Bug 10550 - fail2ban new security issue CVE-2013-2178
: fail2ban new security issue CVE-2013-2178
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: All Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/554872/
: MGA2TOO has_procedure mga3-64-ok mga3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-06-17 21:34 CEST by David Walser
Modified: 2014-05-08 18:06 CEST (History)
2 users (show)

See Also:
Source RPM: fail2ban-0.8.8-6.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-06-17 21:34:27 CEST
Debian has issued an advisory on June 16:
http://www.debian.org/security/2013/dsa-2708

Reproducible: 

Steps to Reproduce:
Comment 1 Remco Rijnders 2013-06-19 06:10:51 CEST
This problem should be fixed in fail2ban-0.8.8-6.1.mga3 and fail2ban-0.8.6-3.2.mga2, both available in their respective updates_testing repositories.

Only people using fail2ban to monitor their apache log files are potentially affected by this DoS-possibility.

More information on this vulnerability, including an explanation and the fix applied, can be found at https://vndh.net/note:fail2ban-089-denial-service
Comment 2 claire robinson 2013-06-19 12:43:49 CEST
Remco I notice this is set to Cauldron, has Cauldron been updated now?

If it has I'll alter the bug. We can't push updates unless Cauldron has been done first.
Comment 3 Remco Rijnders 2013-06-19 12:51:58 CEST
Hi Claire,

I pushed version 0.8.10 to Cauldron this morning, which has this fix applied in it already. Thanks!
Comment 4 claire robinson 2013-06-19 13:09:16 CEST
Thanks
Comment 5 claire robinson 2013-06-19 13:17:49 CEST
Could you list rpms please aswell as the srpms above. Testing is full of kde at the moment so it's almost impossible for us to guess them.

Also, is there a CVE for this now? Could you give an advisory please. Luigi12 is busy with $dayjob so be nice if we can lighten the load a little for him.
Comment 6 Remco Rijnders 2013-06-19 14:08:21 CEST
Advisory:
======================
Updated fail2ban package fix DoS-vulnerability

Krzysztof Katowicz-Kowalewski discovered a vulnerability in Fail2ban, a log monitoring and system which can act on attack by preventing hosts to connect to specified services using the local firewall.

When using Fail2ban to monitor Apache logs, improper input validation in log parsing could enable a remote attacker to trigger an IP ban on arbitrary addresses, thus causing a denial of service (CVE-2013-2178)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2178
http://www.debian.org/security/2013/dsa-2708
https://vndh.net/note:fail2ban-089-denial-service
======================

Updated packages in core/updates_testing:
======================
fail2ban-0.8.6-3.2.mga2
fail2ban-0.8.8-6.1.mga3

SRPMS:
======================
fail2ban-0.8.6-3.2.mga2
fail2ban-0.8.8-6.1.mga3
Comment 7 David Walser 2013-06-19 20:25:53 CEST
Thanks Remco!

Just adjusting some minor formatting things with the advisory, but thanks for doing that.  Just so you know what I changed below, we usually limit the width to approx. 78 characters, I usually put the other distro advisory last in the references, and the SRPM names get a .src.rpm at the end.

Advisory:
========================

Updated fail2ban package fixes security vulnerability:

Krzysztof Katowicz-Kowalewski discovered a vulnerability in Fail2ban, a log
monitoring and system which can act on attack by preventing hosts to connect
to specified services using the local firewall.

When using Fail2ban to monitor Apache logs, improper input validation in log
parsing could enable a remote attacker to trigger an IP ban on arbitrary
addresses, thus causing a denial of service (CVE-2013-2178).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2178
https://vndh.net/note:fail2ban-089-denial-service
http://www.debian.org/security/2013/dsa-2708
========================

Updated packages in core/updates_testing:
========================
fail2ban-0.8.6-3.2.mga2
fail2ban-0.8.8-6.1.mga3

from SRPMS:
fail2ban-0.8.6-3.2.mga2.src.rpm
fail2ban-0.8.8-6.1.mga3.src.rpm
Comment 8 claire robinson 2013-06-20 08:26:03 CEST
Remotely exploitable DOS so raising priority
Comment 9 David Walser 2013-06-20 21:34:50 CEST
RedHat has rated as "moderate," so following suit.
Comment 10 claire robinson 2013-06-25 15:45:26 CEST
Some issues with default config Remco, i'll create a new bug for it though. Mainly paths in /etc/fail2ban/jail.conf and also default actions using sendmail.
Comment 11 claire robinson 2013-06-25 16:38:47 CEST
Checking the 'Affected Files' list here https://vndh.net/note:fail2ban-089-denial-service found in /etc/fail2ban/ the shipped regex's are the same (text match without any positional checks).

Confirmed after update that they now use ^%(_apache_error_client)s which is now defined in filter.d/apache-common.conf

Added the jails as below and started the server.

[apache-auth]

enabled  = true
filter   = apache-auth
action   = shorewall
logpath  = /var/log/httpd/error_log

[apache-noscript]

enabled  = true
filter   = apache-noscript
action   = shorewall
logpath  = /var/log/httpd/error_log

[apache-overflows]

enabled  = true
filter   = apache-overflows
action   = shorewall    
logpath  = /var/log/httpd/error_log

[apache-nohome]

enabled  = true
filter   = apache-nohome  
action   = shorewall
logpath  = /var/log/httpd/error_log

Confirmed the affected jails loaded OK with 
# systemctl status fail2ban.service

Tested by manually sending lines to the log file and confirming no action.

# echo '[Sat Jun 25 14:36:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found' >> /var/log/httpd/error_log
Comment 12 claire robinson 2013-06-25 16:44:23 CEST
bug 10617 created for the default config issues
Comment 13 claire robinson 2013-06-28 09:43:18 CEST
Testing complete mga3 32

Tested successfully with ssh-iptables jail. Used incorrect password to log in to ssh several times and was blocked.
Comment 14 claire robinson 2013-06-28 12:01:30 CEST
testing complete mga2 32 & 64

Validating. Advisory in comment 7 uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!
Comment 15 Nicolas Vigier 2013-07-01 21:21:03 CEST
http://advisories.mageia.org/MGASA-2013-0192.html

Note You need to log in before you can comment on or make changes to this bug.