
Bug 461494 (CVE-2013-1841)

Summary: dev-perl/Net-Server: Reverse lookup issue (CVE-2013-1841)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: minor
CC: kentnl, perl
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2013/03/04/10
See Also: https://rt.cpan.org/Public/Bug/Display.html?id=83909
Whiteboard: B4 [upstream+]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-03-12 08:58:02 UTC
From ${URL} :

I think there is a security issue in the way the access control feature
of Net::Server (http://search.cpan.org/perldoc?Net%3A%3AServer) works.
Net::Server is used by various projects including Munin, Postgrey and 
SQLgrey.

The issue lies in the fact that the allow / deny access control
does not perform a valid DNS check when given a hostname parameter
and the 'reverse_lookups' option is enabled.
The current code only checks that the incoming connection source IP
address has a reverse DNS matching the given hostname, but does not
check that the hostname resolves back to this source IP address (see
how the $prop->{'peerhost'} property is set in get_client_info(),
lib/Net/Server.pm:553, then used in allow_deny(), lib/Net/Server.pm:597).
As it is trivial for an attacker to be able to set his own
source IP's reverse DNS, the current check is not safe (this probably
matches CWE-807: Reliance on Untrusted Inputs in a Security Decision).

I think that the valid way would be to do the same checks as
Apache HTTPd does for the Allow / Deny directives (see do_double_reverse()
and ap_get_remote_host() in server/core.c for more information):
"It will do a reverse DNS lookup on the IP address to find the
associated hostname, and then do a forward lookup on the hostname
to assure that it matches the original IP address.
Only if the forward and reverse DNS are consistent and the hostname
matches will access be allowed."

At the very least, the documentation of Net::Server should be updated to
specify exactly what is checked by Net::Server access control, as many
people seem to assume that the check is done in the same way as in Apache
HTTPd.
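
The double-reverse check the description asks for, shown as an added Perl example; it is not Net::Server's code and not part of the original report. The helper names, the injected resolver callbacks and the sample records (documentation address ranges) are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use Socket qw(getaddrinfo getnameinfo inet_pton AF_INET AF_INET6
              SOCK_STREAM NI_NUMERICHOST NI_NAMEREQD AI_NUMERICHOST);

# Compare addresses in packed form so textual variants of one IP still match.
sub packed_ip { my ($ip) = @_; return inet_pton($ip =~ /:/ ? AF_INET6 : AF_INET, $ip) }

# Return the peer's hostname only if PTR(ip) = name AND A/AAAA(name) contains ip.
sub confirmed_peerhost {
    my ($ip, $reverse, $forward) = @_;
    my $want = packed_ip($ip);
    my $name = defined $want ? $reverse->($ip) : undef;
    return undef unless defined $name;
    for my $fwd ($forward->($name)) {
        my $got = packed_ip($fwd);
        return lc $name if defined $got && $got eq $want;
    }
    return undef;    # reverse name not confirmed by a forward lookup
}

# Resolver callbacks backed by the system resolver; pass these for live DNS.
sub system_reverse {
    my ($err, @res) = getaddrinfo($_[0], undef, { flags => AI_NUMERICHOST, socktype => SOCK_STREAM });
    return undef if $err || !@res;
    my ($nerr, $host) = getnameinfo($res[0]{addr}, NI_NAMEREQD);
    return $nerr ? undef : $host;
}
sub system_forward {
    my ($err, @res) = getaddrinfo($_[0], undef, { socktype => SOCK_STREAM });
    return () if $err;
    return grep { defined } map { (getnameinfo($_->{addr}, NI_NUMERICHOST))[1] } @res;
}

# Constructed sample records, not real DNS data. The PTR record for
# 203.0.113.7 is controlled by whoever owns that address block.
my %ptr = ('192.0.2.10'  => 'trusted.example.org',
           '203.0.113.7' => 'trusted.example.org');
my %fwd = ('trusted.example.org' => ['192.0.2.10']);
my $rev = sub { $ptr{ $_[0] } };
my $for = sub { @{ $fwd{ $_[0] } // [] } };
my $allow = qr/^trusted\.example\.org$/;    # hostname rule in the allow list

for my $ip ('192.0.2.10', '203.0.113.7') {
    my $naive   = $rev->($ip) // '';                            # reverse lookup only
    my $checked = confirmed_peerhost($ip, $rev, $for) // '';    # forward-confirmed
    printf "%-12s reverse-only: %-5s forward-confirmed: %s\n", $ip,
        ($naive =~ $allow ? 'allow' : 'deny'), ($checked =~ $allow ? 'allow' : 'deny');
}
```

With the constructed records, the reverse-only match accepts both addresses, while the forward-confirmed match accepts only 192.0.2.10.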
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2014-11-30 22:28:01 UTC
See also https://rt.cpan.org/Public/Bug/Display.html?id=83909
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-03-15 08:14:55 UTC
Package removed from tree per [1].

[1]: https://archives.gentoo.org/gentoo-dev/message/b3b302aae2c6bf249f11995bbc4ec5a4
Comment 3 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2016-03-15 12:36:56 UTC
Wasn't really removed, was renamed to dev-perl/Net-Server to track upstream naming. 

So that means this is still an issue in my understanding.

Sorry for the confusion.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2017-01-20 23:28:09 UTC
Nothing upstream, nothing at Debian, nothing at Red Hat
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-04-19 22:36:59 UTC
Should anything ever happen, then maybe here:
 https://github.com/rhandom/perl-net-server
Comment 6 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-11-25 03:32:37 UTC
Upstream have cut a new release in August 2017, alas, nothing in it fixes this issue as far as I can tell.