CVE-2007-4321 - Remote Denial of Service vulnerability in Fail2Ban 0.8
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |

Summary
fail2ban 0.8 and earlier does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in via ssh with a client protocol version identification containing an IP address string, a different vector than CVE-2006-6302.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Exploit-Db
description | Fail2ban 0.8 Remote Denial of Service Vulnerability. CVE-2007-4321. Dos exploit for linux platform |
id | EDB-ID:30430 |
last seen | 2016-02-03 |
modified | 2007-07-28 |
published | 2007-07-28 |
reporter | Daniel B. Cid |
source | https://www.exploit-db.com/download/30430/ |
title | Fail2ban <= 0.8 - Remote Denial of Service Vulnerability |
Nessus
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200707-13.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200707-13 (Fail2ban: Denial of Service) A vulnerability has been discovered in Fail2ban when parsing log files. Impact : A remote attacker could send specially crafted SSH login banners to the vulnerable host, which would prevent any ssh connection to the host and result in a Denial of Service. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25809 |
published | 2007-07-30 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/25809 |
title | GLSA-200707-13 : Fail2ban: Denial of Service |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200707-13.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(25809);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:44");

  script_cve_id("CVE-2007-4321");
  script_xref(name:"GLSA", value:"200707-13");

  script_name(english:"GLSA-200707-13 : Fail2ban: Denial of Service");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200707-13
(Fail2ban: Denial of Service)

    A vulnerability has been discovered in Fail2ban when parsing log files.

Impact :

    A remote attacker could send specially crafted SSH login banners to the
    vulnerable host, which would prevent any ssh connection to the host and
    result in a Denial of Service.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.ossec.net/en/attacking-loganalysis.html#fail2ban"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200707-13"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Fail2ban users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=net-analyzer/fail2ban-0.8.0-r1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:fail2ban");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/07/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/07/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"net-analyzer/fail2ban", unaffected:make_list("ge 0.8.0-r1"), vulnerable:make_list("lt 0.8.0-r1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Fail2ban");
}
```

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-1456.NASL |
description | Daniel B. Cid discovered that fail2ban, a tool to block IP addresses that cause login failures, is too liberal about parsing SSH log files, allowing an attacker to block any IP address. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 29903 |
published | 2008-01-10 |
reporter | This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/29903 |
title | Debian DSA-1456-1 : fail2ban - programming error |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1456. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(29903);
  script_version("1.12");
  script_cvs_date("Date: 2019/08/02 13:32:21");

  script_cve_id("CVE-2007-4321");
  script_xref(name:"DSA", value:"1456");

  script_name(english:"Debian DSA-1456-1 : fail2ban - programming error");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Daniel B. Cid discovered that fail2ban, a tool to block IP addresses
that cause login failures, is too liberal about parsing SSH log files,
allowing an attacker to block any IP address."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2008/dsa-1456"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the fail2ban package.

The old stable distribution (sarge) doesn't contain fail2ban.

For the stable distribution (etch), this problem has been fixed in
version 0.7.5-2etch1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:fail2ban");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/01/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"4.0", prefix:"fail2ban", reference:"0.7.5-2etch1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

References
- http://bugs.gentoo.org/show_bug.cgi?id=181214
- http://osvdb.org/42484
- http://secunia.com/advisories/23237
- http://secunia.com/advisories/28374
- http://security.gentoo.org/glsa/glsa-200707-13.xml
- http://www.debian.org/security/2008/dsa-1456
- http://www.ossec.net/en/attacking-loganalysis.html
- http://www.securityfocus.com/bid/25117