oss-sec mailing list archives

Re: CVE-Request - pen issues


From: cve-assign () mitre org
Date: Thu, 13 Mar 2014 15:40:02 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

webfile = "/tmp/webfile.html";

2> /tmp/penctl.cgi

Use CVE-2014-2387 for both issues involving files in the /tmp directory.


    3.  When a control-socket is configured (via "-C ip:port" added
       to the pen command line) a user who can connect to that port
       can

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370

there is no documentation implying that using a control-socket is
dangerous.

pen.1

-C \fIport\fR
Specifies a control port where the load balancer listens for commands.

This seems to be an opportunity for security improvement, not a
vulnerability. It appears that the design goal was to listen for
commands in a way that could be acceptable on a server with
sufficiently restricted access, and not acceptable in arbitrary
environments. "port where the load balancer listens for commands" seems
sufficiently descriptive for a reasonable person to immediately wonder
who can send commands. Furthermore, the example in question:

  sudo pen 4444 localhost:9000 -C 127.0.0.1:5043

suggests that the person is aware that "a control port" means a TCP
port, not some other type of port with obvious permission-based
restrictions. A CVE assignment could be made if there were an
implementation error (e.g., the user specifies listening on 127.0.0.1
but the code actually listens on all interfaces). A CVE assignment
might also be possible for some types of design problems, but they'd
need to be considerably more surprising and the documentation would
need to be considerably more misleading.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

-----END PGP SIGNATURE-----
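
The implementation error the reply offers as a hypothetical (a control port requested on 127.0.0.1 while the code actually listens on all interfaces) can be checked for by calling getsockname() on the bound socket. The following is an added example, not code from pen or from this message; `parse_spec`, `open_control`, `bound_to_spec` and the `ignore_host` flag are illustrative names, and the spec string is constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse an IPv4 "ip:port" spec. Returns 0 on success, -1 on bad input. */
static int parse_spec(const char *spec, struct sockaddr_in *sa)
{
    char host[INET_ADDRSTRLEN], *end;
    const char *colon = strrchr(spec, ':');
    size_t n = colon ? (size_t)(colon - spec) : 0;
    if (n == 0 || n >= sizeof host) return -1;
    snprintf(host, sizeof host, "%.*s", (int)n, spec);
    long port = strtol(colon + 1, &end, 10);
    if (end == colon + 1 || *end != '\0' || port < 0 || port > 65535) return -1;
    *sa = (struct sockaddr_in){ .sin_family = AF_INET, .sin_port = htons((in_port_t)port) };
    return inet_pton(AF_INET, host, &sa->sin_addr) == 1 ? 0 : -1;
}

/* ignore_host=1 models the hypothetical bug: the address becomes INADDR_ANY. */
static int open_control(const char *spec, int ignore_host)
{
    struct sockaddr_in sa;
    if (parse_spec(spec, &sa) != 0) return -1;
    if (ignore_host) sa.sin_addr.s_addr = htonl(INADDR_ANY);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) || listen(fd, 1)) { close(fd); return -1; }
    return fd;
}

/* 1 if fd is bound to the address in spec, 0 if it is not, -1 on error. */
static int bound_to_spec(int fd, const char *spec)
{
    struct sockaddr_in want, got;
    socklen_t len = sizeof got;
    if (parse_spec(spec, &want) || getsockname(fd, (struct sockaddr *)&got, &len)) return -1;
    return got.sin_addr.s_addr == want.sin_addr.s_addr;
}

int main(void)
{
    const char *spec = "127.0.0.1:0"; /* constructed; port 0 = any free port */
    int ok = open_control(spec, 0), bad = open_control(spec, 1);
    printf("as given: %d, buggy: %d\n", bound_to_spec(ok, spec), bound_to_spec(bad, spec));
    return 0;
}
```

A listener that honours the requested address reports 1; one that silently falls back to INADDR_ANY reports 0, which is the case the reply says could justify a CVE assignment.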

