oss-sec mailing list archives
Re: CVE Request -- vsftpd -- Do not create network namespace per connection
From: Eugene Teo <eugene () redhat com>
Date: Tue, 07 Jun 2011 07:19:14 +0800
On 06/07/2011 12:19 AM, Jan Lieskovsky wrote:
Hello, Josh, Steve, vendors, It was found that vsftpd, Very Secure FTP daemon, when the network namespace (CONFIG_NET_NS) support was activated in the kernel, used to create a new network namespace per connection. A remote attacker could use this flaw to cause a memory pressure and denial of the vsftpd service. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629373 [2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095 [3] https://bugzilla.redhat.com/show_bug.cgi?id=711134 This one being a bit tricky one -- from my understanding of the issue, vsftpd doesn't necessarily have a security flaw on its side. It's kernel issue / bug, which allows this to be used for vsftpd DoS: [4] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095/comments/31 [5] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095/comments/32 Short-term solution would be probably to address this on the vsftpd side, the long-term one then being to get this fixed in kernel. Though not sure, how it would be wrt to CVE identifier(s) assignment. Steve, could you advice here?
It is worth noting that for a local, unprivileged user to trigger this, they will need to have the CAP_SYS_ADMIN capability. So this limits the attack to some services like vsftpd. I see this more of a kernel issue as configuring vsftpd to set isolate_network=NO is not a long-term solution. Thanks, Eugene
Current thread:
- CVE Request -- vsftpd -- Do not create network namespace per connection Jan Lieskovsky (Jun 06)
- Re: CVE Request -- vsftpd -- Do not create network namespace per connection Greg KH (Jun 06)
- Re: CVE Request -- vsftpd -- Do not create network namespace per connection Chris Evans (Jun 06)
- Re: CVE Request -- vsftpd -- Do not create network namespace per connection Jan Lieskovsky (Jun 06)
- Re: CVE Request -- vsftpd -- Do not create network namespace per connection Josh Bressers (Jun 06)
- Re: CVE Request -- vsftpd -- Do not create network namespace per connection Eugene Teo (Jun 06)