Bug#: 176558
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Pierre-Yves Rofes <py@gentoo.org>

Description:   Opened: 2007-04-30 12:02 0000
A vulnerability has been reported in iputils, which can be exploited by
malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error within rarpd when
handling certain packets. This can be exploited to stop the rarpd from
responding by sending specially crafted replies.

Solution:
Use in trusted network environments only.

Provided and/or discovered by:
Reported in a SUSE advisory.

------- Comment #1 From Pierre-Yves Rofes 2007-04-30 12:07:54 0000 -------
cc'ing herd and setting status (It's upstream, but it seems Suse has already
fixed it:
http://lists.suse.com/archive/suse-security-announce/2007-Apr/0007.html )

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-04-30 12:37:06 0000 -------
According to SUSE changelog:

- ipsec-tools remote denial of service 

  A bug in the IKE daemon "racoon" allowed remote attackers to shut 
  down established tunnels (CVE-2007-1841). 

Somehow Secunia missed the CVE reference.

*** This bug has been marked as a duplicate of bug 173219 ***

------- Comment #3 From Pierre-Yves Rofes 2007-04-30 14:05:31 0000 -------
jaervosz: wrt this is not about the "ipsec-tools remote DoS" but the "rarpd
minor DoS". Given that rarpd is part of iputils, this issue still stands I
think.

------- Comment #4 From Sune Kloppenborg Jeppesen 2007-04-30 14:14:21 0000 -------
Oh, it was further down in the Changelog. I mixed up iputils and ipsec-tools
somehow. Thanks for pointing this out Pierre.

base-system please advise and bump as necessary.

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-04-30 14:23:11 0000 -------
Suse has already patched this.

------- Comment #6 From SpanKY 2007-05-05 05:35:38 0000 -------
the rarpd in iputils is fine ... the suse report is talking about
net-misc/rarpd

------- Comment #7 From SpanKY 2007-05-05 05:50:02 0000 -------
i'm not sure we're affected ... the code in question is based on changes that
suse wrote when updating from libnet-1.0 to libnet-1.1 ...

either way, rarpd-1.1-r3 in portage with all of SuSE's fixes

------- Comment #8 From SpanKY 2007-05-05 05:50:17 0000 -------
oops, didn't mean to close

------- Comment #9 From Sune Kloppenborg Jeppesen 2007-05-05 06:34:58 0000 -------
Thx for the clarification Vapier.

If someone has the time I have a POC to test whether we're affected before
calling arches, just poke me.

------- Comment #10 From Raphael Marichez 2007-05-08 21:10:08 0000 -------
(In reply to comment #9)
> Thx for the clarification Vapier.
> 
> If someone has the time I have a POC to test whether we're affected before
> calling arches, just poke me.
> 

i fail to perform any interesting thing with this PoC and rarpd-1.1-r2. The
rarpd daemon memory doesn't grow at all, and it goes on responding. (either the
targeted ether address is in /etc/ethers or not).

I added an adequate entry in /etc/ethers, then i ran rarpd -v, and:

while ((1)); do ./a.out; done

all it is doing is flooding my syslog.

x86, libnet-1.0.2a-r3, libpcap-0.9.5

------- Comment #11 From Sune Kloppenborg Jeppesen 2007-05-19 22:59:48 0000 -------
Since we can't reproduce I call a vote and vote NO GLSA.

------- Comment #12 From Matt Drew 2007-05-20 11:50:49 0000 -------
/vote no, can't reproduce (and rarpd is pretty rare in actual use as it is).

------- Comment #13 From Sune Kloppenborg Jeppesen 2007-05-20 11:55:38 0000 -------
Fixing severity level.

Two NO votes -> Closing with NO GLSA. Feel free to reopen if you disagree.
