NetBSD Security Advisory 2023-007: multiple vulnerabilities in ftpd(8)
16 November, 2023 by security-officer@netbsd.org | netbsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 NetBSD Security Advisory 2023-007 ================================= Topic: multiple vulnerabilities in ftpd(8) Version: NetBSD-current: affected prior to 2023-10-01 NetBSD 10.0_BETA: affected prior to 2023-10-01 NetBSD 9.3: affected NetBSD 9.2: affected NetBSD 9.1: affected NetBSD 9.0: affected NetBSD 8.2: affected NetBSD 8.1: affected NetBSD 8.0: affected tnftpd: prior to tnftpd-20231001 Severity: Remote unauthenticated attacker may get directory listing, potential buffer overflows. Fixed: NetBSD-current: 2023-09-30 NetBSD-10 branch: 2023-10-02 NetBSD-9 branch: 2023-10-02 NetBSD-8 branch: 2023-10-03 tnftpd: tnftpd-20231001 Please note that NetBSD releases prior to 8.2 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== A vulnerability in the NetBSD FTP server allows unauthenticated users to execute MLST and MLSD commands without authentication. This can lead to information leakage - unauthorized party may be able to download the listing of the current ftpd(8) directory. This vulnerability has been assigned CVE-2023-45198. Additionally, potential buffer overflow in count_users() and reading outside of allocated memory issues due to wrong struct type used in the pam_set_item() call have been identified. Technical Details ================= The NetBSD FTP server had a security flaw that allowed unauthenticated users to execute MLST and MLSD commands without requiring proper authentication. This could enable unauthorized users to retrieve directory listings and information about files on the server, potentially leading to an information leak. It should be noted that MLST and MLSD commands can be executed by unauthenticated user, it allows attacker to operate only on the current directory of the ftpd(8) process. Another issue is associated with count_users() function which potentially used uninitialized memory. If the file was previously empty, pids table used by the daemon is not set, the code however used pids[0] which is uninitialized in this case. In some scenarios it may lead to propagate garbage value from pids[0] to the file and cause writing outside of allocated memory. Additionally two other weaknesses have been identified. pam_set_item used with the PAM_SOCKADDR option expects sockaddr_storage structure. Instead, internal struct sockinet was used. Because it's length is shorter than sockaddr_storage, libpam was copying also memory outside of sockinet struct. Solutions and Workarounds ========================= As a temporary workaround, ftpd(8) might be disabled. To apply a fixed version from a releng build, fetch a fitting base.tgz from nycdn.NetBSD.org and extract the fixed binaries: cd /var/tmp ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz tar -C / -xzpf /var/tmp/base.tgz ./usr/libexec/ftpd with the following replacements: REL = the release version you are using BUILD = the source date of the build. %DATE%* and later will fit ARCH = your system's architecture The following instructions describe how to upgrade your ftpd(8) binaries by updating your source tree and rebuilding and installing a new version of ftpd(8). * NetBSD-current: Systems running NetBSD-current dated from before 2023-09-30 should be upgraded to NetBSD-current dated 2023-10-01 or later. The following files/directories need to be updated from the netbsd-current CVS branch (aka HEAD): src/libexec/ftpd To update from CVS, re-build, and re-install ftpd(8): # cd src # cvs update -d -P src/libexec/ftpd # cd src/libexec/ftpd # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 9.*: Systems running NetBSD 9.* sources dated from before 2023-10-02 should be upgraded from NetBSD 9.* sources dated 2023-10-03 or later. The following files/directories need to be updated from the netbsd-9 branch: src/libexec/ftpd To update from CVS, re-build, and re-install ftpd(8): # cd src # cvs update -r netbsd-9 -d -P src/libexec/ftpd # cd src/libexec/ftpd # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 8.*: Systems running NetBSD 8.* sources dated from before 2023-10-03 should be upgraded from NetBSD 8.* sources dated 2013-10-04 or later. The following files/directories need to be updated from the netbsd-8 branch: src/libexec/ftpd To update from CVS, re-build, and re-install ftpd(8): # cd src # cvs update -r netbsd-8 -d -P src/libexec/ftpd # cd path/to/files # make USETOOLS=no cleandir dependall # make USETOOLS=no install * tnftpd (or older installations): Rebuild tnftpd from sources. The tnftpd-20231001 distribution is at: https://cdn.netbsd.org/pub/NetBSD/misc/tnftp/tnftpd-20231001.tar.gz https://cdn.netbsd.org/pub/NetBSD/misc/tnftp/tnftpd-20231001.tar.gz.asc Thanks To ========= Mateusz Kocielski (shm@) who analyzed this problem and supplied the fixes. Luke Mewburn (lukem@) and Taylor R Campbell (riastradh@) for reviewing patches. Revision History ================ 2023-11-16 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-007.txt.asc Information about NetBSD and NetBSD security can be found at https://www.NetBSD.org/ https://www.NetBSD.org/Security/ Copyright 2023, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. -----BEGIN PGP SIGNATURE----- iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmVWMZEcHHNlY3VyaXR5 LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/wOlD/9koL3r4jHb8IPrZ+rU R6f2AfAG2KMx9Yg/H+aMIarEfKLlKKH+wi8Jig78hyfTygbOZ13MFyl7LF2cdvA6 IOPCnuxU9F+5V19o+R6OcQdcUklQMX0zxRWVc0rx6qTGJcW8LkzghbNM6/hwLLqc iSh0AOxhg8/xoF8HkUYljggJrQLwHReqjkdPFITn26lhKGIwbKEQ6Put46YLob1b fqZ5A5qdtRsV0PWIMIq+j9PMiAnspXrfYc4wHy2DhiPYY6wm4h3d5HqMN8SCPluI RjQNcxRgjwyZ8GqQQswEJCkzyya63ecrSj6ZrvGoQAAoRcEXUp9T5zez7UwiCgBm A6uv/VBgvmglGw+nnQX1JObMFjB80P3Rs0FBBH9IZfKuzSG1Ms+nd79RwWVQ+Y8T CZwnDAYQiHKeDpDMqTNaUq0ujOrCS2vd5xlrnRJd8wh5/kAOjTGpS0jtH9Ao1fKp BQbrX+utvJMgCI5ztp0QHLlvPeA55Kr6bxGr7qlhTX654EiAs2KzsAEOX+pUi17P kLLC71jhNUgCnmJOEOT9V+w2cvpgvC2W10BZDgJgS9kGfcf2j0h/s+gPuICKbUaa xNjT4kAD7dkvVpzy9waJ7lygpeslsyuU5w6Uxl9N+CCufBktFmDZGVKhlt5LPxVA twuKtferm7A+RI7ac9ut86F5Hw== =MshM -----END PGP SIGNATURE-----