lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1275423136.3021.737.camel@new-desktop>
Date: Tue, 01 Jun 2010 22:12:16 +0200
From: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: SFCB vulnerabilities

[=] Product overview

SBLIM SFCB is an Open Source implementation of a WBEM CIM broker. WBEM
is a set of technologies aimed to monitor and administer (larges) pools
of computing ressources, applications, hardware. It's used by computers
management tools like HP Systems Insight Manager, VMware vSphere or IBM
Director. SFCB usually listens on TCP ports 5988 (HTTP) or 5989 (HTTPS)
and is used in many Linux distributions and some VMware / Dell products.

[=] Vulnerabilities

* CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow
using a forged Content-Length header

When parsing a HTTP request, SFCB will use any positive Content-Length
value to allocate a buffer. Then, memcpy tries to copy the user-provided
POST data in this buffer. By sending a small value in the Content-Length
header and more data in the POST body, it's possible to overflow the
previously allocated heap buffer.

Vulnerable versions : up to 1.3.7

* CVE-2010-2054 (SFCB bug #3001915) : pre-auth remote integer overflow
using a forged Content-Length header

If the configuration option "httpMaxContentLength" is explicitly set to
0, SFCB will only check that the Content-Length value is positive and
lower than UINT_MAX and use it (adding 8) to allocate a buffer. Then,
memcpy tries to copy the user-provided POST data in this buffer. By
sending a value between UINT_MAX-7 and UINT_MAX-1, it is possible to
overflow a buffer of size 1 to 7.

Vulnerable versions : from 1.3.4 to 1.3.7

[=] Note about VMware products

VMware ESXi 3.5, ESXi 4 and ESX 4 are running by default a modified
version of SFCB (v1.3.3 in ESX 4). However they were tested as non
vulnerable :
- CVE-2010-1937 has been silently patched in WMware products
- CVE-2010-2054 doesn't affect versions lower than 1.3.4
 
[=] Mitigating factors

None :
- SSL authentication isn't used by SFCB
- bugs are triggered before any HTTP-layer credential check
- POST and M-POST are default methods used by WBEM

[=] Vectors

These vulnerabilities can be triggered by default on port TCP/5988
(HTTTP) or TCP/5989 (HTTPS), using POST or M-POST requests.

[=] Solution

Upgrade to version 1.3.8

[=] Links

SBLIM SFCB :
http://sourceforge.net/apps/mediawiki/sblim/index.php?title=Sfcb
WBEM :
http://en.wikipedia.org/wiki/Web-Based_Enterprise_Management

CVE-2010-1937 : 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1937
CVE-2010-2054 : 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2054

SFCB bug #3001896 : 
http://sourceforge.net/tracker/?func=detail&aid=3001896&group_id=128809&atid=712784
SFCB bug #3001915 : 
http://sourceforge.net/tracker/?func=detail&aid=3001915&group_id=128809&atid=712784
 

Regards,
Nicolas Grégoire / Agarri

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ