Home » Mailing list archives » netbsd-announce » 2008 » October » 27

NetBSD Security Advisory 2008-014: Cross-site request forgery in ftpd(8)

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: NetBSD Security-Officer <security-officer@...>
To: <netbsd-announce@...>
Subject: NetBSD Security Advisory 2008-014: Cross-site request forgery in ftpd(8)
Date: Monday, October 27, 2008 - 6:46 pm

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1


		 NetBSD Security Advisory 2008-014

		 =================================


Topic:		Cross-site request forgery in ftpd(8)


Version:	NetBSD-current:		affected

		NetBSD 4.0.*:		not affected

		NetBSD 4.0:		affected

		NetBSD 3.1.*:		affected

		NetBSD 3.1:		affected

		NetBSD 3.0.*:		affected

		NetBSD 3.0:		affected


Severity:	Cross-site request forgery


Fixed:		NetBSD-current:		September 13, 2008

		NetBSD-4-0 branch:	September 18, 2008

			(4.0.1 includes the fix)

		NetBSD-4 branch:	September 18, 2008

			(4.1 will include the fix)

		NetBSD-3-1 branch:	September 18, 2008

			(3.1.2 will include the fix)

		NetBSD-3-0 branch:	September 18, 2008

			(3.0.4 will include the fix)

		NetBSD-3 branch:	September 18, 2008

			(3.2 will include the fix)

		pkgsrc:			tnftpd-20081009 corrects the issue


Abstract

========


When accessing NetBSD servers running ftpd(8) certain commands can aide

attackers in executing CSRF attacks when e.g. using a web browser to

access ftp servers.


This vulnerability has been assigned CVE-2008-4247.


Technical Details

=================


When accessing NetBSD servers running ftpd(8) long commands are split

into multiple requests which can result in CSRF attacks.


Solutions and Workarounds

=========================


Only NetBSD systems with ftpd(8) enabled may be vulnerable to this issue.

ftpd(8) is not enabled by default in NetBSD generic installations.

As a temporary workaround disable ftpd(8) from the base OS and use the

tnftpd-20081009 package from pkgsrc which contains a fix.


The following instructions describe how to upgrade your ftpd

binaries by updating your source tree and rebuilding and installing

a new version of ftpd.


* NetBSD-current:


	Systems running NetBSD-current dated from before 2008-09-13

	should be upgraded to NetBSD-current dated 2008-09-14 or later.


	The following files/directories need to be updated from the

	netbsd-current CVS branch (aka HEAD):

		libexec/ftpd


	To update from CVS, re-build, and re-install ipsec-tools:


		# cd src

		# cvs update -d -P libexec/ftpd

		# cd libexec/ftpd

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install


* NetBSD 4.*:


	Systems running NetBSD 4.* sources dated from before

	2008-09-18 should be upgraded from NetBSD 4.* sources dated

	2008-09-19 or later.


	The following files/directories need to be updated from the

	netbsd-4 or netbsd-4-0 branches:

		libexec/ftpd


	To update from CVS, re-build, and re-install ipsec-tools:


		# cd src

		# cvs update -r  -d -P libexec/ftpd

		# cd libexec/ftpd

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install


* NetBSD 3.*:


	Systems running NetBSD 3.* sources dated from before

	2008-09-18 should be upgraded from NetBSD 3.* sources dated

	2008-09-19 or later.


	The following files/directories need to be updated from the

	netbsd-3, netbsd-3-0 or netbsd-3-1 branches:

		libexec/ftpd


	To update from CVS, re-build, and re-install ipsec-tools:


		# cd src

		# cvs update -r  -d -P libexec/ftpd

		# cd libexec/ftpd

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install


Thanks To

=========

Maksymilian Arciemowicz is credited with the discovery of this issue.

Luke Mewburn for supplying the fixes and testing.


Revision History

================


	2008-10-27	Initial release


More Information

================


Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at

  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.tx...


Information about NetBSD and NetBSD security can be found at

http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.

Redistribution permitted only in full, unmodified form.


$NetBSD: NetBSD-SA2008-014.txt,v 1.4 2008/10/27 19:47:39 adrianp Exp $


-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.9 (NetBSD)


iQCVAwUBSQYcLz5Ru2/4N2IFAQL2bwP+OH9WZ4nyrTK51+t/Xh1zgMi6dS6xu0hx

Cz8EtOKgOp062a0r87ZXk3fKBzKewsc4LHPXwsmL5wRJ6UqoosvZUFEOVXsnxR1I

7i212TLph2WKQ09aeu87Z5u6ABCoIvTqxPUfX8G+v4zg71dlkwr/2hpk6KSl5apc

qw1m1Cy1X7g=

=Motz

-----END PGP SIGNATURE-----
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
NetBSD Security Advisory 2003-001: Encryption weakness in Op..., NetBSD Security Officer, (Tue Mar 4, 2:31 am)
Summary of Changes to the NetBSD Packages Collection in July..., Alistair Crooks, (Mon Sep 1, 2:51 am)
NetBSD Security Advisory 2004-003: OpenSSL 0.9.6 ASN.1 parse..., NetBSD Security-Officer, (Thu Feb 19, 9:36 am)
NetBSD Security Advisory 2008-014: Cross-site request forger..., NetBSD Security-Officer, (Mon Oct 27, 6:46 pm)
Planned network outage for netbsd.org servers Sat Aug 8th 16..., S.P.Zeidler, (Thu Aug 6, 3:21 am)
End of life for the NetBSD 1.5 branch, James Chacon, (Thu Jan 27, 12:04 am)
NetBSD Security Advisory 2005-006: Multiple vulnerabilities ..., NetBSD Security-Officer, (Mon Nov 7, 6:57 pm)
NetBSD Security Advisory 2009-002: tcpdump multiple denial o..., NetBSD Security Officer, (Tue Jun 23, 4:59 pm)
NetBSD Security Advisory 2008-006: Integer overflow in strfm..., NetBSD Security-Officer, (Mon Apr 21, 6:28 pm)
NetBSD 4.0 Release Candidate 3 available for download, Pavel Cahyna, (Fri Oct 19, 2:51 am)
Announcing NetBSD and the Google "Summer of Code" Projects 2..., Hubert Feyrer, (Thu May 25, 6:28 pm)
OpenBSD moderation removal, Christos Zoulas, (Tue Jul 30, 10:54 am)
NetBSD Bugathon: Not quite dead, Elad Efrat, (Sun Sep 24, 7:45 pm)