
Bug 38934

Summary: Honeyd Security Advisory 2004-001: Remote Detection Via Simple Probe Packet (effect all honeyd versions < 0.8)
Product: Gentoo Security Reporter: Michael Boman (RETIRED) <mboman>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal Keywords: SECURITY
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.honeyd.org/
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Boman (RETIRED) gentoo-dev 2004-01-21 09:49:31 UTC
Honeyd Security Advisory 2004-001
=================================

Topic:    Remote Detection Via Simple Probe Packet

Version:  All versions prior to Honeyd 0.8

Severity: Identification of Honeyd installations allows an
          adversary to launch attacks specifically against
          Honeyd.  No remote root exploit is currently known.

Details:
=========

Honeyd is a virtual honeypot daemon that can simulate virtual hosts on
unallocated IP addresses.

A bug in handling NMAP fingerprints caused Honeyd to reply to TCP
packets with both the SYN and RST flags set.  Watching for replies, it
is possible to detect IP addresses simulated by Honeyd.

Although there are no public exploits known for Honeyd, the detection
of Honeyd IP addresses may in some cases be undesirable.

Solutions:
==========

A new version of Honeyd has been released to address this issue.
The source code for Honeyd 0.8 can be downloaded from

  http://www.citi.umich.edu/u/provos/honeyd/

In addition, Honeyd 0.8 drops privileges if permitted by the
configuration file and contains command line flags to force dropping
of privileges.

Nonetheless, it is suggested to run Honeyd in a chroot environment
under a sandbox like Systrace.

Thanks To
=========

Anonymous for information about the detection problem.

More Information:
=================

More information on Honeyd can be found at

  http://www.honeyd.org/
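The advisory's whole fingerprint is a reply carrying SYN and RST together, a combination no real TCP stack emits. The following is an added example (not part of the advisory or of Honeyd) that parses raw TCP headers and flags such replies, so an operator can audit captured replies from their own honeypot after upgrading, or feed the same check to an IDS; the header builder and sample replies are constructed here for illustration.

```python
import struct

# TCP flag bits as they appear in byte 13 of the header (RFC 793)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_flags(tcp_header: bytes) -> int:
    """Return the flag byte from a raw TCP header (at least 20 bytes)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    # Byte 12 holds data offset/reserved bits; byte 13 holds CWR..FIN.
    return tcp_header[13]


def is_syn_rst_reply(tcp_header: bytes) -> bool:
    """True when SYN and RST are both set: the pre-0.8 Honeyd tell-tale."""
    flags = tcp_flags(tcp_header)
    return bool(flags & TCP_SYN) and bool(flags & TCP_RST)


def build_tcp_header(sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Constructed 20-byte TCP header with no options; checksum left zero."""
    offset_byte = 5 << 4            # data offset = 5 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_byte, flags, 65535, 0, 0)


# Constructed sample replies a honeypot might send to a probe on port 80
NORMAL_SYNACK = build_tcp_header(80, 40000, TCP_SYN | TCP_ACK, seq=1, ack=1)
NORMAL_RST = build_tcp_header(80, 40000, TCP_RST | TCP_ACK, ack=1)
BUGGY_REPLY = build_tcp_header(80, 40000, TCP_SYN | TCP_RST)


def audit_replies(replies):
    """Return indices of replies that would reveal a pre-0.8 Honeyd."""
    return [i for i, hdr in enumerate(replies) if is_syn_rst_reply(hdr)]


if __name__ == "__main__":
    print(audit_replies([NORMAL_SYNACK, NORMAL_RST, BUGGY_REPLY]))  # [2]
```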
Comment 1 Michael Boman (RETIRED) gentoo-dev 2004-01-21 10:23:18 UTC
net-analyzer/honeyd 0.8 was just committed to CVS. GLSA write-up is in progress.
Comment 2 Michael Boman (RETIRED) gentoo-dev 2004-01-21 10:36:54 UTC
Tried to create a GLSA with http://dev.gentoo.org/~plasmaroo/glsa-test/, but it seems to have failed with:

Warning:  Could not commit GLSA to pool; this is currently being worked on as the server Apache configuration does not permit writing to my home directory!

Below is the XML output that the "Confirm" function spat out (from the same webpage):

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

<glsa id="INSERT-ID-HERE">
  <title>Honeyd Remote Detection Via Simple Probe Packet</title>
  <synopsis>
    Identification of Honeyd installations allows an adversary to launch
    attacks specifically against Honeyd.  No remote root exploit is currently
    known.
  </synopsis>
  <product type="ebuild">honeyd</product>
  <announced>January 21, 2004</announced>
  <revised>January 21, 2004: 01</revised>
  <bug>38934</bug>
  <access>remote</access>
  <affected>
    <package name="net-analyzer/honeyd" auto="yes" arch="*">
      <unaffected range="eq">0.8</unaffected>
      <vulnerable range="lt">0.8</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    Honeyd is a virtual honeypot daemon that can simulate virtual hosts on
    unallocated IP addresses.
    </p>
  </background>
  <description>
    <p>
    A bug in handling NMAP fingerprints caused Honeyd to reply to TCP
    packets with both the SYN and RST flags set.  Watching for replies, it is
    possible to detect IP addresses simulated by Honeyd.
    </p>
  </description>
  <impact type="low">
    <p>
    Although there are no public exploits known for Honeyd, the detection
    of Honeyd IP addresses may in some cases be undesirable.
    </p>
  </impact>
  <workaround>
    <p>
    Honeyd 0.8 has been released to address this issue. In addition, Honeyd
    0.8 drops privileges if permitted by the configuration file and contains
    command line flags to force dropping of privileges.
    </p>
  </workaround>
  <resolution>
    <p>
    Update to honeyd version 0.8
    
    # emerge sync
    # emerge =net-analyzer/honeyd-0.8
    
    </p>
  </resolution>
  <references>
    <uri link="http://www.honeyd.org/adv.2004-01.asc">Honeyd Security Advisory 2004-001</uri>
  </references>
</glsa>
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2004-01-21 11:11:24 UTC
I've slightly changed the XML [ http://dev.gentoo.org/~plasmaroo/glsa-test/frame-view.php?id=200401-02 ] and used a ">=" operator instead of "==" and put <code> tags around the emerge commands. Looks fine otherwise. Ned, can you approve this and I'll send this out?
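The difference between `range="eq"` and `range="ge"` on the `<unaffected>` element matters once a later honeyd version ships: with `eq` only 0.8 exactly is recognised as safe. Below is an added example (not Gentoo's glsa-check, and a simplified version of its range logic) that evaluates a package's status against a constructed `<affected>` block modelled on the XML above, with the operator left as a template parameter so both variants can be compared.

```python
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the <affected> block posted in this bug;
# {op} is filled with "eq" (as first drafted) or "ge" (as sent out).
GLSA_TEMPLATE = """<glsa id="EXAMPLE-ID">
  <affected>
    <package name="net-analyzer/honeyd" auto="yes" arch="*">
      <unaffected range="{op}">0.8</unaffected>
      <vulnerable range="lt">0.8</vulnerable>
    </package>
  </affected>
</glsa>"""


def parse_version(v: str) -> tuple:
    """Split a dotted version into (number, suffix) pairs; handles 0.7a."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append((int(digits or 0), piece[len(digits):]))
    return tuple(parts)


def in_range(installed: str, op: str, bound: str) -> bool:
    """Evaluate a GLSA range operator (lt/le/eq/ge/gt) for one version."""
    a, b = parse_version(installed), parse_version(bound)
    return {"lt": a < b, "le": a <= b, "eq": a == b,
            "ge": a >= b, "gt": a > b}[op]


def package_status(glsa_xml: str, pkg: str, installed: str) -> str:
    """Return 'unaffected', 'vulnerable', 'unknown' or 'not-listed'."""
    root = ET.fromstring(glsa_xml)
    for p in root.iter("package"):
        if p.get("name") != pkg:
            continue
        # An unaffected match wins over a vulnerable match, as in glsa-check
        for u in p.findall("unaffected"):
            if in_range(installed, u.get("range"), u.text.strip()):
                return "unaffected"
        for v in p.findall("vulnerable"):
            if in_range(installed, v.get("range"), v.text.strip()):
                return "vulnerable"
        return "unknown"   # listed, but no range covers this version
    return "not-listed"
```

With `eq`, an installed 0.9 is neither unaffected nor vulnerable and reports `unknown`; with `ge` it is correctly `unaffected`.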
Comment 4 solar (RETIRED) gentoo-dev 2004-01-21 11:56:18 UTC
Are there any steps that should be performed in upgrading the conf files? Like does the user need to run an etc-update or anything?

If not then it looks good to go.
Comment 5 Michael Boman (RETIRED) gentoo-dev 2004-01-21 12:12:22 UTC
honeyd does not come with any standard configuration files at all. I have included tons of examples from the 0.7a release, but so far it doesn't even come with an init script. This is to limit the exposure of "this is a gentoo box that just installed honeyd" stuff.. Believe it or not, most people do not play with the configs if they really don't have to.

So no, no etc-update stuff to take care of.
Comment 6 solar (RETIRED) gentoo-dev 2004-01-21 12:15:24 UTC
Ok changing Product: to GLSA.. 
Send when ready plasmaroo.
Comment 7 Tim Yamin (RETIRED) gentoo-dev 2004-01-21 13:00:16 UTC
Done - sent and the XML is now in CVS and will be on the website whenever the next cycle happens.

http://lists.netsys.com/pipermail/full-disclosure/2004-January/015995.html