Archive for February, 2014

ConfigServer Firewall (CSF) – Log Forging (SSH Login) Vulnerability (R911-0120)

Sunday, February 2nd, 2014

Type: Log Forging
Location: Local
Impact: Low
Product: ConfigServer Firewall (CSF)
Website: http://configserver.com/cp/csf.html
Vulnerable Version: 6.40
Fixed Version: 6.42 (See Notes Below!)
CVE: -
R911: 0120
Date: 2014-02-02
By: Rack911

Product Description:

ConfigServer Firewall (CSF) is a Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

Vulnerability Description:

It is possible for a malicious user to create forged log entries to trick the Login Failure Daemon into believing that a user has logged into the server via SSH or other services being monitored. This is more of a nuisance exploit than anything else, but could be used to create confusion and concern for administrators.

Impact:

We have deemed this vulnerability to be rated as LOW due to the fact that only nuisance (forged) alerts can be generated.

Vulnerable Version:

This vulnerability was tested against ConfigServer Firewall (CSF) 6.40 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

ConfigServer Firewall (CSF) added several options in v6.41 and v6.42 to help mitigate this attack. Please read the following change log to fully understand the options available:

http://www.configserver.com/free/csf/changelog.txt

Vendor Contact Timeline:

2014-01-26: Vendor contacted via email.
2014-01-26: Vendor confirms vulnerability.
2014-01-29: Vendor issues update v6.41.
2014-02-02: Vendor issues update v6.42.
2014-02-02: Rack911 issues security advisory.

ConfigServer Firewall (CSF) – Log Forging (Deny IP) Vulnerability (R911-0119)

Sunday, February 2nd, 2014

Type: Log Forging
Location: Local
Impact: High
Product: ConfigServer Firewall (CSF)
Website: http://configserver.com/cp/csf.html
Vulnerable Version: 6.40
Fixed Version: 6.42 (See Notes Below!)
CVE: -
R911: 0119
Date: 2014-02-02
By: Rack911

Product Description:

ConfigServer Firewall (CSF) is a Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

Vulnerability Description:

It is possible for a malicious user to create forged log entries to trick the Login Failure Daemon feature into believing that an IP address is attempting to brute force the server, which then blocks the IP address in question. Blocking administrators, other users or other servers, and creating a DoS against the server, is possible with this attack.
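Both advisories on this page turn on the same mechanism: a login-failure monitor reads daemon log lines and attributes each failure to a source address, so a log entry whose user-controlled part mimics a failure message can cause a wrong attribution (a fake alert in R911-0120, a block of the wrong address here). The following added example is not CSF or lfd code; the log lines, pattern names and functions are constructed for this illustration. It contrasts an unanchored pattern search with a parser that anchors on the full syslog line and takes the source address only from the position the daemon itself writes it, which is one general way a log monitor can be made robust against forged entries. The third constructed line has a login name chosen to resemble a failure message.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (not taken from the advisory). The first two
# are what sshd itself writes for a failed login. The third is a line in which
# the user-supplied login name resembles a failure message, so that an
# unanchored search finds a second source address inside it.
SAMPLE_LOG = [
    "Feb  2 10:00:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 50111 ssh2",
    "Feb  2 10:00:02 host sshd[2101]: Failed password for root from 198.51.100.7 port 50112 ssh2",
    "Feb  2 10:00:03 host sshd[2102]: Invalid user Failed password for admin from 203.0.113.9 port 22 ssh2 from 198.51.100.7 port 50113",
]

# Naive approach: look for the failure text anywhere in the line.
NAIVE_FAIL = re.compile(r"Failed password for (\S+) from (\S+)")

# Hardened approach: anchor the whole syslog line (timestamp, host, program
# tag) and then match the message as a whole, so only text in the position the
# daemon writes it can be read as the source address.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# The source address is always the last "from <ip> port <n>" group, which sshd
# appends after any user-controlled text; the trailing $ forces that reading.
FAILED_PASSWORD = re.compile(
    rf"^Failed password for (?:invalid user )?(?P<user>.+) from (?P<ip>{IPV4}) port \d+ ssh2$"
)
INVALID_USER = re.compile(rf"^Invalid user (?P<user>.+) from (?P<ip>{IPV4}) port \d+$")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_naive(line):
    """Attribute a failure by searching anywhere in the line. Returns (user, ip) or None."""
    m = NAIVE_FAIL.search(line)
    return (m.group(1), m.group(2)) if m else None


def parse_strict(line):
    """Attribute a failure only from a well-formed sshd line. Returns (user, ip) or None."""
    if CONTROL_CHARS.search(line):  # a genuine single log line never carries CR/LF/ESC
        return None
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for pattern in (FAILED_PASSWORD, INVALID_USER):
        event = pattern.match(msg)
        if event:
            return event.group("user"), event.group("ip")
    return None


def failures_by_ip(lines, parser):
    """Count failures per source address, as a login-failure monitor would."""
    counts = Counter()
    for line in lines:
        hit = parser(line)
        if hit:
            counts[hit[1]] += 1
    return counts


def addresses_to_block(counts, threshold):
    """Addresses at or above the failure threshold (the monitor's block decision)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def naive_failures(lines=SAMPLE_LOG):
    return failures_by_ip(lines, parse_naive)


def strict_failures(lines=SAMPLE_LOG):
    return failures_by_ip(lines, parse_strict)


if __name__ == "__main__":
    for name, counts in (("naive", naive_failures()), ("strict", strict_failures())):
        print(f"{name}: {dict(counts)}  would block at 3: {addresses_to_block(counts, 3)}")
```

Run stand-alone, the naive parser credits one failure to 203.0.113.9, an address that never connected, while the strict parser attributes all three failures to 198.51.100.7, the address sshd actually recorded. The design point is that the monitor must treat the daemon's own framing (syslog prefix, program tag, trailing "from <ip> port <n>") as the only trustworthy structure and never match on free text that a remote user can influence.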

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any user, including administrators, can have their IP addresses blocked.

Vulnerable Version:

This vulnerability was tested against ConfigServer Firewall (CSF) 6.40 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

ConfigServer Firewall (CSF) added several options in v6.41 and v6.42 to help mitigate this attack. Please read the following change log to fully understand the options available:

http://www.configserver.com/free/csf/changelog.txt

Vendor Contact Timeline:

2014-01-26: Vendor contacted via email.
2014-01-26: Vendor confirms vulnerability.
2014-01-29: Vendor issues update v6.41.
2014-02-02: Vendor issues update v6.42.
2014-02-02: Rack911 issues security advisory.