Bug 11090 - nmap new security issue fixed in 6.40 (CVE-2013-4885)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565087/
Whiteboard: mga3-64-ok mga3-32-ok has_procedure
Keywords: Triaged, validated_update
Reported: 2013-08-27 17:29 CEST by Paul Blackburn
Modified: 2013-10-17 22:02 CEST

Source RPM: nmap
Description Paul Blackburn 2013-08-27 17:29:31 CEST
ref: http://seclists.org/nmap-announce/2013/1

"From: Fyodor <fyodor () nmap org>
Date: Mon, 19 Aug 2013 14:50:05 -0700
Hi Folks.  It has been a while since the last stable Nmap release, but
I'm pleased to release Nmap 6.40 and I think you'll consider it worth
the wait!"
Comment 1 Manuel Hiebel 2013-08-27 18:59:06 CEST
Looks like there is no security fix; usually we don't update such packages, which could bring new bugs. Let's see that with the maintainer.
Comment 2 Paul Blackburn 2013-08-27 20:12:17 CEST
I think this may be considered a security fix:

"
 o [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts.  If
  you ran the (fortunately non-default) http-domino-enum-passwords script
  with the (fortunately also non-default) domino-enum-passwords.idpath
  parameter against a malicious server, it could cause an arbitrarily named
  file to be written to the client system. Thanks to Trustwave researcher
  Piotr Duszynski for discovering and reporting the problem.  We've fixed
  that script, and also updated several other scripts to use a new
  stdnse.filename_escape function for extra safety. This breaks our record
  of never having a vulnerability in the 16 years that Nmap has existed, but
  that's still a fairly good run! [David, Fyodor]
"
(source: http://seclists.org/nmap-announce/2013/1 )
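The changelog quoted above describes both the bug (a name taken from a malicious server's response used directly as a local filename) and the fix (escaping such names with a new stdnse.filename_escape helper). As an added illustration, not Nmap's own code (NSE scripts and stdnse are Lua), here is the same defensive pattern in Python: percent-escape everything outside a conservative allow-list so a server-supplied name can only ever be one path component under the intended output directory, and verify that property before writing. The directory and the hostile name are constructed for the example.

```python
import os
from typing import Optional

# Conservative allow-list: everything else is percent-escaped. Working on
# bytes means multi-byte UTF-8 and control characters are escaped too.
_SAFE_BYTES = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-"
)


def filename_escape(name: str) -> str:
    """Turn an untrusted string into a single, harmless path component.

    Same idea as the stdnse.filename_escape helper added in Nmap 6.40
    (illustrative re-implementation, not Nmap's code): '/', '\\', NUL,
    whitespace and anything non-ASCII become %XX, so the result cannot
    contain a directory separator. '.' and '..' pass the allow-list but
    are not usable names, so their dots are escaped as well.
    """
    raw = name.encode("utf-8", "surrogateescape")
    escaped = "".join(
        chr(b) if b in _SAFE_BYTES else "%%%02X" % b for b in raw
    )
    if escaped in (".", ".."):
        escaped = escaped.replace(".", "%2E")
    return escaped


def unsafe_output_path(base_dir: str, server_supplied_name: str) -> str:
    """The pattern the advisory describes: a name from the scanned server's
    response is used as-is, so '../' or an absolute path lets the server
    choose where the client writes. Shown only as the 'before' case."""
    return os.path.join(base_dir, server_supplied_name)


def safe_output_path(base_dir: str, server_supplied_name: str) -> Optional[str]:
    """Escape the name, join it to base_dir, and confirm the result is a
    direct child of base_dir. Returns None on any violation (defence in
    depth: after escaping this should never fire, except for an empty
    name, which would otherwise resolve to base_dir itself)."""
    candidate = os.path.join(base_dir, filename_escape(server_supplied_name))
    real_base = os.path.realpath(base_dir)
    if os.path.dirname(os.path.realpath(candidate)) != real_base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample of what a hostile server could send back.
    hostile = "../../outside.txt"
    print("unsafe:", unsafe_output_path("nmap-output", hostile))
    print("safe:  ", safe_output_path("nmap-output", hostile))
```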
Comment 3 Manuel Hiebel 2013-08-27 20:24:37 CEST
Indeed, and a patch is available at https://bugzilla.redhat.com/show_bug.cgi?id=995634 in case.
Comment 4 David Walser 2013-08-28 18:28:05 CEST
Fedora has issued an advisory for this on August 15:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114768.html

There is also an upstream advisory, including PoC details:
http://packetstormsecurity.com/files/122719/TWSL2013-025.txt
Comment 5 Dave Hodgins 2013-08-28 19:49:57 CEST
Mageia 3 is not susceptible to the security bug.

It just returns
| http-domino-enum-passwords:   
|_  ERROR: Failed to process results

so testing of an update will be limited to ensuring nmap works.
Comment 6 Guillaume Rousse 2013-09-01 16:23:08 CEST
I'm not convinced of the interest of an update, if there is no vulnerability... Anyway, I just submitted nmap-6.25-3.1.mga3 with fedora patch applied in updates_testing.
Comment 7 David Walser 2013-09-01 17:28:40 CEST
Maybe the PoC doesn't work or wasn't used correctly?

Is the Mageia 2 nmap package not vulnerable to this?
Comment 8 David Walser 2013-09-01 17:30:05 CEST
Thanks Guillaume, BTW!  :o)

Packages currently uploaded:
nmap-6.25-3.1.mga3
nmap-frontend-6.25-3.1.mga3

from nmap-6.25-3.1.mga3.src.rpm
Comment 9 David Walser 2013-10-04 18:43:52 CEST
Getting the PoC to work isn't just a matter of running a command, but also getting the server it's run against to deliver a certain response.  I'm not exactly sure how to get it to do that.  This is a low-severity issue, and re-diffing the patch for Mageia 2 appears to be non-trivial.  Let's update Mageia 3.

Advisory:
========================

Updated nmap packages fix security vulnerability:

It is possible to write arbitrary files to a remote system, through a specially
crafted server response for NMAP http-domino-enum-passwords.nse script from
nmap before 6.40 (CVE-2013-4885).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4885
http://packetstormsecurity.com/files/122719/TWSL2013-025.txt
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114768.html
========================

Updated packages in core/updates_testing:
========================
nmap-6.25-3.1.mga3
nmap-frontend-6.25-3.1.mga3

from nmap-6.25-3.1.mga3.src.rpm
Comment 10 claire robinson 2013-10-07 15:08:47 CEST
Advisory 11090.adv uploaded to svn.
Comment 11 Paul Blackburn 2013-10-08 10:36:20 CEST
testing on x86_64 Mageia 3:

   nmap-6.25-3.1.mga3.x86_64.rpm
   nmap-frontend-6.25-3.1.mga3.x86_64.rpm
Comment 12 Paul Blackburn 2013-10-09 11:57:42 CEST
Tested on x86_64 Mageia 3:

    nmap-6.25-3.1.mga3.x86_64.rpm
    nmap-frontend-6.25-3.1.mga3.x86_64.rpm

This patched Nmap 6.25 seems to be working fine.

Unable to test the fix for the specific vulnerability discovered
by Piotr Duszynski because unable to recreate the following:

    "It is possible to write arbitrary files to a remote system, through a
     specially crafted server response for NMAP http-domino-enum-passwords.nse
     script (from the official Nmap repository)."
     [source: http://packetstormsecurity.com/files/122719/TWSL2013-025.txt ]


    "Remediation Steps:
     The vendor has released an official patch for this vulnerability.  It is
     recommended to upgrade to Nmap 6.40."
     [source: http://packetstormsecurity.com/files/122719/TWSL2013-025.txt ]

Alternatively, one may download Nmap 6.40 rpms from insecure.org.
Comment 13 claire robinson 2013-10-10 11:54:05 CEST
Thanks Paul, are you able to test i586 also?
Comment 14 claire robinson 2013-10-14 09:52:41 CEST
Testing complete mga3 32

# nmap -O 192.168.1.*

nmap-frontends tested with zenmap to perform an 'Intense scan'.


Validating. Advisory uploaded in comment 10.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 15 Thomas Backlund 2013-10-17 22:02:52 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0305.html
