Fail2ban Remote Denial of Service Vulnerability
BID:25117
Info
| Field | Value |
|---|---|
| Bugtraq ID: | 25117 |
| Class: | Design Error |
| CVE: | CVE-2007-4321 |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 28 2007 12:00AM |
| Updated: | Jan 09 2008 11:29PM |
| Credit: | Daniel B. Cid discovered this vulnerability. |
| Vulnerable: | Gentoo Linux; Debian Linux 4.0 (sparc, s/390, powerpc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, amd64, alpha); Cyril Jaquier Fail2Ban 0.8, 0.7.5, 0.6.2, 0.6.1, 6.2, 0 |
| Not Vulnerable: | |
Discussion
Fail2ban is prone to a remote denial-of-service vulnerability because the application fails to properly ensure the validity of authentication-failure messages.
Successfully exploiting this issue allows remote attackers to add arbitrary IP addresses to the block list used by the application. This allows attackers to deny further network access to arbitrary IP addresses, denying service to legitimate users.
Fail2ban 0.8.0 and prior versions are vulnerable to this issue.
Exploit / POC
Attackers use readily available network utilities to exploit this issue.
This issue may be demonstrated by connecting to an SSH server with 'nc', and sending the following string:
ROOT LOGIN REFUSED hi FROM 1.2.3.4
where '1.2.3.4' is an IP address to be blocked.
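As an added illustration of the weakness described above (this is example code, not the advisory's or the Fail2ban project's own filter), the Python below compares a loose substring match, modelled on the kind of failregex the issue concerns, with patterns anchored on the parts of an sshd log line that the remote client cannot write. The log lines, both patterns, and the exact wording of the sshd "bad banner" message are constructed assumptions for this example.

```python
import re
from typing import Optional

# Constructed sample lines (not captured from a real host). The second models
# sshd recording a malformed client banner that carries the string from the
# advisory; the precise sshd message wording is an assumption for this example.
LEGIT_FAILURE = "Jul 28 12:00:01 bastion sshd[1234]: ROOT LOGIN REFUSED FROM 198.51.100.7"
INJECTED = ("Jul 28 12:00:02 bastion sshd[1235]: Bad protocol version identification "
            "'ROOT LOGIN REFUSED hi FROM 1.2.3.4' from 203.0.113.9")

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Loose filter: unanchored substring match with a wildcard before the host.
# Any text the client manages to get written into the log can satisfy it.
LOOSE = re.compile(r"ROOT LOGIN REFUSED.* FROM (?P<host>%s)" % IPV4)

# Hardened filters: anchor on the syslog/sshd prefix, drop the wildcard before
# the host, and require the host at end of line, where sshd (not the client)
# writes the peer address.
PREFIX = r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
STRICT = [
    re.compile(PREFIX + r"ROOT LOGIN REFUSED FROM (?P<host>%s)$" % IPV4),
    re.compile(PREFIX + r"Bad protocol version identification '.*' from (?P<host>%s)$" % IPV4),
]


def extract_loose(line: str) -> Optional[str]:
    """Host the loose filter would hand to the ban action, or None."""
    m = LOOSE.search(line)
    return m.group("host") if m else None


def extract_strict(line: str) -> Optional[str]:
    """Host the hardened filters would hand to the ban action, or None."""
    for pattern in STRICT:
        m = pattern.match(line)
        if m:
            return m.group("host")
    return None


if __name__ == "__main__":
    for line in (LEGIT_FAILURE, INJECTED):
        print(f"loose={extract_loose(line)!s:14} strict={extract_strict(line)!s:14} {line[:60]}")
```

On the constructed injected line the loose filter hands 1.2.3.4 (the innocent address inside the client-supplied text) to the ban action, while the anchored filter hands over 203.0.113.9, the address sshd itself appended.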
Solution / Fix
Solution:
Please see the references for more information.
Cyril Jaquier Fail2Ban 0.7.5
- Debian fail2ban_0.7.5-2etch1_all.deb: http://security.debian.org/pool/updates/main/f/fail2ban/fail2ban_0.7.5-2etch1_all.deb
References
References:
- Attacking Log analysis tools. (Daniel B. Cid)
- Bugzilla Bug 181214 (Gentoo)
- Fail2ban Home Page (Cyril Jaquier)