Bug 20851 - miniupnpc new security issue CVE-2017-8798
Summary: miniupnpc new security issue CVE-2017-8798
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-13 21:22 CEST by David Walser
Modified: 2017-08-26 23:18 CEST

See Also:
Source RPM: miniupnpc-1.9.20151008-3.mga6.src.rpm
CVE: CVE-2017-8798
Status comment:


Attachments
A possible PoC for this issue (12.47 KB, text/plain)
2017-07-09 19:58 CEST, Len Lawrence

Description David Walser 2017-05-13 21:22:31 CEST
A security issue fixed upstream in miniupnpc has been announced:
http://openwall.com/lists/oss-security/2017/05/11/2

The upstream commit to fix the issue is linked at the end of the message above (see [6]).

Mageia 5 is also affected.

David Walser 2017-05-13 21:22:39 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja van Waes 2017-05-13 21:40:20 CEST
(In reply to David Walser from comment #0)
> A security issue fixed upstream in miniupnpc has been announced:
> http://openwall.com/lists/oss-security/2017/05/11/2
> 
> The upstream commit to fix the issue is linked at the end of the message
> above (see [6]).
> 
> Mageia 5 is also affected.

Also, so this should be filed against cauldron & MGA5TOO instead of to 
5 & MGA5TOO  ;-)

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Version: 5 => Cauldron

Comment 2 Nicolas Lécureuil 2017-05-15 01:18:24 CEST
Fixed in cauldron

CC: (none) => mageia
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
CVE: (none) => CVE-2017-8798

Comment 3 David Walser 2017-05-25 01:59:18 CEST
Ubuntu has issued advisories for this today (May 24):
https://www.ubuntu.com/usn/usn-3298-1/
https://www.ubuntu.com/usn/usn-3298-2/

Comment 4 David Walser 2017-06-01 12:19:36 CEST
openSUSE has issued an advisory for this on May 31:
https://lists.opensuse.org/opensuse-updates/2017-05/msg00110.html

Comment 5 David Walser 2017-07-09 01:17:50 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated miniupnpc packages fix security vulnerabilities:

It was discovered that MiniUPnP incorrectly handled memory. A remote attacker
could use this issue to cause a denial of service or possibly execute arbitrary
code with privileges of the user running an application that uses the MiniUPnP
library (CVE-2017-8798).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8798
https://www.ubuntu.com/usn/usn-3298-1/
========================

Updated packages in core/updates_testing:
========================
miniupnpc-1.9.20141128-1.2.mga5
libminiupnpc12-1.9.20141128-1.2.mga5
libminiupnpc-devel-1.9.20141128-1.2.mga5

from miniupnpc-1.9.20141128-1.2.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 6 Len Lawrence 2017-07-09 19:56:16 CEST
Had a look but it is not for me.

x86_64  Mate

$ urpmq --whatrequires lib64miniupnpc12 | sort |uniq
0ad
bitcoind
bitcoin-qt
dogecoind
dogecoin-qt
dolphin-emu
lib64eiskaltdcpp2.2
lib64miniupnpc12
lib64miniupnpc-devel
megaglest
miniupnpc

Could not make anything of that except possibly 0ad, which is a multi-player network game.  Installed that and started it under another user with the intention of playing it across the LAN but without knowing anything about games culture there was little chance of understanding how to set it up properly let alone play it.  Presumably it would need a server daemon of some kind attached to some port and then a couple of months' attention to the manual.  The local router has upnp enabled.

$ urpmq --requires 0ad | sort | uniq | grep mini

0ad: libminiupnpc.so.12()(64bit)

There is a PoC (attached) which is just as opaque; there is no indication how to run it to show the vulnerability (CVE-2017-8798).
The following command generated a continuous stream of network monitoring data:
$ ./poc.py --listen <ip of user machine>:65000 --havoc

This is all very negative but might be of some assistance to whoever attempts this one.  megaglest is another game - maybe somebody knows it?

CC: (none) => tarazed25

Comment 7 Len Lawrence 2017-07-09 19:58:27 CEST
Created attachment 9478
A possible PoC for this issue

Cannot comment on this.

Comment 8 PC LX 2017-08-26 21:50:05 CEST
Installed and tested without issue.

Testing was done using upnpc command.
Used the router control panel to check the port forward was set up correctly.
Also, used an external system to connect to the forwarded port.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep miniupnpc
lib64miniupnpc12-1.9.20141128-1.2.mga5
miniupnpc-1.9.20141128-1.2.mga5
$ upnpc -l
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.1:2555/upnp/41ab011c-6596-3be4-8cdb-8fba129c3670/desc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.1:2555/upnp/20c65042-cc3d-3234-8de2-7b00c785b42d/WANIPConn1.ctl
Local LAN ip address : 192.168.1.3
Connection Type : IP_Routed
Status : Connected, uptime=1272773s, LastConnectionError : ERROR_NONE
  Time started : Sat Aug 12 02:53:42 2017
MaxBitRateDown : 0 bps   MaxBitRateUp 0 bps
ExternalIPAddress = 123.123.123.123
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
<SNIP>
$ upnpc -a 192.168.1.3 22 2222 tcp
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.1:2555/upnp/41ab011c-6596-3be4-8cdb-8fba129c3670/desc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.1:2555/upnp/20c65042-cc3d-3234-8de2-7b00c785b42d/WANIPConn1.ctl
Local LAN ip address : 192.168.1.3
ExternalIPAddress = 123.123.123.123
InternalIP:Port = 192.168.1.3:22
external 123.123.123.123:2222 TCP is redirected to internal 192.168.1.3:22 (duration=0)
$ upnpc -l | egrep 'TCP.*2222'
78 TCP  2222->192.168.1.3:22    'libminiupnpc' '' 0
$ # Checked in the router control panel that the port forwarding was setup correctly.
$ # Confirmed that the port forwarding was working by doing a external connection to the forwarded port.
$ upnpc -d 2222 tcp
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.1:2555/upnp/41ab011c-6596-3be4-8cdb-8fba129c3670/desc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.1:2555/upnp/20c65042-cc3d-3234-8de2-7b00c785b42d/WANIPConn1.ctl
Local LAN ip address : 192.168.1.3
UPNP_DeletePortMapping() returned : 0
$ upnpc -l | egrep 'TCP.*2222'
$

CC: (none) => mageia
Whiteboard: (none) => MGA5-64-OK
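
The add / list / delete check from comment 8 in repeatable form, as an added example (not part of the original comment or of miniupnpc). It matches the `upnpc -l` listing line on protocol, external port and internal address exactly; the `UPNPC` override variable, the function names and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example; UPNPC, has_mapping and smoke_test are names chosen here.
# UPNPC may point at a stub so the logic can be exercised without a router.
UPNPC="${UPNPC:-upnpc}"

# has_mapping PROTO EXT_PORT INT_IP INT_PORT
# Reads `upnpc -l` output on stdin. Succeeds only when a numbered listing
# line such as "78 TCP  2222->192.168.1.3:22 ..." matches every field, so
# port 22222 or another internal host does not count as a match.
has_mapping() {
    awk -v proto="$1" -v want="$2->$3:$4" '
        $1 ~ /^[0-9]+$/ && toupper($2) == toupper(proto) && $3 == want { found = 1 }
        END { exit !found }'
}

# smoke_test INT_IP INT_PORT EXT_PORT PROTO
# Returns 0 = pass, 1 = mapping not created, 2 = mapping survived deletion,
# 3 = mapping already existed (left untouched so a real forward is not removed).
smoke_test() {
    ip=$1 iport=$2 eport=$3 proto=$4
    if $UPNPC -l | has_mapping "$proto" "$eport" "$ip" "$iport"; then
        return 3
    fi
    $UPNPC -a "$ip" "$iport" "$eport" "$proto" >/dev/null || return 1
    if ! $UPNPC -l | has_mapping "$proto" "$eport" "$ip" "$iport"; then
        # Best-effort cleanup in case the gateway stored something else.
        $UPNPC -d "$eport" "$proto" >/dev/null 2>&1 || :
        return 1
    fi
    $UPNPC -d "$eport" "$proto" >/dev/null || return 2
    if $UPNPC -l | has_mapping "$proto" "$eport" "$ip" "$iport"; then
        return 2
    fi
    return 0
}
```

With the values used in comment 8 the call is `smoke_test 192.168.1.3 22 2222 tcp`, run on a host behind a UPnP-enabled gateway.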

Comment 9 Lewis Smith 2017-08-26 22:32:38 CEST
@PC_LX: formidable test of a difficult package. Great work.
Advisory uploaded. Validating under current 1-OK-per-release policy.

CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Keywords: (none) => validated_update

Comment 10 Mageia Robot 2017-08-26 23:18:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0313.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
