CVE-2005-1911
CVSS5.0
发布时间 :2005-06-09 00:00:00
修订时间 :2008-09-05 16:50:24
NMCOPS    

[原文]The fetchnews NNTP client in leafnode 1.11.2 and earlier can hang while waiting for input that never arrives, which allows remote NNTP servers to cause a denial of service (news loss).


[CNNVD]Leafnode 拒绝服务攻击漏洞(CNNVD-200506-068)

        leafnode 1.11.2及早期版本中的fetchnews NNTP客户端软件在等待的输入无法到达时,将应用程序挂起,这样远程NNTP服务器就可触发拒绝服务攻击(新闻丢失)。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:leafnode:leafnode:1.9.25
cpe:/a:leafnode:leafnode:1.9.44
cpe:/a:leafnode:leafnode:1.10.0
cpe:/a:leafnode:leafnode:1.9.29
cpe:/a:leafnode:leafnode:1.11.1
cpe:/a:leafnode:leafnode:1.9.32
cpe:/a:leafnode:leafnode:1.9.28
cpe:/a:leafnode:leafnode:1.9.30
cpe:/a:leafnode:leafnode:1.9.37
cpe:/a:leafnode:leafnode:1.9.26
cpe:/a:leafnode:leafnode:1.9.35
cpe:/a:leafnode:leafnode:1.9.21
cpe:/a:leafnode:leafnode:1.9.33
cpe:/a:leafnode:leafnode:1.9.19
cpe:/a:leafnode:leafnode:1.9.31
cpe:/a:leafnode:leafnode:1.9.52
cpe:/a:leafnode:leafnode:1.9.22
cpe:/a:leafnode:leafnode:1.9.47
cpe:/a:leafnode:leafnode:1.9.40
cpe:/a:leafnode:leafnode:1.9.23
cpe:/a:leafnode:leafnode:1.9.45
cpe:/a:leafnode:leafnode:1.9.24
cpe:/a:leafnode:leafnode:1.9.38
cpe:/a:leafnode:leafnode:1.9.41
cpe:/a:leafnode:leafnode:1.9.34
cpe:/a:leafnode:leafnode:1.9.42
cpe:/a:leafnode:leafnode:1.9.43
cpe:/a:leafnode:leafnode:1.9.46
cpe:/a:leafnode:leafnode:1.9.53
cpe:/a:leafnode:leafnode:1.9.27
cpe:/a:leafnode:leafnode:1.9.36
cpe:/a:leafnode:leafnode:1.9.39
cpe:/a:leafnode:leafnode:1.9.48
cpe:/a:leafnode:leafnode:1.9.20

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1911
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1911
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-068
(官方数据源) CNNVD

- 其它链接及资源

http://leafnode.sourceforge.net/leafnode-SA-2005-02.txt
(VENDOR_ADVISORY)  CONFIRM  http://leafnode.sourceforge.net/leafnode-SA-2005-02.txt

- 漏洞信息

Leafnode 拒绝服务攻击漏洞
中危 其他
2005-06-09 00:00:00 2005-10-20 00:00:00
远程  
        leafnode 1.11.2及早期版本中的fetchnews NNTP客户端软件在等待的输入无法到达时,将应用程序挂起,这样远程NNTP服务器就可触发拒绝服务攻击(新闻丢失)。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        Leafnode Leafnode 1.11.1
        Leafnode leafnode-1.11.2.rel.tar.bz2
        http://sourceforge.net/project/showfiles.php?group_id=57767&package_id =53446&release_id=325112
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.11.2
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.19
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.20
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.21
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.22
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.23
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.24
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.25
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.26
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.27
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.29
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.30
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.31
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.35
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.36
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.37
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.38
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.39
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.40
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.41
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.42
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.43
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.45
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.47
        Leafnode leafnode-1.11.3.rel.tar.bz2
        http://prdownloads.sourceforge.net/leafnode/leafnode-1.11.3.rel.tar.bz 2?download
        Leafnode Leafnode 1.9.48
        Leafnode leafnode-1.11.2.rel.tar.bz2
        http://sourceforge.net/project/showfiles.php?group_id=57767&package_id =53446&release_id=325112
        Leafnode leafnode

- 漏洞信息 (F38137)

leafnode-SA-2005-02.txt (PacketStormID:F38137)
2005-06-20 00:00:00
Adam Funk  
advisory,denial of service
CVE-2005-1911
[点击下载]

Leafnode versions 1.11.2 and below are susceptible to a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

leafnode-SA-2005:02.fetchnews-hangs-on-header

Topic:		potential denial of service in leafnode

Announcement:	leafnode-SA-2005:02
Author:		Matthias Andree
Version:	1.00
Announced:	2005-06-08
Category:	main
Type:		potential denial of service
Impact:		fetchnews hangs, no new fetchnews/texpire processes
		can be started
Credits:	Adam Funk (bug report)
Danger:		medium:
		- no build-up of memory consumption
		- no privilege escalation through this bug
		- malicious upstream server can be unlisted
CVE Name:	CAN-2005-1911
URL:		http://leafnode.sourceforge.net/leafnode-SA-2005-02.txt
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1911

Affects:	leafnode versions up to and including 1.11.2

Not affected:	leafnode 1.11.3

Default install: affected.

Corrected:	2005-06-08 14:06 UTC (CVS) - committed corrected version
		2005-06-08                   leafnode 1.11.3 released

0. Release history

2005-06-08	1.00 initial announcement

1. Background

leafnode is a store-and-forward proxy for Usenet news, is uses the
network news transfer protocol (NNTP). It consists of several
collaborating programs, the server part is usually started by inetd,
xinetd or tcpserver, the client part is usually started by cron,
a PPP post-connect script or manually.

This security announcement pertains to leafnode-1, the stable branch.

The leafnode-2 development branch is not subject to security announcements.

2. Problem description

A vulnerability was found in the fetchnews program (the NNTP client) that
may under some circumstances cause a wait for input that never arrives,
fetchnews "hangs". This hang does not cost CPU.

3. Impact

As only one fetchnews program can run at a time, subsequently started
fetchnews and texpire programs will terminate. This means that the news
database will no longer be updated, older articles will no longer
expire, until the hanging fetchnews process gets unstuck, usually
through a manual "kill" command or a reboot.

4. Workaround

Comment out all configuration pertaining to the malicious server.

Note that this is not a full solution as transient network errors can
also cause delays in querying other network servers, and it requires
manual intervention to find out which server is malicious.

5. Solution

Upgrade your leafnode package to version 1.11.3.
leafnode 1.11.3 is available from SourceForge:
<http://sourceforge.net/project/showfiles.php?group_id=57767>

Leafnode 1.X versions are deemed stable, and it is usually best to go
for the latest released 1.X version to have all the other bug fixes as
well.

A. References

leafnode home page: <http://leafnode.sourceforge.net/>

B. Copyright and License

(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

END OF leafnode-SA-2005:02.fetchnews-hangs-on-header
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCp2h7vmGDOQUufZURAmyFAJ472k0A3odOSlKIUjagJaqc2XBWhwCfbQ0S
UCZhYWxLaknqCqGH7JKrywU=
=Bg9q
-----END PGP SIGNATURE-----
    

- 漏洞信息

17295
leafnode Multiple fetchnews/texpire Instance DoS
Remote / Network Access Denial of Service
Loss of Availability Upgrade
Vendor Verified

- 漏洞描述

- 时间线

2005-06-08 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 1.11.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Leafnode FetchFews Client Article Header Timeout Remote Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 13901
Yes No
2005-06-08 12:00:00 2009-07-12 02:56:00
The vendor announced this issue.

- 受影响的程序版本

Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
Leafnode Leafnode 1.11.2
Leafnode Leafnode 1.11.1
Leafnode Leafnode 1.9.50
Leafnode Leafnode 1.9.49
Leafnode Leafnode 1.9.48
Leafnode Leafnode 1.9.47
Leafnode Leafnode 1.9.45
Leafnode Leafnode 1.9.43
Leafnode Leafnode 1.9.42
Leafnode Leafnode 1.9.41
Leafnode Leafnode 1.9.40
Leafnode Leafnode 1.9.39
Leafnode Leafnode 1.9.38
Leafnode Leafnode 1.9.37
Leafnode Leafnode 1.9.36
Leafnode Leafnode 1.9.35
Leafnode Leafnode 1.9.31
Leafnode Leafnode 1.9.30
Leafnode Leafnode 1.9.29
Leafnode Leafnode 1.9.27
Leafnode Leafnode 1.9.26
Leafnode Leafnode 1.9.25
Leafnode Leafnode 1.9.24
+ Mandriva Linux Mandrake 9.0
Leafnode Leafnode 1.9.23
Leafnode Leafnode 1.9.22
Leafnode Leafnode 1.9.21
Leafnode Leafnode 1.9.20
Leafnode Leafnode 1.9.19
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
Leafnode Leafnode 1.11.3
Leafnode Leafnode 1.11.2

- 不受影响的程序版本

Leafnode Leafnode 1.11.3
Leafnode Leafnode 1.11.2

- 漏洞讨论

Leafnode fetchnews is susceptible to a remote denial of service vulnerability. This issue is due to a failure of the application to properly handle network delays.

Successful exploitation of this issue may cause the fetchnews software to hang, and then to fail to query other news servers that are listed after the malicious news server in the fetchnews configuration file.

This vulnerability affects Leafnode versions prior to 1.11.3.

- 漏洞利用

No exploit is required.

- 解决方案

The vendor has released leafnode version 1.11.3, as well as an advisory to address this issue. Users are advised to upgrade to the fixed version. Please see the referenced advisory for further information.

Mandriva has released security announcement MDKSA-2005:114 addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.


Leafnode Leafnode 1.11.1

Leafnode Leafnode 1.11.2

Leafnode Leafnode 1.9.19

Leafnode Leafnode 1.9.20

Leafnode Leafnode 1.9.21

Leafnode Leafnode 1.9.22

Leafnode Leafnode 1.9.23

Leafnode Leafnode 1.9.24

Leafnode Leafnode 1.9.25

Leafnode Leafnode 1.9.26

Leafnode Leafnode 1.9.27

Leafnode Leafnode 1.9.29

Leafnode Leafnode 1.9.30

Leafnode Leafnode 1.9.31

Leafnode Leafnode 1.9.35

Leafnode Leafnode 1.9.36

Leafnode Leafnode 1.9.37

Leafnode Leafnode 1.9.38

Leafnode Leafnode 1.9.39

Leafnode Leafnode 1.9.40

Leafnode Leafnode 1.9.41

Leafnode Leafnode 1.9.42

Leafnode Leafnode 1.9.43

Leafnode Leafnode 1.9.45

Leafnode Leafnode 1.9.47

Leafnode Leafnode 1.9.48

Leafnode Leafnode 1.9.49

Leafnode Leafnode 1.9.50

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站