(Conectiva Issues Fix) Stunnel Leaked File Descriptor Lets Remote Authenticated Users Hijack the Stunnel Process
|
|
SecurityTracker Alert ID: 1007653 |
|
SecurityTracker URL: http://securitytracker.com/id/1007653
|
|
CVE Reference:
CAN-2003-0740
(Links to External Site)
|
Date: Sep 7 2003
|
Impact:
Modification of system information, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 3.24 and prior versions, 4.00
|
Description:
A vulnerability was reported in Stunnel. A leaked file descriptor allows a remote authenticated user to hijack the Stunnel server process.
It is reported that certain versions of Stunnel leak file descriptors. In particular, the file descriptor returned by the listen function is leaked, according to the report.
A remote authenticated user (with shell-like access on the target system) can fork a process, send a signal to the stunnel process, and then select the leaked file descriptor and write to it to take control of the stunnel process.
A demonstration exploit is provided in the Source Message.
|
Impact:
A remote authenticated user can take control of the stunnel process.
|
Solution:
Conectiva has released a fix.
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/stunnel-3.26-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/stunnel-3.26-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/stunnel-3.26-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/stunnel-3.26-1U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/stunnel-3.26-21517U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/stunnel-3.26-21517U90_1cl.src.rpm
|
Vendor URL: www.stunnel.org/ (Links to External Site)
|
Cause:
Resource error, State error
|
Underlying OS:
Linux (Conectiva)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Fri, 5 Sep 2003 18:13:58 -0300
Subject: [conectiva-updates] [CLA-2003:736] Conectiva Security Announcement - stunnel
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : stunnel
SUMMARY : File descriptor leak and SIGCHLD DoS vulnerabilities
DATE : 2003-09-05 18:09:00
ID : CLA-2003:736
RELEVANT
RELEASES : 7.0, 8, 9
- -------------------------------------------------------------------------
DESCRIPTION
Stunnel is a wrapper for network connections. It can be used to
tunnel an unencrypted network connection over a secure connection
(encrypted using SSL or TLS) or to provide a secure means of
connecting to services that do not natively support encryption.
This update fixes two vulnerabilities that affect stunnel versions
shipped with Conectiva Linux:
1. SIGCHLD Denial of Service (CAN-2002-1563)[1]
Henrik Eriksson found[2] a race in the code that handles the SIGCHLD
signal. This vulnerability affects stunnel when configured to listen
for incoming connections (instead of being invoked by inetd) and to
start a new child process to handle each new connection. A remote
attacker can exploit this vulnerability to bring the tunneled service
down.
2. File descriptor leak (CAN-2003-0740)[3]
Steve Grubb found[4] a file descriptor leak vulnerability in versions
prior to 3.26 of stunnel that allows a local attacker to hijack the
stunnel server.
Since this update brings a new version of stunnel (3.26), several
other fixes and minor changes are included as well[5].
SOLUTION
All stunnel users should upgrade.
Please note that after the upgrade all instances of stunnel and all
active network connections being served by it must be restarted
manually.
REFERENCES:
1.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1563
2.http://marc.theaimsgroup.com/?l=stunnel-users&m=103600188215117&w=2
3.http://www.securityfocus.com/archive/1/335996
4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0740
5.http://www.stunnel.org/news/
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/stunnel-3.26-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/stunnel-3.26-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/stunnel-3.26-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/stunnel-3.26-1U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/stunnel-3.26-21517U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/stunnel-3.26-21517U90_1cl.src.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE/WPyV42jd0JmAcZARApJVAKDBhvm9bXQ8GWEDMCbE0+zPs15K9wCgkdgb
gXbVi8CFgPUMfSCJ4gmADUs=
=yxsa
-----END PGP SIGNATURE-----
|
|
