J-Security Center

Title: Multiple Vendor Cfengine Format String Vulnerability

Severity: HIGH

Description:

Cfengine is a language-based system for testing and configuring Unix-like systems attached to a TCP/IP network. cfd, the cfengine daemon component which serves as a remote-configuration client to cfengine, contains several improperly designed calls to syslog(), in which text received from the network is used as the format string. As a result, trusted hosts (or any user, if access controls are not employed) may create and transmit a malicious message to the network daemon containing user-supplied format specifiers. At the very least, it is easy for a user to crash the service. By sending certain format specifiers, it is also possible for malicious users to write to portions of the program's stack and alter the flow of execution. If successful, an attacker can have arbitrary code execute with the privileges of the daemon (root).
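The class of bug described above, as an added C example (not cfengine's code and not part of the original posting): the unsafe syslog() call shape appears only in a comment, next to the corrected constant-format call and a small check that flags format directives in peer-supplied text. The function names, log wording and the "cfd-example" ident are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern (shown as a comment only): the peer's text is the format.
 *     syslog(LOG_ERR, peer_msg);
 * Corrected pattern: constant format, peer's text passed as data.
 *     syslog(LOG_ERR, "%s", peer_msg);
 */

/* Count printf-style directives in untrusted text; "%%" is a literal percent
 * sign and is not counted. A non-zero count is a useful audit signal. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build the line exactly as the corrected call formats it. */
int format_peer_line(char *out, size_t outlen, const char *peer_msg)
{
    return snprintf(out, outlen, "peer message: %s", peer_msg);
}

/* Hypothetical logging wrapper for text received from a network peer. */
void log_peer_message(const char *peer_msg)
{
    size_t n = count_directives(peer_msg);
    if (n > 0)
        syslog(LOG_WARNING, "peer message contains %zu format directive(s)", n);
    syslog(LOG_ERR, "peer message: %s", peer_msg);
}

int main(void)
{
    openlog("cfd-example", LOG_PID, LOG_DAEMON);
    log_peer_message("constructed input: %x %x %n");  /* logged verbatim */
    closelog();
    return 0;
}
```

Compiling daemon code with -Wformat -Wformat-security makes GCC and Clang warn on calls whose format argument is not a string literal, which is how this call shape is usually found during review.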

The following is excerpted verbatim from the original bugtraq posting by Pekka Savola <Pekka.Savola@netcore.fi>:

"VERSIONS AND PLATFORMS AFFECTED:
--------------------------------

Every recent version except 1.6.0a11 released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools. Debian, at least, includes cfengine
as a package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other
though.

Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform."

Affected Products:

  • Debian Linux 2.2.0
  • GNU Cfengine 1.5.0x
  • GNU Cfengine 1.5.3-4
  • GNU Cfengine 1.6.0a10
