Bug 499802 (CVE-2013-7176) - <net-analyzer/fail2ban-0.8.12 : Client IP Address Spoofing Weaknesses (CVE-2013-7176)
Status: RESOLVED FIXED
Alias: CVE-2013-7176
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/56691/
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-30 16:27 UTC by Agostino Sarubbo
Modified: 2014-06-01 16:01 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-01-30 16:27:36 UTC
From ${URL} :

Description

Some weaknesses have been reported in Fail2ban, which can be exploited by malicious people to conduct 
spoofing attacks.

1) Multiple errors in regular expressions within the cyrus-imap filter can be exploited to e.g. spoof 
client IP addresses and subsequently cause arbitrary IP addresses to be banned.

2) Two errors in regular expressions within the postfix filter can be exploited to e.g. spoof client IP 
addresses and subsequently cause arbitrary IP addresses to be banned.

3) Some errors in regular expressions within unspecified filters can be exploited to e.g. spoof client IP 
addresses and subsequently cause arbitrary IP addresses to be banned.

The weaknesses are reported in versions prior to 0.8.11.


Solution:
Update to version 0.8.11 or later.

Provided and/or discovered by:
1, 2) US-CERT credits Steven Hiscocks.
3) Reported by the vendor.

Original Advisory:
Fail2ban:
https://github.com/fail2ban/fail2ban/blob/master/ChangeLog

US-CERT (VU#686662):
http://www.kb.cert.org/vuls/id/686662


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-30 21:58:42 UTC
0.8.11 should fix this, but 0.8.12 is out and should fix[1] the fix.


[1] https://github.com/fail2ban/fail2ban/releases/tag/0.8.12
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-30 22:09:21 UTC
Arch teams, please test and mark stable:
=net-analyzer/fail2ban-0.8.12
Targeted stable KEYWORDS : amd64 hppa ppc ppc64 x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-01 11:42:10 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-02-01 22:45:59 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-02-01 22:47:56 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-02-02 11:05:29 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-09 08:24:03 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-09 14:32:02 UTC
GLSA vote: yes.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-02-09 15:01:20 UTC
CVE-2013-7176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7176):
  config/filter.d/postfix.conf in the postfix filter in Fail2ban before 0.8.11
  allows remote attackers to trigger the blocking of an arbitrary IP address
  via a crafted e-mail address that matches an improperly designed regular
  expression.
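The CVE text above describes the bug class rather than showing it. The following script is an added illustration, not code from this bug, from fail2ban or from any of its filter files: it runs a constructed, deliberately weak failregex and a hardened one over two constructed postfix/smtpd rejection lines and reports which address each would hand to the ban action. The <HOST> stand-in, both regexes and both log lines are assumptions made for the example; the real fail2ban patterns and placeholder expansion differ.

```python
import re

# Stand-in for fail2ban's <HOST> placeholder.  Assumption for this example:
# the real expansion is more elaborate; this one accepts IPv4 addresses and
# plain host names, which is enough to show the spoofing problem.
HOST = r"(?P<host>[\w\-.]*\w)"

# Constructed, illustrative failregexes, NOT the patterns shipped in any
# fail2ban release.  The weak one has the shape of the bug class: a greedy
# '.*' in front of '[<HOST>]' and nothing pinned after the closing bracket,
# so the LAST bracketed token on the line is captured, even one sitting
# inside an attacker-supplied e-mail address.
WEAK = re.compile(r"NOQUEUE: reject: RCPT from .*\[" + HOST + r"\]")

# Hardened: the client name before the bracket may contain neither '[' nor
# whitespace, and the capture must be followed by the fixed SMTP status text
# that postfix logs right after the client address.  Fields further right in
# the line (sender, recipient, helo) are attacker-controlled and can no longer
# supply the host.
HARDENED = re.compile(
    r"NOQUEUE: reject: RCPT from [^\[\s]*\[" + HOST + r"\]: 554 5\.7\.1 "
)

# Constructed log lines in postfix/smtpd's rejection format (message part
# only; fail2ban strips the syslog prefix before matching).  198.51.100.7 is
# the real client; 10.0.0.5 is the address the attacker wants banned, smuggled
# in as a quoted local part of the envelope sender.
BENIGN = (
    "NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 "
    "<victim@example.test>: Relay access denied; from=<bob@example.org> "
    "to=<victim@example.test> proto=ESMTP helo=<mail.example.org>"
)
CRAFTED = (
    "NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 "
    '<victim@example.test>: Relay access denied; from=<"x[10.0.0.5]"@evil.test> '
    "to=<victim@example.test> proto=ESMTP helo=<evil.test>"
)


def extract_host(pattern: re.Pattern, line: str):
    """Return the address a failregex would hand to the ban action, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def compare(line: str) -> dict:
    """Run both patterns over one log line and report what each would ban."""
    return {
        "weak": extract_host(WEAK, line),
        "hardened": extract_host(HARDENED, line),
    }


if __name__ == "__main__":
    for name, line in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, compare(line))
```

On the benign line both patterns agree on 198.51.100.7; on the crafted line the weak pattern bans 10.0.0.5, the address chosen by the remote sender, while the hardened one still bans the real client. The two properties that matter when reviewing a filter are visible here: nothing attacker-controlled may appear between the fixed prefix and the <HOST> capture, and the capture must be anchored to text the daemon itself writes immediately after it. fail2ban ships the fail2ban-regex tool for exactly this kind of check against a filter file and a sample log line.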
Comment 10 Sergey Popov gentoo-dev 2014-02-11 09:12:47 UTC
Added to existing GLSA draft
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-05-15 18:44:43 UTC
Cleanup already done by jer.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 16:01:02 UTC
This issue was resolved and addressed in
 GLSA 201406-03 at http://security.gentoo.org/glsa/glsa-201406-03.xml
by GLSA coordinator Chris Reffett (creffett).