Re: Reverse lookup issue in Net::Server

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/04/2013 12:36 PM, Russ Allbery wrote:
> Remi Gacogne <rgacogne-bugs () coredump fr> writes:
>
> > I think there is a security issue in the way the access control
> > feature of Net::Server
> > (http://search.cpan.org/perldoc?Net%3A%3AServer) works. 
> > Net::Server is used by various projects including Munin, Postgrey
> > and SQLgrey.
>
> > The issue lies in the fact that the allow / deny access control
> > does not perform a valid DNS check when given a hostname
> > parameter and the 'reverse_lookups' option is enabled.  The
> > current code only checks that the incoming connection source IP
> > address has a reverse DNS matching the given hostname, but does
> > not check that the hostname resolves back to this source IP
> > address (see how the $prop->{'peerhost'} property is set in
> > get_client_info(), lib/Net/Server.pm:553, then used in
> > allow_deny(), lib/Net/Server.pm:597).  As it is trivial for an
> > attacker to be able to set his own source IP's reverse DNS, the
> > current check is not safe (this probably matches CWE-807:
> > Reliance on Untrusted Inputs in a Security Decision).
>
> This is a very weak security measure, but yes, the need to check
> the reverse DNS results with a forward DNS query to make the
> security check at all useful has been well-known going all the way
> back to the days when TCP wrappers was the UNIX firewalling system
> of choice.  I remember discussion of this in security contexts in
> 1994, and I'm sure it was an old discussion even then.

Yup. Please use CVE-2013-1841 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRPpYkAAoJEBYNRVNeJnmTo74P/j9Yn/ESKT4ALfNJoAISZgIT
YSCewtRaMqI+LDr11Rg6kLC9NHO8BKsyo3DvlbEgFITpwkmCCOJKZOvR6PbFm9Ot
reLseaegLL6y7qDXgAi97hGjWgq2i+vIi+agyfSy1lhzpnR9bk6aa/rdbxxtERPH
N1CbKFpBvZ6RLHDtBtgEGqMznoswG8JIk5l/q15qLvnXgG1VA3H8PL/ZPsHUQ1iR
95tOKXWeHw0ZysK2mwwQHbv6xLxo1owpvILqbOMN7x5Jx/WgusahfjDhQ9eyUbpy
Ffxceha4M5LI8FgavALMFYMvAcymFkkjjuG08z/VhYa2/7FMqqF0gXIq4zuVKzAe
VJqAt0cd5B6Nx9Kff5f/Yx3WkoZaj+9ErTkIv1O3Rd+X6ubW5j8PdVpKn0hOGEL2
XKnNdOkKT6ZtWeRqfck1PZCPw4LUu/gBRNVl4vgr2QVPbRIRDjT5+PksIjd6U+dA
lHgz54FXX+X0Yqy4djhZXD1fC9LRahThkHws1U7GjAMcFzVdoGLjfoAFT7temdzF
iKpMCcCDoB9H1Pl03cJWk7pPKbZHSgRqYPlnqf6PNmTmJlYCGcqZorihU+S9xw2d
ziIO+75QPuxvVVb8Hbtv8RHuJbndqSaFtjncbn0MQ1bVU+/JdQQchy4GPlvrrtvi
kDHwPyl55Mrvy0lQAh7X
=5u6Y
-----END PGP SIGNATURE-----