Bug 1176437 (CVE-2020-6097) - VUL-0: CVE-2020-6097: atftp: An exploitable denial of service vulnerability exists in the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1. A specially crafted sequence of RRQ-Multicast requests trigger an assert() call resulting
Summary: VUL-0: CVE-2020-6097: atftp: An exploitable denial of service vulnerability e...
Status: RESOLVED FIXED
Alias: CVE-2020-6097
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/267097/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-6097:7.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-11 06:01 UTC by Marcus Meissner
Modified: 2024-05-07 12:41 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2020-09-11 06:01:48 UTC 
CVE-2020-6097

An exploitable denial of service vulnerability exists in the atftpd daemon
functionality of atftp 0.7.git20120829-3.1+b1. A specially crafted sequence of
RRQ-Multicast requests trigger an assert() call resulting in denial-of-service.
An attacker can send a sequence of malicious packets to trigger this
vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6097
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-6097.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6097
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
Comment 1 Pedro Monreal Gonzalez 2020-10-01 08:20:39 UTC 
I can't reproduce the failure yet with a multicast read request:

$ atftp --trace --option multicast --get -r $file $ip
Trace mode on.
Option multicast = 
sent RRQ <file: kk, mode: octet <multicast: >>
timeout: retrying...
[...]
tftp: aborting
Comment 2 Pedro Monreal Gonzalez 2020-10-01 08:25:39 UTC 
The bug report shows a 33 errno. I'll try a "too large argument" to try to trigger it.
Comment 3 Marcus Meissner 2020-10-21 11:59:28 UTC 
any updates?
Comment 4 Pedro Monreal Gonzalez 2020-10-21 12:09:54 UTC 
(In reply to Marcus Meissner from comment #3)
> any updates?

I couldn't reproduce it and there is not much info about how to do that from upstream. I'll try other approach. Fuzzers and compile options...
Comment 5 Pedro Monreal Gonzalez 2020-10-21 15:03:32 UTC 
None of the SLE codestreams are affected by this bug, as we ship version 0.7.0 there and the function sockaddr_print_addr() is not present and there is also no assert() function call.

In TW and Leap 15.2, we ship version 0.7.2 that has this function but I still can't reproduce it.
Comment 6 Marcus Meissner 2020-10-21 15:12:29 UTC 
i will mark SLE as not affected for now.
Comment 8 Pedro Monreal Gonzalez 2020-10-21 18:08:38 UTC 
And a test case:
   https://sourceforge.net/u/peterkaestle/atftp/ci/b39751cd542750e4a364c97cd7d5eb2758a2f998/
Comment 9 Pedro Monreal Gonzalez 2020-10-21 18:41:29 UTC 
Factory submission:
   https://build.opensuse.org/request/show/843270

Leap 15.2 submission:
   https://build.opensuse.org/request/show/843271
Comment 11 Swamp Workflow Management 2020-10-25 20:13:21 UTC 
openSUSE-SU-2020:1736-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1176437
CVE References: CVE-2020-6097
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    atftp-0.7.2-lp152.2.3.1
Comment 12 OBSbugzilla Bot 2021-06-25 08:50:24 UTC 
This is an autogenerated message for OBS integration:
This bug (1176437) was mentioned in
https://build.opensuse.org/request/show/902297 15.3 / atftp
https://build.opensuse.org/request/show/902298 Backports:SLE-15-SP2 / atftp