Bugzilla – Bug 686590
VUL-0: CVE-2011-1575: new pure-ftpd version fix STARTTLS issues similar to CVE-2011-0411
Last modified: 2019-07-03 11:32:22 UTC
From the pure-ftpd site: Fix a STARTTLS flaw similar to Postfix’s CVE-2011-0411. If you’re using TLS, upgrading is recommended. So we need to have another update round.
Upstream [1] points to the patch [2]
[1] http://archives.pureftpd.org/archives.cgi?100:mss:3910:201103:cpeojfkblajnpinkeadd
[2] https://github.com/jedisct1/pure-ftpd/commit/65c4d4ad331e94661de763e9b5304d28698999c4
It's trivial, so I'm working on it atm.
The SWAMPID for this issue is 40116. This issue was rated as moderate. Please submit fixed packages until 2011-04-25. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
sle-10-sp3: 11483, sle-11-sp1: 11481
11.2: 66838, 11.3: 66835, 11.4: 66836, factory: updated to .30
I will ask on oss-sec whether this deserves its own CVE.
This bug (686590) was mentioned in
https://build.opensuse.org/request/show/66835
https://build.opensuse.org/request/show/66836
https://build.opensuse.org/request/show/66838
CVE-2011-1575
reproducer:
1. set up TLS for pure-ftpd, check that it works by
   telnet ftphost 21
   user ftp
   starttls
   (should not report code 500)
2. testcase
   (echo USER ftp ; echo STARTTLS ; echo QUIT ; cat ) | netcat grape.suse.de 21
   should NOT quit the connection.
for 1: ...
/usr/share/doc/packages/pure-ftpd/README.TLS has
   openssl req -x509 -nodes -newkey rsa:1024 -keyout \
       /etc/ssl/private/pure-ftpd.pem \
       -out /etc/ssl/private/pure-ftpd.pem
as self-signed key generation command.
The config file /etc/pure-ftpd/pure-ftpd.conf needs TLS 1.
Test with:
   telnet ftpserver 21
   auth tls
which should give: 231 AUTH OK. (then you need to kill telnet as it wants SSL traffic)
for 2:
   (echo "auth tls" ; echo "quit" ; cat ) | netcat ftpserverhost 21
should not QUIT the ftp connection. I was however not able to get this to work for the affected case.
Update released for: pure-ftpd, pure-ftpd-debuginfo, pure-ftpd-debugsource
Products: openSUSE 11.2 (debug, i586, x86_64), openSUSE 11.3 (debug, i586, x86_64), openSUSE 11.4 (debug, i586, x86_64)
Update released for: pure-ftpd, pure-ftpd-debuginfo
Products: SLE-SAP-APL 10-SP3 (x86_64), SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64), SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: pure-ftpd, pure-ftpd-debuginfo
Products: SLE-DESKTOP 10-SP4 (i386, x86_64), SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: pure-ftpd, pure-ftpd-debuginfo, pure-ftpd-debugsource
Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP1 (i386, x86_64), SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP1 (i386, x86_64)
all released
Can this bug be reopened pls? Customer with SLES11 SP4 for SAP reports that the vulnerability still exists, checked via splunk tool:
STARTTLS\r\nRSET\r\n
response:
220 Ok
250 Ok
Thank you.
postfix    SUSE Linux Enterprise 11   2.9.4-0.28.2   postfix-2.9.4-0.28.2    Thu Sep 1 20:11:17 2016
pure-ftpd  SUSE Linux Enterprise 11   1.0.43-29.1    pure-ftpd-1.0.43-29.1   Tue Oct 23 11:59:35 2018
reopen for review
did they test pure-ftpd or postfix?
the current pure-ftpd has at least the patch we applied included.

RSET seems a mail command. If I ran it against a postfix on SLE11:

(echo STARTTLS ; echo RSET ; cat ) | netcat mailserver 25
220 newverein.lst.de ESMTP Postfix
220 2.0.0 Ready to start TLS
... hangs

So the 2 220 codes are coming from SMTP, the initial reply and the STARTTLS reply.
But the RSET is not causing a reply, indicating that SSL is already activated.

So it would be good to know what port exactly the customer tested.
(In reply to Marcus Meissner from comment #18)
> the current pure-ftpd has at least the patch we applied included.
>
> RSET seems a mail command. If I ran it against a postfix on SLE11:
>
> (echo STARTTLS ; echo RSET ; cat ) | netcat mailserver 25
> 220 newverein.lst.de ESMTP Postfix
> 220 2.0.0 Ready to start TLS
> ... hangs
>
> So the 2 220 codes are coming from SMTP, the initial reply and the STARTTLS
> reply.
> But the RSET is not causing a reply, indicating that SSL is already
> activated.
>
>
> So it would be good to know what port exactly the customer tested.

Hi Marcus,
customer has tested port 587, so SMTP. You were right.
(In reply to Andrej Skorupa from comment #19)
> (In reply to Marcus Meissner from comment #18)
> > the current pure-ftpd has at least the patch we applied included.
> >
> > RSET seems a mail command. If I ran it against a postfix on SLE11:
> >
> > (echo STARTTLS ; echo RSET ; cat ) | netcat mailserver 25
> > 220 newverein.lst.de ESMTP Postfix
> > 220 2.0.0 Ready to start TLS
> > ... hangs
> >
> > So the 2 220 codes are coming from SMTP, the initial reply and the STARTTLS
> > reply.
> > But the RSET is not causing a reply, indicating that SSL is already
> > activated.
> >
> >
> > So it would be good to know what port exactly the customer tested.
>
> Hi Marcus,
> customer has tested port 587, so SMTP. You were right.

any updates please?
I think this turned out to be a non-issue, at least in my eyes.
(In reply to Marcus Meissner from comment #21)
> I think this turned out to be a non-issue, at least in my eyes.

Andrej is OoO, what should we tell the customer then? Can you be a little bit more verbose as to why you think it's not an issue please?
if you run the example against a SMTP host it is expected it will return 2 codes with 2xx.

the first is the banner line:

220 host.example.com ESMTP Postfix
STARTTLS
220 2.0.0 Ready to start TLS

and then it will hang (as it expects TLS traffic)
(In reply to Marcus Meissner from comment #23)
> if you run the example against a SMTP host it is expected it will return 2
> codes with 2xx.
>
> the first is the banner line
>
>
> 220 host.example.com ESMTP Postfix
> STARTTLS
> 220 2.0.0 Ready to start TLS
>
> and then it will hang (as it expects TLS traffic)

Thanks Marcus. I'll tell the customer.
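Added example (not from the bug, pure-ftpd or SUSE): a Python version of the pipelined netcat check from the reproducer above, generalised so the same function verifies a patched FTP server (AUTH TLS followed by QUIT, watching for a cleartext 221) and the SMTP case discussed in the later comments (STARTTLS followed by RSET, watching for a cleartext 250). As Marcus explains, the 220 banner plus the 2xx STARTTLS acknowledgement on their own are the expected, patched result; the stub server, its reply texts and all names here are constructed for the example.

```python
import socket
import threading

def starttls_injection_check(host, port, starttls_cmd=b"AUTH TLS", probe=b"QUIT", timeout=3.0):
    """Send STARTTLS and a follow-up command in ONE write, then collect every
    reply that arrives in cleartext; returns the 3-digit reply codes seen."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(starttls_cmd + b"\r\n" + probe + b"\r\n")
        buf = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:            # server closed (e.g. it honoured QUIT)
                    break
                buf += chunk
        except socket.timeout:           # patched servers sit waiting for TLS records
            pass
    return [ln[:3].decode() for ln in buf.split(b"\r\n")
            if len(ln) >= 3 and ln[:3].isdigit()]

def plaintext_injected(codes, probe_reply="221"):
    """True if the command queued behind STARTTLS was answered in cleartext
    (221 for QUIT on FTP, 250 for RSET on SMTP); banner + STARTTLS ack alone is fine."""
    return probe_reply in codes

# Constructed fixture, not real pure-ftpd: either processes the plaintext queued
# behind AUTH TLS (vulnerable) or discards it and stops reading (patched).
def run_stub_server(vulnerable):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 stub FTP ready\r\n")
        replies = []
        for line in conn.recv(4096).split(b"\r\n"):
            if line == b"AUTH TLS":
                replies.append(b"234 AUTH TLS OK\r\n")
                if not vulnerable:
                    break                # everything after this must be TLS
            elif line == b"QUIT":
                replies.append(b"221 Goodbye\r\n")
        conn.sendall(b"".join(replies))
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real host, call starttls_injection_check(host, 21) for FTP or starttls_injection_check(host, 587, b"STARTTLS", b"RSET") and plaintext_injected(codes, "250") for SMTP; a patched server simply times out after the 2xx acknowledgement.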
all done