24 December) and the controlled reporting of it.
Thanks also go to Aidan Van Dyk of iFAX Solutions, whom I assisted, for
developing the final fix (28 December).


Lee Howard
HylaFAX developer
Comment 1 Thomas Biege 2004-12-31 21:57:07 UTC 
<!-- SBZ_reproduce  -->
-
Comment 2 Thomas Biege 2004-12-31 22:00:39 UTC 
Created attachment 27335 [details]
hylafax-auth-bypass.diff
Comment 3 Thomas Biege 2004-12-31 22:13:28 UTC 
swamp id 94
Comment 4 Christoph Thiel 2005-01-02 00:41:10 UTC 
... access rights of this bug don't seem to be adequate, as this vulnerability
isn't public, yet.
Comment 5 Andreas Jaeger 2005-01-02 01:16:22 UTC 
Make it internal for now - don't know whether this is the right set of 
rights.
Comment 6 Marcus Meissner 2005-01-02 01:59:05 UTC 
internal is ok. it should not have been created with SUSELinux access.
Comment 7 Thomas Biege 2005-01-02 06:53:07 UTC 
Thanks for fixng the access rights. "SUSELinux" was appropriate in the past too.

CAN-2004-1182
Comment 8 Thomas Biege 2005-01-07 22:17:23 UTC 
Created attachment 27454 [details]
patchinfo.hfax
Comment 9 Thomas Biege 2005-01-07 22:17:44 UTC 
Created attachment 27455 [details]
patchinfo-box.hfax
Comment 10 Thomas Biege 2005-01-07 22:18:46 UTC 
Please verify the patch files before submitting them.
Comment 11 Ludwig Nussel 2005-01-12 17:39:18 UTC 
It's public now. What's the status Karsten?
Comment 12 Karsten Keil 2005-01-12 23:13:20 UTC 
I did wait for the offical release 2.1 (which has the already the fix IMHO) 
which was released yesterday. I'm preparing a new package next week, which is 
some more work, since I want also split hylafax into client/server packages.
Comment 13 Michael Schröder 2005-01-12 23:25:44 UTC 
You know that you can't split a package in an update, don't you? And that
version updates are strongly discouraged for updates?
Comment 14 Ludwig Nussel 2005-01-12 23:48:33 UTC 
Karsten please backport only the security fix for the maintained 
distributions. That work is independent from what you plan to do in STABLE.
Comment 15 Karsten Keil 2005-01-13 01:22:25 UTC 
Ok, misunderstanding: The product of this BUG is 9.3pre, not any released 
products. 
Yes I can backport it to released maintanance products: 
 
SLES9-NLD 
SLES8-SLEC 
SLES8-SSLS 
SLES8-SLSTD 
 
and maybe also make a 9.2 BOX update (aj ?). 
 
Should I also checkin a update for SLES9 to cover possible new SLES9 products, 
or is that done automaticly with the SLES9-NLD checkin ?
Comment 16 Karsten Keil 2005-01-13 05:53:06 UTC 
OK, I mbuild  all updates above and put them into /work/src/done 
 
If I should prepare also updates for older BOX products, this is no problem.
Comment 17 Ludwig Nussel 2005-01-13 17:16:09 UTC 
yes, we need updates for 8.1-9.2. For security bugs the bugzilla product 
setting usually has no meaning.
Comment 18 Karsten Keil 2005-01-14 01:27:18 UTC 
OK, now are packages done/8.1-9.2 and in the sles products
Comment 19 Ludwig Nussel 2005-01-14 22:14:05 UTC 
I suppose the additional constraints that are according to the original report  
placed on entries in the config file after the fix also apply to our packages, 
correct?
Comment 20 Ludwig Nussel 2005-01-14 22:27:15 UTC 
the subpackage capi4hylafax is not affected by this fix, correct?
Comment 21 Ludwig Nussel 2005-01-14 22:33:47 UTC 
Created attachment 27649 [details]
hylafax.patch.box
Comment 22 Ludwig Nussel 2005-01-14 22:34:02 UTC 
Created attachment 27650 [details]
hylafax.patch.maintained
Comment 23 Karsten Keil 2005-01-14 22:54:10 UTC 
#19: no the config files are not touched yet 
#20: yes capi4hylafax is not affected
Comment 24 Ludwig Nussel 2005-01-14 23:13:04 UTC 
so are the additional notes I added to the patchinfos required or not?
Comment 25 Karsten Keil 2005-01-14 23:43:44 UTC 
They are required, since this is not documented elsewhere.
Comment 27 Marcus Meissner 2005-01-28 23:56:07 UTC 
updates released.
Comment 28 Thomas Biege 2009-10-13 20:09:47 UTC 
CVE-2004-1182: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)