COMMAND

    cfengine

SYSTEMS AFFECTED

    Every recent version except 1.6.0a11 released on 1st Oct 2000

PROBLEM

    Pekka Savola found following.  cfd daemon in GNU CFEngine contains
    several  format   string  vulnerabilities   in  syslog()    calls.
    Everyone, or if  access controls are  being used, accepted  hosts,
    can inject the network daemon with a message causing  segmentation
    fault.  As  cfd is almost  always run as  root due to  it's nature
    (centralized  configuration  management  etc.),  this can be quite
    lethal and lead into a root compromise.

    1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this  is
    not  part  of  Red  Hat  Linux  or  Powertools.  Debian, at least,
    includes cfengine as a package.

    Pekka tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; he
    wouldn't be surprised if it was exploitable some way or the  other
    though.

    If access controls are used (this is not the default) in  cfd.conf
    or equivalent, the attacker must have access to an allowed  system
    first.   Spoofing would  probably also yield similar results;  the
    fact that there doesn't need not  to be any reply from the  server
    makes it easier.  Segmentation fault can be induced as follows:

        $ telnet cfdserver 5308
        Trying x.y.z.w...
        Connected to cfdserver.some.domain.
        Escape character is '^]'.
        CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
        ^]
        telnet> quit
        Connection closed.

    where 1.1.1.1 is your IP address and myhostname is some resolvable
    hostname.   A  longer  string  of  %s's  can  also be used if that
    doesn't produce good results.

    If the  %s string  is not  long enough,  string like the following
    will be syslogged; this doesn't look good:

        cfdserver cfd[11330]: Reverse hostname lookup failed, host
        claiming to be 1.1.1.1 myhostname root
        cfdserver.some.domain(null)1.1.1.1 nev^M  was 1.1.1.1 s%s%s^M
        ^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj

    In the end, cfd dies in a segmentation fault.

    As  you  can  set  %s%s%s  freely,  and it's passed almost without
    checking as-is to syslog(), it shouldn't be too difficult for  Joe
    Hacker to exploit  this.  Also,  other components of  cfengine use
    the same logging functions, so a local root exploit could also  be
    possible but those aren't as interesting as this and will be fixed
    at the same time.

SOLUTION

    Different fix was applied  to the newly released  1.6.0.a11 (alpha
    version).  There is an impression that there isn't going to be  an
    official fix for 1.5.x releases.

    Workaround  is  to  enable  access  controls  in  cfd.conf  and/or
    firewall off  TCP port  5308.   These can't  be considered  _good_
    workarounds as users  in the local  network/legit hosts can  still
    exploit the service.

    "Standard"  patch  to  syslog  calls  included.   It applies quite
    cleanly to both 1.5.x and 1.6.0aXX.

    diff -uNr cfengine-1.6.0.a10.orig/src/log.c cfengine-1.6.0.a10/src/log.c
    --- cfengine-1.6.0.a10.orig/src/log.c	Wed Sep  6 14:43:03 2000
    +++ cfengine-1.6.0.a10/src/log.c	Sun Oct  1 20:09:09 2000
    @@ -71,12 +71,12 @@

 		         if (LOGGING && IsPrivileged())
 			    {
    -			syslog(LOG_ERR,string,VFQNAME);
    +			syslog(LOG_ERR,"%s",string,VFQNAME);

 			    if (strlen(errstr) != 0)
 			       {
    -			   syslog(LOG_ERR,errstr,VFQNAME);
    -			   syslog(LOG_ERR,strerror(errno),VFQNAME);
    +			   syslog(LOG_ERR,"%s",errstr,VFQNAME);
    +			   syslog(LOG_ERR,"%s",strerror(errno),VFQNAME);
 			       }
 			    }
                          break;
    @@ -110,11 +110,11 @@
        case cflogonly:
                          if (LOGGING && IsPrivileged())
 			    {
    -			syslog(LOG_INFO,string,VFQNAME);
    +			syslog(LOG_INFO,"%s",string,VFQNAME);

 			    if ((errstr == NULL) || (strlen(errstr) > 0))
 			       {
    -			   syslog(LOG_ERR,errstr,VFQNAME);
    +			   syslog(LOG_ERR,"%s",errstr,VFQNAME);
 			       }
 			    }

    @@ -125,7 +125,7 @@

 		         if (LOGGING && IsPrivileged())
 			    {
    -			syslog(LOG_ERR,string,VFQNAME);
    +			syslog(LOG_ERR,"%s",string,VFQNAME);
 			    }

 		         if (string[strlen(string)-1] != '\n')
    @@ -141,8 +141,8 @@

 			    if (LOGGING && IsPrivileged())
 			       {
    -			   syslog(LOG_ERR,errstr,VFQNAME);
    -			   syslog(LOG_ERR,strerror(errno),VFQNAME);
    +			   syslog(LOG_ERR,"%s",errstr,VFQNAME);
    +			   syslog(LOG_ERR,"%s",strerror(errno),VFQNAME);
 			       }
                             }
 		         return;

    For SuSE Linux:

        SuSE-7.0: ftp://ftp.suse.com/pub/suse/i386/update/7.0/ap1/cfengine-1.5.4-82.i386.rpm
                  ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/cfengine-1.5.4-82.src.rpm
        SuSE-6.4: ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/cfengine-1.5.4-82.i386.rpm
                  ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/cfengine-1.5.4-82.src.rpm
        SuSE-6.3: ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/cfengine-1.5.4-82.i386.rpm
                  ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/cfengine-1.5.4-82.src.rpm
        SuSE-6.2: ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/cfengine-1.5.4-82.i386.rpm
                  ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/cfengine-1.5.4-82.src.rpm
        SuSE-6.1: ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/cfengine-1.5.4-82.i386.rpm
                  ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/cfengine-1.5.4-82.src.rpm
        SuSE-6.0: please use the update packages for the SuSE-6.1 distribution.
        SuSE-5.3: ftp://ftp.suse.com/pub/suse/i386/update/5.3/ap1/cfengine-1.5.4-87.i386.rpm
                  ftp://ftp.suse.com/pub/suse/i386/update/5.3/zq1/cfengine-1.5.4-87.src.rpm

        SuSE-7.0: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/ap1/cfengine-1.5.4-83.sparc.rpm
                  ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/cfengine-1.5.4-83.src.rpm

        SuSE-6.4: ftp://ftp.suse.com/pub/suse/axp/update/6.4/ap1/cfengine-1.5.4-82.alpha.rpm
                  ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/cfengine-1.5.4-82.src.rpm
        SuSE-6.3: Please use the update packages for the SuSE-6.4 distribution.
        SuSE-6.1: ftp://ftp.suse.com/pub/suse/axp/update/6.1/ap1/cfengine-1.5.4-84.alpha.rpm
                  ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/cfengine-1.5.4-84.src.rpm

        SuSE-7.0: ftp://ftp.suse.com/pub/suse/ppc/update/7.0/ap1/cfengine-1.5.4-85.ppc.rpm
                  ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/cfengine-1.5.4-85.src.rpm
        SuSE-6.4: ftp://ftp.suse.com/pub/suse/ppc/update/6.4/ap1/cfengine-1.5.4-82.ppc.rpm
                  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/cfengine-1.5.4-82.src.rpm

    For Linux-Mandrake:

        Linux-Mandrake 7.1: 7.1/RPMS/cfengine-1.5.4-5mdk.i586.rpm
                            7.1/SRPMS/cfengine-1.5.4-5mdk.src.rpm

    There are precompiled binary packages of cfengine for some  NetBSD
    ports available from:

        ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/sysutils/cfengine/README.html

    If no precompiled binary is  available for your platform, you  can
    build your  own from  source.   First, make  sure that  you have a
    version of the pkgsrc hierarchy from 2nd October 2000 or later.