[Nut-upsuser] [CVE-2012-2944] NUT vulnerability: upsd can be remotely crashed

Arnaud Quette aquette.dev at gmail.com
Wed May 30 19:34:37 UTC 2012


Dear NUT users,

I recently came across a MAJOR potential flaw in the network server
(upsd), that results, when exploited, in a crash of this server [1].

This is the first security flaw in this software, since its very
beginning (~15 years)!
It is still potential, and not actual, since Sebastian's report is a
first-timer.
But it should be very seriously considered, and you should take all
the needed actions to circumvent this problem on your side!

This is a long-standing (hidden) flaw, that affects versions 2.4.0 to 2.6.3.
This is especially true if upsd is not listening on localhost only,
and even more on an untrusted network, with potential attackers.
For more details on the root cause, refer to the Subversion fix [2]
and initial report [1].

A simple way to limit exposure is to limit upsd access, through:
- upsd.conf -> LISTEN directive: only list your local network
interface(s) that are on a trusted network, or to which access is really
needed
- firewall: only list authorized remote systems.

The current overall status is the following:

1) CVE entry

An official entry in the Common Vulnerabilities and Exposures system
(aka CVE [3]), has been allocated: CVE-2012-2944.
Official and mass publication will start popping around with this identifier.
This also means that "script kiddies" will be aware of this flaw, and
you may/will be even more vulnerable!

2) Source release

The development version has been patched yesterday (r3633 [1]).
I will finalize 2.6.4, at forced pace, for release in a few hours from now.

Users of source versions from 2.4.0 to 2.6.3, who can't update to
2.6.4, are encouraged to patch using [1].
This patch applies fine to any faulty version.

3) Binary packages

The following list of OSes and distros has been notified:
http://oss-security.openwall.org/wiki/mailing-lists/distros

RedHat, Suse, Ubuntu and Debian have already acknowledged, and fixed
uploads are underway.
Users of other, non-listed systems are encouraged to log a bug in
their OS system, to trigger a rapid resolution availability.

On my side, Debian packages are under verification by the Debian Security Team.
I've made everything possible to improve their confidence, and so
speed up the process.

I apologize for this issue, and will keep you informed of the situation.
Be assured that I'm doing my very best to avoid actual report, and to
fix the situation in the best and fastest way.
If I can help solve this even more, just let me know.

Best regards,
Arnaud
--
[1] https://alioth.debian.org/tracker/index.php?func=detail&aid=313636&group_id=30602&atid=411542
[2] http://trac.networkupstools.org/projects/nut/changeset/3633
[3] http://cve.mitre.org/
--
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.free.fr/
--
Subversion commit message r3633
---------------------------------------------

2012-05-29  Arnaud Quette <arnaud.quette at free.fr>

        * [r3633] common/parseconf.c: Fix CVE-2012-2944: upsd can be
          remotely crashed

          NUT server (upsd), from versions 2.4.0 to 2.6.3, is exposed to
          crashes when receiving random data from the network.

          This issue is related to the way NUT parses characters,
          especially from the network. Non-printable characters were missed
          by string operations (such as strlen), but still copied to the
          buffer, causing an overflow.

          Thus, fix the NUT parser, to only allow the ASCII subset from
          Space to ~.

          (Reported by Sebastian Pohle, Alioth bug #313636, CVE-2012-2944)
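An added illustration of the hardening the commit message describes; this is not NUT's own parseconf.c code (the real fix is in changeset [2]). The receive routine accepts only bytes from Space (0x20) to ~ (0x7E), and, as an assumption beyond what the page states, bounds the copy by the number of bytes actually received rather than by strlen(), so a non-printable byte can neither reach the buffer nor make the copied length disagree with what later string operations see. The buffer size and sample lines are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUF 64 /* constructed buffer size for the demo, not NUT's */

/* Allowed set from the r3633 fix description: ASCII Space (0x20) to '~' (0x7E). */
static int is_printable_ascii(unsigned char c)
{
    return c >= 0x20 && c <= 0x7E;
}

/* Copy in_len received bytes into out (NUL-terminated).
 * Returns the number of bytes copied, or -1 if any byte is outside the
 * allowed range or the line (plus NUL) does not fit in out.
 * The length comes from the caller (bytes actually received), never from
 * strlen(), so an embedded NUL or control byte cannot make the copy
 * disagree with the length that later string operations will compute. */
int copy_printable_line(const unsigned char *in, size_t in_len,
                        char *out, size_t out_size)
{
    size_t i;
    if (in == NULL || out == NULL || out_size == 0 || in_len >= out_size)
        return -1;
    for (i = 0; i < in_len; i++) {
        if (!is_printable_ascii(in[i]))
            return -1; /* reject the whole line rather than copy it */
        out[i] = (char)in[i];
    }
    out[in_len] = '\0';
    return (int)in_len;
}

int main(void)
{
    /* Constructed sample lines: a clean command, and one carrying an
     * embedded NUL plus a control byte that strlen() would never count. */
    const unsigned char clean[] = "LIST UPS";
    const unsigned char poisoned[] = { 'L', 'I', 'S', 'T', 0x00, 0x01, 'U', 'P', 'S' };
    char buf[LINE_BUF];

    printf("clean:    %d\n", copy_printable_line(clean, sizeof clean - 1, buf, sizeof buf));
    printf("poisoned: %d\n", copy_printable_line(poisoned, sizeof poisoned, buf, sizeof buf));
    return 0;
}
```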