Bug 808830 (CVE-2013-1841) - VUL-1: CVE-2013-1841: perl-Net-Server: insufficient hostname access checking
Status: RESOLVED FIXED
Alias: CVE-2013-1841
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/90926/
Whiteboard: CVSSv2:SUSE:CVE-2013-1841:4.3:(AV:N/...
Reported: 2013-03-12 07:04 UTC by Marcus Meissner
Modified: 2024-04-23 13:14 UTC

Description Marcus Meissner 2013-03-12 07:04:06 UTC
is public, via oss-sec

CVE-2013-1841

Date: Mon, 4 Mar 2013 20:31:14 +0100 (CET)
From: Remi Gacogne <rgacogne-bugs@coredump.fr>
Subject: [oss-security] Reverse lookup issue in Net::Server

Hi,

I think there is a security issue in the way the access control feature
of Net::Server (http://search.cpan.org/perldoc?Net%3A%3AServer) works.
Net::Server is used by various projects including Munin, Postgrey and 
SQLgrey.

The issue lies in the fact that the allow / deny access control
does not perform a valid DNS check when given a hostname parameter
and the 'reverse_lookups' option is enabled.
The current code only checks that the incoming connection source IP
address has a reverse DNS matching the given hostname, but does not
check that the hostname resolves back to this source IP address (see
how the $prop->{'peerhost'} property is set in get_client_info(),
lib/Net/Server.pm:553, then used in allow_deny(), lib/Net/Server.pm:597).
As it is trivial for an attacker to be able to set his own
source IP's reverse DNS, the current check is not safe (this probably
matches CWE-807: Reliance on Untrusted Inputs in a Security Decision).

I think that the valid way would be to do the same checks as
Apache HTTPd does for the Allow / Deny directives (see do_double_reverse()
and ap_get_remote_host() in server/core.c for more information):
"It will do a reverse DNS lookup on the IP address to find the
associated hostname, and then do a forward lookup on the hostname
to assure that it matches the original IP address.
Only if the forward and reverse DNS are consistent and the hostname
matches will access be allowed."

At the very least, the documentation of Net::Server should be updated to
specify exactly what is checked by Net::Server access control, as many
people seem to assume that the check is done in the same way as in Apache 
HTTPd.

So far, I have been unable to reach the Net-Server maintainer to discuss 
this matter.

--
Regards,

Remi Gacogne
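
The single and double reverse lookup checks described in the report above, side by side, as an added example that is not part of the original report or of Net::Server's code. The DNS tables, addresses, function names and the use of regex allow patterns are assumptions constructed for illustration; the stub resolvers stand in for real DNS queries so the example runs offline.

```python
import ipaddress
import re

# Constructed DNS data: documentation address ranges and example.org names.
# PTR records are set by whoever controls the source IP's reverse zone.
PTR = {
    "192.0.2.10": "monitor.example.org.",    # the real monitoring host
    "203.0.113.66": "monitor.example.org.",  # untrusted peer claiming the same name
    "2001:db8::1": "monitor.example.org.",
}
# A/AAAA records are set by the owner of example.org.
FWD = {"monitor.example.org": ["192.0.2.10", "2001:0db8:0000:0000:0000:0000:0000:0001"]}


def reverse_lookup(ip):
    """Stub resolver: PTR name for an address, or None."""
    return PTR.get(str(ipaddress.ip_address(ip)))


def forward_lookup(name):
    """Stub resolver: list of addresses for a name (may be empty)."""
    return FWD.get(name.rstrip(".").lower(), [])


def name_allowed(name, patterns):
    """Match the whole hostname, case-insensitively, against allow patterns."""
    host = name.rstrip(".")
    return any(re.fullmatch(p, host, re.IGNORECASE) for p in patterns)


def allow_single(ip, patterns):
    """Check described in the report: the PTR name alone decides."""
    name = reverse_lookup(ip)
    return name is not None and name_allowed(name, patterns)


def allow_double(ip, patterns):
    """Double reverse lookup: the PTR name must also resolve back to the peer."""
    name = reverse_lookup(ip)
    if name is None or not name_allowed(name, patterns):
        return False
    peer = ipaddress.ip_address(ip)
    for addr in forward_lookup(name):
        try:
            # Compare parsed addresses so differing IPv6 spellings still match.
            if ipaddress.ip_address(addr) == peer:
                return True
        except ValueError:
            continue  # ignore malformed resolver output
    return False
```

With the allow pattern `monitor\.example\.org`, `allow_single` accepts 203.0.113.66 because only its PTR record is consulted, while `allow_double` rejects it because the forward zone does not list that address.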
Comment 1 Swamp Workflow Management 2013-03-12 23:00:24 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2013-03-14 07:06:42 UTC
https://rt.cpan.org/Ticket/Display.html?id=83909
Comment 4 Johannes Segitz 2014-04-07 12:50:46 UTC
Can you perhaps ping the upstream ticket system? nothing seems to have happened so far, no new release. (not really important)
Comment 5 SMASH SMASH 2014-04-07 12:55:11 UTC
Affected packages:

SLE-11-SP3: perl-Net-Server
SLE-10-SP3-TERADATA: perl-Net-Server
SLE-9-SP4: perl-Net-Server
SLE-11-SP2: perl-Net-Server
Comment 6 Vítězslav Čížek 2014-04-07 14:37:38 UTC
(In reply to comment #4)
> Can you perhaps ping the upstream ticket system? nothing seems to have happened
> so far, no new release. (not really important)

I just did.
Comment 7 Vítězslav Čížek 2015-08-05 15:14:31 UTC
Still no response to my ping:
https://rt.cpan.org/Public/Bug/Display.html?id=83909#txn-1347684

No activity in the repo since May 12, 2014.
https://github.com/rhandom/perl-net-server/commits/master
Comment 9 Pedro Monreal Gonzalez 2020-07-02 16:57:09 UTC
Still no upstream fix.

JRF, see also:
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702914#36
Comment 10 Pedro Monreal Gonzalez 2023-02-22 10:59:44 UTC
Fixed in the just-released version 2.011:
  * https://rt.cpan.org/Transaction/Display.html?id=2395145
Comment 11 Jason Sikes 2023-03-07 02:57:43 UTC
created request id 291468 for SUSE:SLE-15:Update

created request id 291469 for SUSE:SLE-12:Update

Please note that this change adds a parameter that is disabled by default. To enable, set 'reverse_lookups=double' or 'double_reverse_lookups=1'.
Comment 12 Jason Sikes 2023-03-07 03:06:48 UTC
Patch was sourced from:

https://github.com/rhandom/perl-net-server/commit/dd7c587d44b40a225ad90f7559ebf00967f4e5fc

Transferring over to security-team.
Comment 13 Maintenance Automation 2023-03-15 12:30:01 UTC
SUSE-SU-2023:0746-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 808830
CVE References: CVE-2013-1841
Sources used:
openSUSE Leap 15.4 (src): perl-Net-Server-2.009-150000.3.3.1
Basesystem Module 15-SP4 (src): perl-Net-Server-2.009-150000.3.3.1
SUSE Linux Enterprise Real Time 15 SP3 (src): perl-Net-Server-2.009-150000.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-03-16 12:30:42 UTC
SUSE-SU-2023:0759-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 808830
CVE References: CVE-2013-1841
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): perl-Net-Server-2.007-5.3.1
SUSE Linux Enterprise Server 12 SP5 (src): perl-Net-Server-2.007-5.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): perl-Net-Server-2.007-5.3.1
