Bugzilla – Bug 35586
VUL-0: CVE-2002-1215: heartbeat: remote root exploit in heartbeat
Last modified: 2021-09-26 10:31:34 UTC
Several format string bugs in heartbeat were reported to us during the weekend. Most of them cannot be exploited except when running heartbeat in debug mode. However, there is one such bug that can be exploited by _anyone_ as long as he can send a packet to the heartbeat daemon. Exploiting this bug will give remote attackers root privilege on the victim host. I believe (and lmb as well as heartbeat's developer, Alan Robertson, agree) that we should at least fix the latter bug in UnitedLinux. The fix is a one-liner. I have already built binary RPMs with this one-line fix and given them to Alan Robertson for testing. He ran a stress-test with 1000 fail-overs on the fixed package. The one-line patch looks like this:
if ((namelen = strcspn(nvline, EQUAL)) <= 0 || nvline[namelen] != '=') { ha_log(LOG_WARNING, "ha_msg_add_nv: line doesn't contain '='"); - ha_log(LOG_INFO, nvline); + ha_log(LOG_INFO, "%s", nvline); return(HA_FAIL); }
Which I hope is trivial enough to accept the fix at this stage. The remaining format string bugs will be fixed via a security update we will publish soon.
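Review bot: the `-`/`+` pair is the right fix for this call site: nvline is the raw line from a received packet, and passing it as the format argument of ha_log(LOG_INFO, nvline) lets any %-directives in that line drive the formatter; "%s" turns it back into data. Since the comment says other non-literal-format call sites remain, it would help to declare ha_log with a printf format attribute so the compiler reports each remaining site rather than relying on a manual audit.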
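As an added illustration (not heartbeat's own code), the hardened check from the patch above, with ha_log replaced by a constructed stand-in that formats into a buffer so the effect of "%s" on a malformed input line can be inspected:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define EQUAL       "="
#define HA_OK       1
#define HA_FAIL     0
#define LOG_WARNING 4
#define LOG_INFO    6

/* Constructed stand-in for heartbeat's ha_log(): writes the formatted line
 * into last_log so it can be inspected instead of being read from syslog.
 * The format attribute makes the compiler flag non-literal format arguments. */
static char last_log[256];

static void ha_log(int level, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));

static void ha_log(int level, const char *fmt, ...)
{
    va_list ap;
    (void)level;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Splits one "name=value" line received from the network, mirroring the
 * check in the patched ha_msg_add_nv(). On a malformed line the offending
 * input is logged as data via "%s", never used as the format string. */
static int ha_msg_add_nv(const char *nvline, char *name, size_t namesz,
                         char *value, size_t valuesz)
{
    size_t namelen = strcspn(nvline, EQUAL);

    if (namelen == 0 || nvline[namelen] != '=') {
        ha_log(LOG_WARNING, "ha_msg_add_nv: line doesn't contain '='");
        /* Vulnerable form from the bug report: ha_log(LOG_INFO, nvline);
         * here a received "%s%s%s" would be parsed as conversions. */
        ha_log(LOG_INFO, "%s", nvline);
        return HA_FAIL;
    }
    if (namelen >= namesz)
        return HA_FAIL;             /* name would not fit, reject the line */
    memcpy(name, nvline, namelen);
    name[namelen] = '\0';
    snprintf(value, valuesz, "%s", nvline + namelen + 1);
    return HA_OK;
}

/* Accessor so callers can check what the last log call produced. */
const char *last_logged(void) { return last_log; }
```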
This is Lars' baby, and he will provide the update packages :)
I have incorporated a slightly more elaborate fix for this issue from Alan; he now drops privileges for the processes communicating with the network. The packages are building right now and after testing I'll submit them.
Packages built, tested and checked in + putonftp files exist. Time of release to be coordinated by security-team, thus assigning the bug to Olaf now ;-)
Security advisory being released for 8.0/8.1. Fix committed to UL prior to RC2.
CVE-2002-1215
CVE-2002-1215: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)