J-Security Center

Title: CFEngine CFServD Transaction Packet Buffer Overrun Vulnerability

Severity: CRITICAL

Description:

GNU cfengine is software for automating administration and maintenance of large networks. It is available for Unix and Linux variants.

cfengine is prone to a stack-based buffer overrun vulnerability. This issue may be exploited by remote attackers who are able to send malicious transaction packets to cfservd. cfservd is typically configured to run on a central master server, which may have some degree of authority over other systems in the network.

This issue is due to insufficient bounds checking of data read during a transaction with a remote user. In particular, the BusyWithConnection() function in the cfservd.c source file passes externally supplied data in a 4096-byte stack-based buffer to the ReceiveTransaction() function in net.c. ReceiveTransaction() then reads a value for the message length from the socket, and passes both the message length and the buffer to the RecvSocketStream() function. If the message length exceeds 4096 bytes, adjacent regions of memory are overwritten with the surplus data. In this manner it is possible to corrupt stack variables such as a saved instruction pointer with attacker-supplied values, allowing control of execution flow and execution of malicious instructions placed in memory by the attacker.
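As an added illustration (not code from cfengine or from this advisory), the following C model shows the hardened shape of the receive path described above: the message length read from the wire is compared with the fixed buffer size before any data is copied, which is the check the vulnerable code lacks. The in-memory socket, the 8-byte ASCII length header and the function names are assumptions made for the model, not cfengine's actual wire format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CF_BUFSIZE 4096   /* size of the stack buffer named in the advisory */
#define HDR_LEN 8         /* assumed: fixed 8-byte ASCII decimal length header */

/* Constructed in-memory stand-in for the socket: a byte array with a read cursor. */
typedef struct { const unsigned char *data; size_t len; size_t pos; } stream_t;
/* Stand-in for RecvSocketStream(): copies up to n bytes, returns how many it got. */
static size_t recv_stream(stream_t *s, unsigned char *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Hardened stand-in for ReceiveTransaction(): returns the payload length, or -1 for a
 * malformed, truncated or oversized message. The advisory's defect is the missing
 * `msglen > bufsize` test: the wire length went straight to RecvSocketStream(). */
static int receive_transaction(stream_t *s, unsigned char *buf, size_t bufsize) {
    char hdr[HDR_LEN + 1], *end;
    if (recv_stream(s, (unsigned char *)hdr, HDR_LEN) != HDR_LEN) return -1;
    hdr[HDR_LEN] = '\0';
    long msglen = strtol(hdr, &end, 10);
    if (end == hdr || msglen < 0) return -1;          /* header is not a number */
    if ((size_t)msglen > bufsize) return -1;          /* the missing bounds check */
    if (recv_stream(s, buf, (size_t)msglen) != (size_t)msglen) return -1;
    return (int)msglen;
}

/* Mirrors BusyWithConnection(): a fixed 4096-byte stack buffer receives one transaction.
 * The packet is constructed here, claiming `claimed` bytes and carrying exactly that many
 * 'A's, so the outcome depends only on the length check. Returns -1 when refused. */
static int handle_packet(size_t claimed) {
    unsigned char buf[CF_BUFSIZE];
    size_t total = HDR_LEN + claimed;
    unsigned char *pkt = malloc(total + 1);
    if (!pkt) return -1;
    snprintf((char *)pkt, HDR_LEN + 1, "%08zu", claimed);
    memset(pkt + HDR_LEN, 'A', claimed);
    stream_t s = { pkt, total, 0 };
    int rc = receive_transaction(&s, buf, sizeof buf);
    free(pkt);
    return rc;
}

int main(void) {
    printf("4096-byte message: %d\n", handle_packet(4096)); /* 4096: fits, accepted */
    printf("4097-byte message: %d\n", handle_packet(4097)); /* -1: refused before copy */
    return 0;
}
```

A message whose declared length exceeds the buffer is rejected before a single payload byte is copied, so the stack layout the advisory describes is never reachable.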

The vulnerability may be exploited to execute arbitrary code with the privileges of cfservd. Exploitation attempts may also result in a denial of service, since cfservd is multi-threaded and may not be configured to be restarted by a super-server such as inetd.

Affected Products:

  • GNU Cfengine 2.0.0.0
  • GNU Cfengine 2.0.1
  • GNU Cfengine 2.0.2
  • GNU Cfengine 2.0.3
  • GNU Cfengine 2.0.4
  • GNU Cfengine 2.0.5
  • GNU Cfengine 2.0.5b1
  • GNU Cfengine 2.0.5pre
  • GNU Cfengine 2.0.5pre2
  • GNU Cfengine 2.0.6
  • GNU Cfengine 2.0.7
  • GNU Cfengine 2.0.7p1
  • GNU Cfengine 2.0.7p2
  • GNU Cfengine 2.0.7p3
  • GNU Cfengine 2.1.0.0a6
  • GNU Cfengine 2.1.0.0a8
  • GNU Cfengine 2.1.0.0a9
