R-fx Networks BFD – Log Forging (Deny IP) Vulnerability (R911-0121)

Type: Log Forging
Location: Local
Impact: High
Product: R-fx Networks BFD
Website: https://www.rfxn.com
Vulnerable Version: 1.5
Fixed Version: 1.5-1
CVE: -
R911: 0121
Date: 2014-02-03
By: Rack911

Product Description:

BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.

Vulnerability Description:

Through log forging, that is, by getting attacker-controlled text into a log file that BFD parses as an authentication failure, it is possible to trick BFD into blocking an arbitrary IP range (e.g. 24.0.0.0/8) instead of a single address. A malicious user can exploit this to create a DoS against the server, blocking every IPv4 address with minimal effort.
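The following is an added example, not BFD's own code, showing why a log parser that hands whatever follows "from" straight to the firewall is exploitable and how validating the extracted token as a single host address stops the range-blocking variant. The log lines, the regular expressions and the function names are all assumptions constructed for this illustration; they are loosely modelled on sshd failure messages and do not reproduce BFD's actual rules.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (assumed format, not real BFD or sshd output).
# Lines 3 and 4 carry an attacker-chosen username of the form
# "root from <address>", so the word "from" appears twice: once with the
# forged token and once with the real peer address recorded by the daemon.
SAMPLE_LOG = """\
Feb  3 10:01:12 host sshd[2001]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb  3 10:01:13 host sshd[2001]: Failed password for root from 203.0.113.7 port 51023 ssh2
Feb  3 10:02:40 host sshd[2002]: Invalid user root from 24.0.0.0/8 from 198.51.100.9 port 40000
Feb  3 10:02:41 host sshd[2003]: Invalid user root from 192.0.2.55 port 1 from 198.51.100.9 port 40001
"""

# Vulnerable pattern: any non-space token after the first "from".
NAIVE_RE = re.compile(r"\bfrom (\S+)")

# Hypothetical hardened pattern: a dotted quad that is immediately followed
# by the " port <n>" token the daemon emits after the real peer address.
STRICT_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def naive_extract(line):
    """Vulnerable: returns whatever token follows the first 'from', CIDR included."""
    m = NAIVE_RE.search(line)
    return m.group(1) if m else None


def strict_extract(line):
    """Hardened: extract a dotted quad and require it to parse as ONE host address.

    ipaddress.ip_address() raises ValueError for CIDR notation such as
    24.0.0.0/8, so a forged range never reaches the firewall.
    """
    m = STRICT_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def tally_failures(log, extractor):
    """Count authentication failures per extracted source address."""
    counts = Counter()
    for line in log.splitlines():
        src = extractor(line)
        if src is not None:
            counts[src] += 1
    return dict(counts)


def block_list(log, extractor, threshold):
    """Sources meeting the failure threshold; each would become a firewall deny rule."""
    tally = tally_failures(log, extractor)
    return sorted(src for src, n in tally.items() if n >= threshold)


if __name__ == "__main__":
    # With a threshold of 1 the naive parser would deny 24.0.0.0/8 outright;
    # the strict parser never sees the range, but the forged single host
    # 192.0.2.55 on line 4 still makes it through both parsers.
    print("naive :", block_list(SAMPLE_LOG, naive_extract, 1))
    print("strict:", block_list(SAMPLE_LOG, strict_extract, 1))
```

Note the fourth log line: even the strict parser extracts the forged single host 192.0.2.55, because the attacker placed a well-formed address and a plausible " port" token inside the username. That is the residual single-IP problem the fixed version still has. Preferring the last "from" match would defeat this particular layout, but that is specific to how each daemon orders its fields and belongs in the per-application rule, not in the generic extractor.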

Impact:

We have rated this vulnerability HIGH because any user, including administrators, can have their IP address blocked, and because a single forged entry can lock the entire IPv4 address space out of the server.

Vulnerable Version:

This vulnerability was tested against R-fx Networks BFD 1.5 and is believed to exist in all versions prior to the fixed build below.

Fixed Version:

This vulnerability was patched in R-fx Networks BFD 1.5-1; however, the ability to maliciously block a *single* IP address remains. Please read the following forum post for mitigation suggestions:

http://www.webhostingtalk.com/showthread.php?t=1344458

Vendor Contact Timeline:

2014-01-26: Vendor contacted via email.
2014-01-27: Vendor confirms vulnerability.
2014-01-29: Vendor issues update.
2014-02-03: Rack911 issues security advisory.