Bug 686590 - (CVE-2011-1575) VUL-0: CVE-2011-1575: new pure-ftpd version fix STARTTLS issues similar to CVE-2011-0411
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Peter Simons
Whiteboard: maint:released:11.2:40150 maint:relea...
Depends on:
Blocks:
Reported: 2011-04-11 12:15 UTC by Sebastian Krahmer
Modified: 2019-07-03 11:32 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Sebastian Krahmer 2011-04-11 12:15:26 UTC
From the pure-ftpd site:

Fix a STARTTLS flaw similar to Postfix’s CVE-2011-0411. If you’re using TLS, upgrading is recommended.

So we need to have another update round.
Comment 1 Michal Vyskocil 2011-04-11 12:41:31 UTC
Upstream [1] points to the patch [2]

[1] http://archives.pureftpd.org/archives.cgi?100:mss:3910:201103:cpeojfkblajnpinkeadd
[2] https://github.com/jedisct1/pure-ftpd/commit/65c4d4ad331e94661de763e9b5304d28698999c4

It's trivial, so I'm working on it atm.
Comment 2 Swamp Workflow Management 2011-04-11 12:59:20 UTC
The SWAMPID for this issue is 40116.
This issue was rated as moderate.
Please submit fixed packages until 2011-04-25.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Michal Vyskocil 2011-04-11 13:14:45 UTC
sle-10-sp3: 11483, sle-11-sp1: 11481

11.2: 66838, 11.3: 66835, 11.4: 66836, factory: updated to .30
Comment 4 Sebastian Krahmer 2011-04-11 13:21:10 UTC
I will ask on oss-sec whether this deserves its own CVE.
Comment 6 Sebastian Krahmer 2011-04-12 06:45:05 UTC
CVE-2011-1575
Comment 7 Marcus Meissner 2011-05-07 09:42:42 UTC
reproducer:

1. set up TLS for pure-ftpd

    check that it works by

    telnet ftphost 21
    user ftp
    starttls
    (should not report code 500)

2. testcase
   (echo USER ftp ; echo STARTTLS ;echo QUIT; cat ) | netcat grape.suse.de 21

   should NOT quit the connection.
Comment 8 Marcus Meissner 2011-05-07 10:08:41 UTC
for 1: ... /usr/share/doc/packages/pure-ftpd/README.TLS has

openssl req -x509 -nodes -newkey rsa:1024 -keyout \
  /etc/ssl/private/pure-ftpd.pem \
  -out /etc/ssl/private/pure-ftpd.pem

as self signed key generation command.

The config file /etc/pure-ftpd/pure-ftpd.conf needs TLS 1.


Test with:
telnet ftpserver 21
auth tls

which should give:
231 AUTH OK.
(then you need to kill telnet as it wants SSL traffic)



for 2:

(echo "auth tls" ; echo "quit" ; cat ) | netcat ftpserverhost 21
should not QUIT the ftp connection.


I was however not able to get this to work for the affected case.
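The reproducers in comments 7 and 8 both test one thing: whether a command that was sent in plaintext in the same write as STARTTLS / AUTH TLS is still executed after the server switches to TLS. The following Python is an added illustration of that bug class and of the shape of the fix; it is not pure-ftpd code and not code from anyone on this bug. It models a server command loop reading from a byte buffer (the names ToySession, handle_command and run_server, the reply texts, and the sample inputs are all constructed here). With discard_pending=False the server keeps the read-ahead plaintext across the switch to TLS and so honours the injected QUIT, which is what the "connection quits" outcome in comment 7 indicates; with discard_pending=True it throws the pending bytes away when TLS starts, so only commands that actually arrive inside the TLS session are executed.

```python
"""Toy model of the STARTTLS plaintext-injection bug class
(CVE-2011-0411 in Postfix, CVE-2011-1575 in pure-ftpd).

Added illustration, not pure-ftpd code. A server whose command loop keeps
already-buffered plaintext across the switch to TLS will execute those
leftover commands as if the client had sent them encrypted. The fix is to
discard whatever was read ahead of the handshake.
"""

from dataclasses import dataclass, field


@dataclass
class ToySession:
    tls_active: bool = False
    closed: bool = False
    replies: list = field(default_factory=list)
    # Commands executed after the switch to TLS. On a fixed server this can
    # only contain commands that really arrived inside the TLS session.
    executed_after_tls: list = field(default_factory=list)


def handle_command(sess: ToySession, line: str) -> None:
    """Minimal FTP command dispatcher (constructed; reply texts illustrative)."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if sess.tls_active:
        sess.executed_after_tls.append(line)
    if verb == "USER":
        sess.replies.append("331 User OK. Password required.")
    elif verb == "AUTH" and arg.upper() == "TLS":
        sess.replies.append("234 AUTH TLS OK.")
        sess.tls_active = True
    elif verb == "QUIT":
        sess.replies.append("221 Goodbye.")
        sess.closed = True
    else:
        sess.replies.append("500 Unknown command.")


def run_server(plaintext: bytes, over_tls: bytes = b"",
               discard_pending: bool = True) -> ToySession:
    """Run the command loop over `plaintext` (bytes that were in the socket
    buffer before the handshake) and `over_tls` (bytes the client sends
    inside the TLS session). discard_pending=False models the vulnerable
    server, discard_pending=True the fixed one."""
    buf = bytearray(plaintext)
    tls_pending = bytearray(over_tls)
    sess = ToySession()
    while not sess.closed:
        if b"\r\n" not in buf:
            # Need more input. Once TLS is active, "more input" means the
            # decrypted bytes handed up by the TLS layer.
            if sess.tls_active and tls_pending:
                buf += tls_pending
                tls_pending.clear()
                continue
            break
        line, _, rest = bytes(buf).partition(b"\r\n")
        buf = bytearray(rest)
        was_tls = sess.tls_active
        handle_command(sess, line.decode("ascii", "replace"))
        if sess.tls_active and not was_tls:
            # AUTH TLS just succeeded; a real server performs the handshake
            # here. The fix: drop any plaintext read ahead of the handshake
            # so it cannot be replayed as an "encrypted" command.
            if discard_pending:
                buf.clear()
    return sess


def connection_quits(discard_pending: bool) -> bool:
    """The comment 7 check: USER, AUTH TLS and QUIT in a single write.
    Returns True when the server closed the session, i.e. it executed the
    plaintext QUIT after switching to TLS."""
    sess = run_server(b"USER ftp\r\nAUTH TLS\r\nQUIT\r\n",
                      discard_pending=discard_pending)
    return sess.closed


if __name__ == "__main__":
    for flag in (False, True):
        sess = run_server(b"USER ftp\r\nAUTH TLS\r\nQUIT\r\n",
                          discard_pending=flag)
        print("discard_pending=%s -> closed=%s replies=%s after_tls=%s"
              % (flag, sess.closed, sess.replies, sess.executed_after_tls))
```

Against a real server the equivalent observation is the one comment 7 makes: a fixed pure-ftpd answers AUTH TLS and then waits for the handshake, while a vulnerable one also acts on the plaintext QUIT that followed it.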
Comment 9 Swamp Workflow Management 2011-05-12 14:25:54 UTC
Update released for: pure-ftpd, pure-ftpd-debuginfo, pure-ftpd-debugsource
Products:
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 10 Swamp Workflow Management 2011-05-25 16:23:00 UTC
Update released for: pure-ftpd, pure-ftpd-debuginfo
Products:
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 11 Swamp Workflow Management 2011-05-25 16:32:42 UTC
Update released for: pure-ftpd, pure-ftpd-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 12 Swamp Workflow Management 2011-05-25 16:45:38 UTC
Update released for: pure-ftpd, pure-ftpd-debuginfo, pure-ftpd-debugsource
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 13 Marcus Meissner 2011-05-31 12:59:03 UTC
all released
Comment 14 Andrej Skorupa 2018-11-19 14:03:54 UTC
Can this bug be reopened pls?

Customer with SLES11 SP4 for SAP reports that vulnerability still exists,
check via splunk tool:

STARTTLS\r\nRSET\r\n

response:

220 Ok
250 Ok

Thank you.
Comment 15 Andrej Skorupa 2018-11-19 14:05:05 UTC
postfix               SUSE Linux Enterprise 11         2.9.4-0.28.2
postfix-2.9.4-0.28.2  Thu Sep  1    20:11:17 2016

pure-ftpd             SUSE Linux Enterprise 11         1.0.43-29.1
pure-ftpd-1.0.43-29.1 Tue Oct 23    11:59:35 2018
Comment 16 Marcus Meissner 2018-11-19 14:31:27 UTC
reopen for review
Comment 17 Marcus Meissner 2018-11-28 10:19:48 UTC
did they test pure-ftpd or postfix?
Comment 18 Marcus Meissner 2018-11-28 17:15:14 UTC
the current pure-ftpd has at least the patch we applied included.

RSET seems a mail command. When I ran it against a postfix on SLE11:

(echo STARTTLS ; echo RSET ; cat ) | netcat mailserver 25
220 newverein.lst.de ESMTP Postfix
220 2.0.0 Ready to start TLS
... hangs

So the 2 220 codes are coming from SMTP, the initial reply and the STARTTLS reply.
But the RSET is not causing a reply, indicating that SSL is already activated.


So it would be good to know what port exactly the customer tested.
Comment 19 Andrej Skorupa 2018-12-11 09:01:39 UTC
(In reply to Marcus Meissner from comment #18)
> the current pure-ftpd has at least the patch we applied included.
> 
> RSET seems a mail command. When I ran it against a postfix on SLE11:
> 
> (echo STARTTLS ; echo RSET ; cat ) | netcat mailserver 25
> 220 newverein.lst.de ESMTP Postfix
> 220 2.0.0 Ready to start TLS
> ... hangs
> 
> So the 2 220 codes are coming from SMTP, the initial reply and the STARTTLS
> reply.
> But the RSET is not causing a reply, indicating that SSL is already
> activated.
> 
> 
> So it would be good to know what port exactly the customer tested.

Hi Marcus,
customer has tested port 587, so SMTP. You were right.
Comment 20 Andrej Skorupa 2018-12-19 14:31:28 UTC
(In reply to Andrej Skorupa from comment #19)
> (In reply to Marcus Meissner from comment #18)
> > the current pure-ftpd has at least the patch we applied included.
> > 
> > RSET seems a mail command. When I ran it against a postfix on SLE11:
> > 
> > (echo STARTTLS ; echo RSET ; cat ) | netcat mailserver 25
> > 220 newverein.lst.de ESMTP Postfix
> > 220 2.0.0 Ready to start TLS
> > ... hangs
> > 
> > So the 2 220 codes are coming from SMTP, the initial reply and the STARTTLS
> > reply.
> > But the RSET is not causing a reply, indicating that SSL is already
> > activated.
> > 
> > 
> > So it would be good to know what port exactly the customer tested.
> 
> Hi Marcus,
> customer has tested port 587, so SMTP. You were right.

any updates please?
Comment 21 Marcus Meissner 2018-12-19 14:42:27 UTC
I think this turned out to be a non-issue, at least in my eyes.
Comment 22 Lumir Sliva 2019-01-08 11:07:25 UTC
(In reply to Marcus Meissner from comment #21)
> I think this turned out to be a non-issue, at least in my eyes.

Andrej is OoO, what should we tell the customer then? Can you be a little bit more verbose as to why you think it's not an issue, please?
Comment 23 Marcus Meissner 2019-01-08 14:53:36 UTC
if you run the example against an SMTP host, it is expected that it will return 2 codes with 2xx.

the first is the banner line


220 host.example.com ESMTP Postfix
STARTTLS
220 2.0.0 Ready to start TLS

and then it will hang (as it expects TLS traffic)
Comment 24 Lumir Sliva 2019-01-14 08:31:23 UTC
(In reply to Marcus Meissner from comment #23)
> if you run the example against an SMTP host, it is expected that it will return 2
> codes with 2xx.
> 
> the first is the banner line
> 
> 
> 220 host.example.com ESMTP Postfix
> STARTTLS
> 220 2.0.0 Ready to start TLS
> 
> and then it will hang (as it expects TLS traffic)

Thanks Marcus. I'll tell the customer.
Comment 26 Alexandros Toptsoglou 2019-07-03 11:32:22 UTC
all done