CVE-2005-3118
CVSS 7.5
Published: 2005-10-06 15:02:00
Last modified: 2011-03-07 21:25:50

[Original text] Mason before 1.0.0 does not install the init script after the user uses Mason to configure a firewall, which causes the system to run without a firewall after a reboot.


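[CNNVD] Debian Linux Mason Init.d Firewall Loading Failure Vulnerability (CNNVD-200510-052)

        The Mason extension is an extension for Firefox that works by monitoring and modifying HTTP protocol header information to implement numerous functions.
        Mason versions before 1.0.0 do not install the init script after the user uses Mason to configure a firewall, which causes the system to run without a firewall after a reboot.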

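- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]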

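- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found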

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3118
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3118
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-052
(Official data source) CNNVD

- Other links and resources

http://secunia.com/advisories/17084
(VENDOR_ADVISORY)  SECUNIA  17084
http://www.vupen.com/english/advisories/2005/1976
(UNKNOWN)  VUPEN  ADV-2005-1976
http://www.debian.org/security/2005/dsa-845
(UNKNOWN)  DEBIAN  DSA-845
http://www.securityfocus.com/bid/15019
(UNKNOWN)  BID  15019
http://www.osvdb.org/19875
(UNKNOWN)  OSVDB  19875

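- Vulnerability information

Debian Linux Mason Init.d Firewall Loading Failure Vulnerability
High risk  Configuration error
2005-10-06 00:00:00 2005-10-20 00:00:00
Remote
        The Mason extension is an extension for Firefox that works by monitoring and modifying HTTP protocol header information to implement numerous functions.
        Mason versions before 1.0.0 do not install the init script after the user uses Mason to configure a firewall, which causes the system to run without a firewall after a reboot.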

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. Patch download links:
        Debian mason 0.13 .92
        Debian mason_1.0.0-2.2_all.deb
        http://security.debian.org/pool/updates/main/m/mason/mason_1.0.0-2.2_all.deb

- Vulnerability information (F40478)

Debian Linux Security Advisory 845-1 (PacketStormID:F40478)
2005-10-07 00:00:00
Debian  security.debian.org
advisory
linux,debian
CVE-2005-3118

Debian Security Advisory DSA 845-1 - Christoph Martin noticed that upon configuration mason, which interactively creates a Linux packet filtering firewall, does not install the init script to actually load the firewall during system boot. This will leave the machine without a firewall after a reboot.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 845-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 6th, 2005                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mason
Vulnerability  : programming error
Problem type   : remote
Debian-specific: yes
CVE ID         : CAN-2005-3118
Debian Bug     : 222384

Christoph Martin noticed that upon configuration mason, which
interactively creates a Linux packet filtering firewall, does not
install the init script to actually load the firewall during system
boot.  This will leave the machine without a firewall after a reboot.

For the old stable distribution (woody) this problem has been fixed in
version 0.13.0.92-2woody1.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.0-2.2.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.0-3.

We recommend that you upgrade your mason package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mason/mason_0.13.0.92-2woody1.dsc
      Size/MD5 checksum:      541 ecb992ca78a35ca58a14eeab6cf4f15c
    http://security.debian.org/pool/updates/main/m/mason/mason_0.13.0.92-2woody1.diff.gz
      Size/MD5 checksum:     3659 222ab145878984b9e181eea0046b6526
    http://security.debian.org/pool/updates/main/m/mason/mason_0.13.0.92.orig.tar.gz
      Size/MD5 checksum:   218789 e1de238f5adc99bdbd519c92513f96b4

  Architecture independent components:

    http://security.debian.org/pool/updates/main/m/mason/mason_0.13.0.92-2woody1_all.deb
      Size/MD5 checksum:   184824 e32b3597c9bbf77624e205a6c4a8fdd2


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mason/mason_1.0.0-2.2.dsc
      Size/MD5 checksum:      593 e899d7d2eeee90bdf85b37053613e0b4
    http://security.debian.org/pool/updates/main/m/mason/mason_1.0.0-2.2.diff.gz
      Size/MD5 checksum:    47013 0a8b604f753b008eaf3a5f2cca030023
    http://security.debian.org/pool/updates/main/m/mason/mason_1.0.0.orig.tar.gz
      Size/MD5 checksum:   506940 62785d59e03df309fed8abe97e479af0

  Architecture independent components:

    http://security.debian.org/pool/updates/main/m/mason/mason_1.0.0-2.2_all.deb
      Size/MD5 checksum:   423220 cc8e8f0ed22d2efdbb0e9d0e4cd61d8e


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDRNreW5ql+IAeqTIRAhRVAJ9ltyqfa6P3QJ7eEmxzn0bksaApWwCdFMl3
JSwzwaIcBgDffjALeodL1MQ=
=W0ha
-----END PGP SIGNATURE-----

    

- Vulnerability information

19875
Debian mason postinst Firewall Startup Failure
Local Access Required Misconfiguration
Loss of Integrity
Exploit Public

- Vulnerability description

mason contains a flaw that may leave a system without a firewall after a reboot. The issue is triggered when a user configures mason after the installation, resulting in a loss of integrity.

- Timeline

2005-10-06 Unknown
2005-10-06 Unknown

- Solution

Upgrade to version 1.0.0-3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Debian Linux Mason Init.d Firewall Loading Failure Vulnerability
Configuration Error 15019
Yes No
2005-10-06 12:00:00 2009-07-12 05:06:00
Christoph Martin is credited with the discovery of this vulnerability.

- Affected software versions

Debian mason 0.13 .92
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian mason 0.13 .92-2

- Unaffected software versions

Debian mason 0.13 .92-2

- Vulnerability discussion

The Debian Linux Mason package is prone to an issue that may cause the firewall not to load at system startup. A startup script is missing from the installation package which performs a required function.

A false sense of security is held by the application owner when the affected computer is restarted.

A remote attacker may exploit this configuration error by connecting to ports that would otherwise be remotely unavailable.

- Exploit

No exploit is required.

- Solution

Debian has released an update to address this vulnerability; please see the referenced advisory for further details.


Debian mason 0.13 .92

Debian Linux 3.1

Debian Linux 3.1 ia-32

Debian Linux 3.1 ppc

Debian Linux 3.1 alpha

Debian Linux 3.1 m68k

Debian Linux 3.1 ia-64

Debian Linux 3.1 mipsel

Debian Linux 3.1 arm

Debian Linux 3.1 mips

Debian Linux 3.1 s/390

Debian Linux 3.1 amd64

Debian Linux 3.1 hppa

Debian Linux 3.1 sparc

- Related references

 

 
