Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: vsftpd: Enforce security checks against ALPACA attack | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Gianluca Gabrielli <gianluca.gabrielli> |
| Component: | Incidents | Assignee: | Peter Simons <peter.simons> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P2 - High | CC: | andreas.taschner, meissner |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/302848/#products | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | 1196386 | | |
| Bug Blocks: | 1187678 | | |
| Attachments: | vsftpd-no-tls1.3.patch | | |
Description
Gianluca Gabrielli
2021-06-24 12:33:33 UTC
From the changelog [0], I can assume the following points are the ones related to the mitigation of this attack:

- Close the control connection after 10 unknown commands pre-login.
- Reject any TLS ALPN advertisement that's not 'ftp'.
- Add ssl_sni_hostname option to require a match on incoming SNI hostname.

Without the sources available via a VCS (like git) it's quite hard to cherry-pick the right changes. Sources of vsftpd v3.0.4 can be downloaded here [1] and a comparison with the previous version is shown here [2], which can turn out to be helpful to address the changed LOCs responsible for the mitigation of the attack.

@Peter, as maintainer of this package, please help us understand which packages are affected and how we can backport the right changes.

(In reply to Gianluca Gabrielli from comment #1)
> From the changelog [0], I can assume the following points are the ones
> related to the mitigation of this attack:
>
> - Close the control connection after 10 unknown commands pre-login.
> - Reject any TLS ALPN advertisement that's not 'ftp'.
> - Add ssl_sni_hostname option to require a match on incoming SNI hostname.
>
> Without the sources available via a VCS (like git) it's quite hard to
> cherry-pick the right changes. Sources of vsftpd v3.0.4 can be downloaded
> here [1] and a comparison with the previous version is shown here [2], which
> can turn out to be helpful to address the changed LOCs responsible for the
> mitigation of the attack.
>
> @Peter, as maintainer of this package, please help us understand which
> packages are affected and how we can backport the right changes.

[0] https://security.appspot.com/vsftpd/Changelog.txt
[1] https://security.appspot.com/downloads/vsftpd-3.0.4.tar.gz
[2] https://fossies.org/diffs/vsftpd/3.0.3_vs_3.0.4/

Created attachment 857916 [details]
vsftpd-no-tls1.3.patch

This little patch makes it build on OpenSSL 1.1.0.
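The three changelog points quoted in comment #1 (ALPN restricted to 'ftp', an ssl_sni_hostname match on the incoming SNI, and a cap of 10 unknown pre-login commands) modelled as an added Python example. This is illustrative code written for this page, not vsftpd's C implementation or SUSE's patch; the names alpn_is_acceptable, sni_is_acceptable, ControlConnection and build_server_context, the list of pre-login commands, and the reading that any non-'ftp' entry in the advertised ALPN list makes the handshake unacceptable are all assumptions.

```python
# Added example (not vsftpd's code): the three ALPACA hardening checks from the
# vsftpd 3.0.4 changelog, modelled as a small policy layer. Every name below
# is hypothetical.
import ssl
from dataclasses import dataclass

# Changelog: "Close the control connection after 10 unknown commands pre-login."
MAX_UNKNOWN_PRELOGIN_CMDS = 10
# Changelog: "Reject any TLS ALPN advertisement that's not 'ftp'."
ALLOWED_ALPN = "ftp"
# Constructed subset of FTP verbs a client may legitimately send before login.
KNOWN_PRELOGIN_CMDS = {"USER", "PASS", "AUTH", "PBSZ", "PROT", "FEAT", "QUIT", "NOOP"}


def alpn_is_acceptable(advertised):
    """True for a ClientHello with no ALPN extension (legacy FTPS clients) or one
    that advertises only 'ftp'. A connection redirected from a browser carries
    'http/1.1' or 'h2' and is refused. Assumption: any entry other than 'ftp'
    in the list makes the whole advertisement unacceptable."""
    if advertised is None:
        return True
    return len(advertised) > 0 and all(proto == ALLOWED_ALPN for proto in advertised)


def sni_is_acceptable(sni, required_hostname):
    """Mirror of the ssl_sni_hostname option: when a hostname is configured the
    client's SNI must match it (case-insensitive, trailing dot ignored); when
    none is configured the check is disabled, as an unset option would be."""
    if required_hostname is None:
        return True
    if not sni:
        return False
    return sni.lower().rstrip(".") == required_hostname.lower().rstrip(".")


@dataclass
class ControlConnection:
    """Per-connection state for the pre-login unknown-command limit."""
    logged_in: bool = False
    unknown_cmds: int = 0

    def handle(self, line):
        """Classify one control-channel line as 'ok', 'unknown' or 'close'
        ('close' means the server should drop the connection). Login tracking
        is simplified to 'PASS seen'; the limit only applies before login."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in KNOWN_PRELOGIN_CMDS:
            if verb == "PASS":
                self.logged_in = True
            return "ok"
        self.unknown_cmds += 1
        if not self.logged_in and self.unknown_cmds >= MAX_UNKNOWN_PRELOGIN_CMDS:
            return "close"
        return "unknown"


def build_server_context(certfile, keyfile, required_hostname=None):
    """Server-side SSLContext that offers only 'ftp' via ALPN and aborts the
    handshake with an unrecognized_name alert when the SNI does not match.
    Python's ssl module exposes only the negotiated ALPN protocol, not the
    client's full list, so alpn_is_acceptable() is the rule a server with
    access to the raw ClientHello (as vsftpd has via OpenSSL) would enforce."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.set_alpn_protocols([ALLOWED_ALPN])

    def on_sni(sock, server_name, context):
        if sni_is_acceptable(server_name, required_hostname):
            return None  # continue the handshake
        return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME  # fatal alert, handshake aborted

    ctx.sni_callback = on_sni
    return ctx


if __name__ == "__main__":
    # Constructed input: lines an FTP server would see if a browser's HTTP
    # request were delivered to it over a mis-routed TLS session.
    conn = ControlConnection()
    for line in ["GET / HTTP/1.1", "Host: ftp.example.com"] + ["X-Pad: a"] * 9:
        verdict = conn.handle(line)
        print(f"{line!r:30} -> {verdict}")
        if verdict == "close":
            break
    print("ALPN http/1.1 acceptable:", alpn_is_acceptable(["http/1.1"]))
    print("SNI match:", sni_is_acceptable("FTP.example.com.", "ftp.example.com"))
```

The pure functions run offline; build_server_context needs a real certificate and key and is shown only to tie the SNI rule to the ssl module's sni_callback hook, where returning an ALERT_DESCRIPTION_* value aborts the handshake.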
Hi Peter, can you give an update of the current status of this issue?

I see the following related packages:

Don't know the state of:
- SUSE:SLE-12:Update/vsftpd 3.0.2
- SUSE:SLE-15-SP2:Update/vsftpd 3.0.3
- SUSE:SLE-15:Update/vsftpd 3.0.3

Upgraded to a non-vulnerable version:
- SUSE:SLE-12-SP5:Update/vsftpd 3.0.5
- SUSE:SLE-15-SP4:Update/vsftpd 3.0.5
- openSUSE:Factory/vsftpd 3.0.5

In this case we are good with the submitted patches:

Already released:
- SUSE:SLE-15-SP4:Update
- SUSE:SLE-12-SP5:Update

Submitted, to be released:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update

Set as Won't Fix:
- SUSE:SLE-11-SP1:Update
- SUSE:SLE-12:Update

No more actions are required from Peter. I close this incident and will open it again in case something goes wrong with the two In Progress submissions. Thank you all.

SUSE-SU-2022:3320-1: An update that solves one vulnerability, contains one feature and has four fixes is now available.

Category: security (important)
Bug References: 1021387,1052900,1187678,1187686,786024
CVE References: CVE-2021-3618
JIRA References: PM-3322
Sources used:
openSUSE Leap 15.4 (src): vsftpd-3.0.5-150400.3.3.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): vsftpd-3.0.5-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3383-1: An update that solves one vulnerability, contains one feature and has four fixes is now available.

Category: security (important)
Bug References: 1021387,1052900,1187678,1187686,786024
CVE References: CVE-2021-3618
JIRA References: PM-3322
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): vsftpd-3.0.5-47.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3457-1: An update that solves one vulnerability, contains two features and has 6 fixes is now available.

Category: security (important)
Bug References: 1021387,1052900,1181400,1187678,1187686,786024,971784
CVE References: CVE-2021-3618
JIRA References: PM-3322,SLE-23896
Sources used:
openSUSE Leap 15.3 (src): vsftpd-3.0.5-150200.12.9.1
SUSE Manager Server 4.1 (src): vsftpd-3.0.5-150200.12.9.1
SUSE Manager Retail Branch Server 4.1 (src): vsftpd-3.0.5-150200.12.9.1
SUSE Manager Proxy 4.1 (src): vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): vsftpd-3.0.5-150200.12.9.1
SUSE Enterprise Storage 7 (src): vsftpd-3.0.5-150200.12.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3458-1: An update that solves one vulnerability, contains two features and has 6 fixes is now available.

Category: security (important)
Bug References: 1021387,1052900,1181400,1187678,1187686,786024,971784
CVE References: CVE-2021-3618
JIRA References: PM-3322,SLE-23895
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise Server for SAP 15 (src): vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise Server 15-LTSS (src): vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): vsftpd-3.0.5-150000.7.19.1
SUSE Enterprise Storage 6 (src): vsftpd-3.0.5-150000.7.19.1
SUSE CaaS Platform 4.0 (src): vsftpd-3.0.5-150000.7.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3888-1: An update that solves one vulnerability, contains one feature and has four fixes is now available.

Category: security (important)
Bug References: 1021387,1052900,1187678,1187686,786024
CVE References: CVE-2021-3618
JIRA References: PM-3322
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): vsftpd-3.0.5-51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.