Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 75941 - net-misc/hylafax: hfaxd unauthorized login vulnerability
Summary: net-misc/hylafax: hfaxd unauthorized login vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa] koon 20050111
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-28 12:51 UTC by Thierry Carrez (RETIRED)
Modified: 2005-01-11 08:36 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
hylafax-hostvuln.patch (hylafax-hostvuln.patch,2.05 KB, patch)
2004-12-28 12:54 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 12:51:38 UTC
----------------------------------------
HylaFAX security advisory
11 Jan 2005

Subject:  HylaFAX hfaxd unauthorized login vulnerability

Introduction:
HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages.  It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX.  See http://www.hylafax.org

Problem Description and Impact:
HylaFAX hfaxd authenticates users against the hosts.hfaxd database.  The first field of a hosts.hfaxd database entry (the "client") has a syntax of "^username@hostname$" where "username" is supplied during the hfaxd protocol exchange, and "hostname" is the official host name or the dotted IP address.  Regular expressions are used to match usernames, hostnames, and addresses.  By tradition, if the entry does not have the "@" in it, then the entry field is understood to be the full hostname or full dotted IP address - authenticating any user from the specified host.
The problem is that hfaxd always authenticates against the hosts.hfaxd entry by comparing the string "username@hostname" with the client field, irrespective of the formatting of the hosts.hfaxd client field.  If there is a match (regex) between the string and the client field and no password is required (a subsequent entry field), then the login succeeds.  Thus, if an attacker can guess hosts.hfaxd entries that do not contain passwords (and most HylaFAX installations will likely contain "localhost" and "127.0.0.1"), then hfaxd will authenticate the attacker's login attempts if the attacker merely uses a username or configures their hostname to match the hosts.hfaxd entry.  Because hfaxd did not verify that hostnames outside of the local domain matched their resolved addresses before trusting them, "localhost" entries are therefore particularly vulnerable to "DNS spoofing".
All HylaFAX versions as far back as 4.0pl0 (1996) are vulnerable to unauthorized remote access of HylaFAX services when there are hosts.hfaxd entries without passwords.  HylaFAX installations are likely to have hosts.hfaxd entries without passwords, as it is the default.

Status:
HylaFAX.org has released HylaFAX version 4.2.1 which includes changes to hfaxd to keep it from erroniously matching usernames against hostname entries and verifying that hostnames match their resolved addresses before trusting them.  All HylaFAX users are strongly encouraged to upgrade.  The HylaFAX 4.2.1 source code is available at ftp://ftp.hylafax.org/source/hylafax-4.2.1.tar.gz
In the event that upgrading to 4.2.1 is not appropriate, the patch to fix HylaFAX hfaxd is available at http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=610
In the event that both patching and upgrading are not possible then firewalling techniques restricting access to port 4559 are strongly encouraged.  Administrators may also consider adding passwords to all entries in the hosts.hfaxd database that do not contain them.
Although no abuse of this vulnerability is known to HylaFAX development, recent postings to the public HylaFAX.org mailing lists have indicated problems with hosts.hfaxd entries that are associated with this vulnerability.  As any serious investigation into the nature of those problems would expose the vulnerability, this prompt response has been made.

Effect:
Some HylaFAX installations may actually utilize the weak hostname and username validation for authorized uses, although contrary to hosts.hfaxd documentation.  For example, hosts.hfaxd entries that may be common are

  192.168.0
  username:uid:pass:adminpass
  user@host

After updating, these entries will need to be changed in order to continue to function.  Respectively, the correct entries should be

  192.168.0.[0-9]+
  username@:uid:pass:adminpass
  user@host

Unless such maching of "username" with "otherusername" and "host" with "hostname" is desired, the proper form of these entries should include the delimiter and markers like this

  @192.168.0.[0-9]+$
  ^username@:uid:pass:adminpass
  ^user@host$

Thanks:
Many thanks go to Patrice Fournier of iFAX Solutions for discovery of the vulnerability (24 December) and the controlled reporting of it.  Thanks also go to Aidan Van Dyk of iFAX Solutions, whom I assisted, for developing the final fix (28 December).

Lee Howard
HylaFAX developer
------------------------------
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 12:53:00 UTC
Coordinated disclosure on 11 Jan 2005.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 12:54:18 UTC
Created attachment 47051 [details, diff]
hylafax-hostvuln.patch

Patch for 4.2.0
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-03 03:03:34 UTC
Another confidential vulnerability for you, Steve...

You need to prepare and test and new ebuild for hylafax with the attached patch, but please do not commit it to CVS, it must remain confidential for now. You can attach a tar with everything (ebuild and patch file) to this bug, and we'll call specific people in arches to test it so that hopefully it can be committed stable on the coordinated release date.
Comment 4 Mike Doty (RETIRED) gentoo-dev 2005-01-05 18:05:42 UTC
--- hylafax-4.2.0-r1.ebuild.orig        2005-01-05 20:03:46.120374101 -0600
+++ hylafax-4.2.0-r1.ebuild     2005-01-05 20:04:48.900910664 -0600
@@ -33,6 +33,7 @@
        epatch ${FILESDIR}/${P}-faxcron_uid.patch
        epatch ${FILESDIR}/${P}-tiff_version.patch
        epatch ${FILESDIR}/configure-gcc-3.4.patch
+       epatch ${FILESDIR}/hylafax-hostvuln.patch
 }
 
 src_compile() {

this works on amd64.  I won't commit it to the tree per your request
Comment 5 Steve Arnold archtester gentoo-dev 2005-01-05 19:06:51 UTC
The patch tests out on x86 okay as well.  I leave for a conference on Saturday, 
so KingTaco will commit the -r2 ebuild if we don't do it before I leave.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-01-06 00:57:33 UTC
Weeve or Gustavo: could you please test the patched ebuild and ensure it builds properly (and works) on sparc too ?

Guy: You can also test for hppa and report success/failure here.

The idea is to commit 4.2.0-r2 directly as KEYWORDS="x86 sparc hppa ~alpha ~amd64 ~ppc" on 2005/01/11.
Comment 7 Guy Martin (RETIRED) gentoo-dev 2005-01-06 12:47:03 UTC
I had to add a -fPIC fix to make it compile on my hppa. I've added it for all arches (see #55238).
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-01-10 01:55:30 UTC
Everyone : would be a good thing to be ready for the big date tomorrow with that one.

weeve/gustavoz: please test on sparc and report success
kingtaco: will you be available and ready to commit it tomorrow ?
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-10 05:10:25 UTC
Green light for sparc.
Comment 10 Mike Doty (RETIRED) gentoo-dev 2005-01-10 06:42:44 UTC
just let me know when you want it to go in, I'll be available after 1700 CST(gmt-6)
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-01-11 00:37:04 UTC
kingtaco: it might be a good idea to add an ewarn about the hosts.hfaxd file losing backward compatibility. See "effect" in the Hylafax advisory draft.

It's not up on the Hylafax site yet, so we must wait for the time being.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2005-01-11 03:23:20 UTC
http://www.hylafax.org/cgi-bin/cvsweb.cgi/~checkout~/CHANGES

* fix CAN-2004-1182: hfaxd client/server authentication
  vulnerability (10 Jan 2005)
[...]
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-01-11 07:20:11 UTC
It's officially out :
http://marc.theaimsgroup.com/?l=hylafax&m=110545119911558&w=2

kingtaco: please commit the 4.2.0-r2 ebuild ASAP with KEYWORDS="x86 sparc hppa ~alpha ~amd64 ~ppc"
Comment 14 Mike Doty (RETIRED) gentoo-dev 2005-01-11 07:36:08 UTC
in cvs, stable on amd64 as well.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-01-11 08:36:44 UTC
GLSA 200501-21