Re: Fail2ban 0.8.9, Denial of Service (Apache rules only)

[Yves-Alexis Perez <corsac () debian org>]

Can someone assign a CVE for this fail2ban issue?

On sam., 2013-06-08 at 07:44 +0200, Krzysztof Katowicz-Kowalewski wrote:
> Version 0.8.9 (latest) of Fail2ban allows to perform remote denial of
> service for arbitrary chosen IP address. Address listed on Fail2ban's
> whitelist are not affected. The vulnerability exists in Apache rules
> and it is caused by improper validation of a log file by regular
> expression. Malicious user can easily inject his own data to analyzed
> logs and deceive monitoring engine.
>
> Affected files:
> /filter.d/apache-auth.conf
> /filter.d/apache-nohome.conf
> /filter.d/apache-noscript.conf
> /filter.d/apache-overflows.conf
>
> Time frames:
> 01.06.2013 - Cyril Jaquier (contact section) has been informed about the vulnerability (no response)
> 08.06.2013 - The vulnerability has been released to the public.
>
> More information, including proof of concept and patches is available here:
> https://vndh.net/note:fail2ban-089-denial-service

Thanks in advance,
-- 
Yves-Alexis

Attachment: signature.asc
Description: This is a digitally signed message part