Bugzilla – Bug 64550
VUL-0: CVE-2004-1182: hylafax: auth bypass
Last modified: 2021-09-27 08:47:25 UTC
Hi, we received the following mail. (NOT PUBLIC) From: Lee Howard <faxguy@howardsilvan.com> To: vendor-sec@lst.de Cc: patrice.fournier@ifax.com, darren@ifax.com, aidan@ifax.com, tim@multitalents.net Subject: [vendor-sec] HylaFAX hfaxd unauthorized login vulnerability Errors-To: vendor-sec-admin@lst.de Date: Tue, 28 Dec 2004 12:26:30 -0800 Vendors, We would like to coordinate a security release for HylaFAX. In the body of this e-mail below I have included the text of our future announcement which will be made to Bugtraq and to hylafax-announce on the date of the release. Our proposed release date is on 11 Jan 2005. This should give people time to recover from the holiday and weekend. Public exposure of the vulnerability could, although unlikely, surface (most likely on the hylafax-users or hylafax-devel mailing lists) from outside sources before the 11th. If such occurred, then we would re-contact you with that information and release immediately. Attached is our patch for the vulnerability. If you find problems with the patch or have problems with the proposed release date, then please reply to all addresses on this e-mail. We will not commit the patch to HylaFAX CVS-HEAD or otherwise publicize the vulnerability until the release date. As we were desireous to cut a 4.2.1 release from HylaFAX CVS-HEAD anyway, we will promptly enter a release cycle for 4.2.1, involving beta and rc releases. None of these will contain the patch. The patch will be committed to CVS-HEAD only on the release date immediately prior to the release. The HylaFAX Bugzilla report for Bug 15610 will not be open to public access until the release. Thank you for including HylaFAX in your distributions. Lee Howard HylaFAX developer ---------------------------------------- HylaFAX security advisory 11 Jan 2005 Subject: HylaFAX hfaxd unauthorized login vulnerability Introduction: HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX. See http://www.hylafax.org Problem Description and Impact: HylaFAX hfaxd authenticates users against the hosts.hfaxd database. The first field of a hosts.hfaxd database entry (the "client") has a syntax of "^username@hostname$" where "username" is supplied during the hfaxd protocol exchange, and "hostname" is the official host name or the dotted IP address. Regular expressions are used to match usernames, hostnames, and addresses. By tradition, if the entry does not have the "@" in it, then the entry field is understood to be the full hostname or full dotted IP address - authenticating any user from the specified host. The problem is that hfaxd always authenticates against the hosts.hfaxd entry by comparing the string "username@hostname" with the client field, irrespective of the formatting of the hosts.hfaxd client field. If there is a match (regex) between the string and the client field and no password is required (a subsequent entry field), then the login succeeds. Thus, if an attacker can guess hosts.hfaxd entries that do not contain passwords (and most HylaFAX installations will likely contain "localhost" and "127.0.0.1"), then hfaxd will authenticate the attacker's login attempts if the attacker merely uses a username or configures their hostname to match the hosts.hfaxd entry. Because hfaxd did not verify that hostnames outside of the local domain matched their resolved addresses before trusting them, "localhost" entries are therefore particularly vulnerable to "DNS spoofing". All HylaFAX versions as far back as 4.0pl0 (1996) are vulnerable to unauthorized remote access of HylaFAX services when there are hosts.hfaxd entries without passwords. HylaFAX installations are likely to have hosts.hfaxd entries without passwords, as it is the default. Status: HylaFAX.org has released HylaFAX version 4.2.1 which includes changes to hfaxd to keep it from erroniously matching usernames against hostname entries and verifying that hostnames match their resolved addresses before trusting them. All HylaFAX users are strongly encouraged to upgrade. The HylaFAX 4.2.1 source code is available at ftp://ftp.hylafax.org/source/hylafax-4.2.1.tar.gz In the event that upgrading to 4.2.1 is not appropriate, the patch to fix HylaFAX hfaxd is available at http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=610 In the event that both patching and upgrading are not possible then firewalling techniques restricting access to port 4559 are strongly encouraged. Administrators may also consider adding passwords to all entries in the hosts.hfaxd database that do not contain them. Although no abuse of this vulnerability is known to HylaFAX development, recent postings to the public HylaFAX.org mailing lists have indicated problems with hosts.hfaxd entries that are associated with this vulnerability. As any serious investigation into the nature of those problems would expose the vulnerability, this prompt response has been made. Effect: Some HylaFAX installations may actually utilize the weak hostname and username validation for authorized uses, although contrary to hosts.hfaxd documentation. For example, hosts.hfaxd entries that may be common are 192.168.0 username:uid:pass:adminpass user@host After updating, these entries will need to be changed in order to continue to function. Respectively, the correct entries should be 192.168.0.[0-9]+ username@:uid:pass:adminpass user@host Unless such maching of "username" with "otherusername" and "host" with "hostname" is desired, the proper form of these entries should include the delimiter and markers like this @192.168.0.[0-9]+$ ^username@:uid:pass:adminpass ^user@host$ Thanks: Many thanks go to Patrice Fournier of iFAX Solutions for discovery of the vulnerability (24 December) and the controlled reporting of it. Thanks also go to Aidan Van Dyk of iFAX Solutions, whom I assisted, for developing the final fix (28 December). Lee Howard HylaFAX developer
<!-- SBZ_reproduce --> -
Created attachment 27335 [details] hylafax-auth-bypass.diff
swamp id 94
... access rights of this bug don't seem to be adequate, as this vulnerability isn't public, yet.
Make it internal for now - don't know whether this is the right set of rights.
internal is ok. it should not have been created with SUSELinux access.
Thanks for fixng the access rights. "SUSELinux" was appropriate in the past too. CAN-2004-1182
Created attachment 27454 [details] patchinfo.hfax
Created attachment 27455 [details] patchinfo-box.hfax
Please verify the patch files before submitting them.
It's public now. What's the status Karsten?
I did wait for the offical release 2.1 (which has the already the fix IMHO) which was released yesterday. I'm preparing a new package next week, which is some more work, since I want also split hylafax into client/server packages.
You know that you can't split a package in an update, don't you? And that version updates are strongly discouraged for updates?
Karsten please backport only the security fix for the maintained distributions. That work is independent from what you plan to do in STABLE.
Ok, misunderstanding: The product of this BUG is 9.3pre, not any released products. Yes I can backport it to released maintanance products: SLES9-NLD SLES8-SLEC SLES8-SSLS SLES8-SLSTD and maybe also make a 9.2 BOX update (aj ?). Should I also checkin a update for SLES9 to cover possible new SLES9 products, or is that done automaticly with the SLES9-NLD checkin ?
OK, I mbuild all updates above and put them into /work/src/done If I should prepare also updates for older BOX products, this is no problem.
yes, we need updates for 8.1-9.2. For security bugs the bugzilla product setting usually has no meaning.
OK, now are packages done/8.1-9.2 and in the sles products
I suppose the additional constraints that are according to the original report placed on entries in the config file after the fix also apply to our packages, correct?
the subpackage capi4hylafax is not affected by this fix, correct?
Created attachment 27649 [details] hylafax.patch.box
Created attachment 27650 [details] hylafax.patch.maintained
#19: no the config files are not touched yet #20: yes capi4hylafax is not affected
so are the additional notes I added to the patchinfos required or not?
They are required, since this is not documented elsewhere.
http://w2d.suse.de/abuildstat/patchinfo/pending/afab9863f2e2029aadbf6bf833f50446
updates released.
CVE-2004-1182: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)