oss-sec mailing list archives
CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2
From: "Thomas B. Rücker" <thomas () ruecker fi>
Date: Wed, 08 Apr 2015 13:03:24 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A new version of Icecast was released, following the discovery of a remote denial of service vulnerability by Juliane Holzt earlier today. Affected Icecast versions: 2.3.3(first release with stream_auth) 2.4.0 2.4.1 Fix released in: 2.4.2 We do not release fixes for: 2.3.3: EOL 2.4.0: not necessary, as 2.4.1 was a bugfix release for 2.4.0. On 04/08/2015 12:52 PM, "Thomas B. Rücker" wrote:
Today we became aware of a bug in the Icecast code handling source client URL-authentication and are releasing a security fix. The bug was discovered by Juliane Holzt, who we'd like to thank for bringing this to our attention and providing us with further details.
[...]
The bug can only be triggered if "stream_auth" is being used, for example: <mount> <mount-name>/test.ogg</mount-name> <authentication type="url"> <option name="stream_auth" value="http://localhost/auth"/> </authentication> </mount> This means, that all installations that use a default configuration are NOT affected.The default configuration only uses <source-password>. Neither are simple mountpoints affected that use <password>. A workaround, if installing an updated package is not possible, is to disable "stream_auth"and use <password> instead. As far as we understand the bug only leads to a simple remote denial of service. The underlying issue is a null pointer dereference. For clarity: No remote code execution should be possible, server just
segfaults.
Proof of concept: curl "http://example.org:8000/admin/killsource?mount=/test.ogg" If the server is configured as above, then it will segfault.A source client does not need to be connected to that mount point. As Juliane points out: "This only happens when making a request WITHOUT login credentials." This means, that sadly exploiting this does not require any authentication, just the knowledge of a mount point configured with stream_auth. Original Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120 Xiph.org ticket: https://trac.xiph.org/ticket/2191 Sources: http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz SHA256 aa1ae2fa364454ccec61a9247949d19959cb0ce1b044a79151bf8657fd673f4f git-tag: release-2.4.2 As usual there are up to date packages available for most mainstream distributions. We've moved from my personal project to an official Xiph.org project on openSUSE OBS: https://build.opensuse.org/package/show/multimedia:xiph/icecast Individual repositories are here: A copy of the openSUSE OBS multimedia signing key is here: http://icecast.org/multimedia-obs.key The Windows version will be updated later today.
[...]
We are requesting a CVE ID through oss-security and I will update the ticket once we have received it.
Thanks in advance Thomas B. Ruecker Icecast maintainer -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlUlJxsACgkQfkVKO9VkYGno+QCeMgppXgELGbuU8asfEKUH+yn2 XZkAnAx2j9qJPTNOb8+FMnMe5TwLWdYI =f+Dp -----END PGP SIGNATURE-----
Current thread:
- CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2 Thomas B. Rücker (Apr 08)
- Re: CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2 Thomas B. Rücker (Apr 08)
- Re: CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2 cve-assign (Apr 08)