Package: hylafax-server
Version: 1:4.2.0-9
Severity: important
Problem Description and Impact:

HylaFAX hfaxd authenticates users against the hosts.hfaxd database. The first field of a hosts.hfaxd entry (the "client") has the syntax "username@hostname", where "username" is supplied during the hfaxd protocol exchange and "hostname" is the official host name or the dotted IP address. Regular expressions are used to match usernames, hostnames, and addresses. By tradition, if the entry does not contain an "@", the field is understood to be the full hostname or full dotted IP address, authenticating any user from the specified host.

The problem is that hfaxd always authenticates by comparing the string "username@hostname" with the client field, irrespective of the formatting of the hosts.hfaxd client field. If the client field matches (as a regex) against that string and no password is required (a subsequent entry field), the login succeeds. Thus, if an attacker can guess hosts.hfaxd entries that do not contain passwords (and most HylaFAX installations will likely contain "localhost" and "127.0.0.1"), hfaxd will authenticate the attacker's login attempts if the attacker merely uses a username, or configures their hostname, that matches the hosts.hfaxd entry. Because hfaxd did not verify that hostnames outside of the local domain matched their resolved addresses before trusting them, "localhost" entries are particularly vulnerable to DNS spoofing.

All HylaFAX versions as far back as 4.0pl0 (1996) are vulnerable to unauthorized remote access to HylaFAX services when there are hosts.hfaxd entries without passwords. HylaFAX installations are likely to have such entries, as that is the default. This vulnerability has been assigned CAN-2004-1182.
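The following is an added example, not code from HylaFAX or from this report: a small Python model of the matching logic the report describes, with the pre-fix behaviour (every client field treated as an unanchored regex against "username@hostname") next to a hardened variant (entries without "@" compared only with the peer's host name or address, anchored matching for entries with "@", and host names trusted only when they resolve to the peer's address). The hosts.hfaxd contents, the field layout (password assumed to be the third colon-separated field) and the DNS table are constructed for the example.

```python
import re
from typing import Callable, Optional

# Constructed sample file, not a real configuration. Assumed layout: the first
# colon-separated field is the "client" pattern and the third is the password,
# empty or absent when no password is required.
SAMPLE_HOSTS_HFAXD = """\
# constructed hosts.hfaxd for illustration
localhost
127.0.0.1
^fax@[^@]*\\.example\\.com$::s3cr3t
"""

# Constructed DNS data so the hardened check runs offline (hypothetical names).
CONSTRUCTED_DNS = {"localhost": {"127.0.0.1"}, "mail.example.com": {"192.0.2.10"}}


def fake_resolve(name: str) -> set[str]:
    """Stand-in for a forward DNS lookup, backed by the constructed table."""
    return CONSTRUCTED_DNS.get(name, set())


def parse_hosts_hfaxd(text: str) -> list[tuple[str, Optional[str]]]:
    """Return (client, password) pairs; password is None when none is required."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        password = fields[2] if len(fields) > 2 and fields[2] else None
        entries.append((fields[0], password))
    return entries


def vulnerable_login(entries, user: str, host: str, password: Optional[str] = None) -> bool:
    """Pre-fix behaviour as the report describes it: every entry is a regex
    searched (unanchored) in "user@host", whether or not it contains "@", and
    the first matching entry decides; no password field means a bare match wins."""
    probe = f"{user}@{host}"
    for client, required in entries:
        if re.search(client, probe):
            return required is None or password == required
    return False


def hardened_login(entries, user: str, host: str, addr: str,
                   resolve: Callable[[str], set[str]],
                   password: Optional[str] = None) -> bool:
    """Hardened variant: a claimed host name is only trusted if it resolves to
    the peer address (otherwise the address is used instead); an entry without
    "@" is a literal host name or address compared with the peer only; an entry
    with "@" must match the whole "user@host" string."""
    if host != addr and addr not in resolve(host):
        host = addr  # unverified name: fall back to the connecting address
    for client, required in entries:
        if "@" in client:
            matched = re.fullmatch(client, f"{user}@{host}") is not None
        else:
            matched = client in (host, addr)
        if matched:
            return required is None or password == required
    return False


if __name__ == "__main__":
    entries = parse_hosts_hfaxd(SAMPLE_HOSTS_HFAXD)
    # Attacker picks the username "localhost" from an unrelated host.
    print("vulnerable:", vulnerable_login(entries, "localhost", "attacker.example"))
    # "127.0.0.1" as a regex: the dots match any character.
    print("vulnerable:", vulnerable_login(entries, "x", "127a0b0c1"))
    print("hardened:  ", hardened_login(entries, "localhost", "attacker.example",
                                         "203.0.113.5", fake_resolve))
```

Running the block shows the two password-less entries granting access to a remote client under the old matching, and the same attempts failing under the hardened rules, while a genuine loopback login and the password-protected "fax@" pattern still behave as intended.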
-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages hylafax-server depends on:
ii  debconf         1.4.30.11               Debian configuration management sy
ii  gs              8.01-5                  Transitional package
ii  gs-gpl [gs]     8.01-5                  The GPL Ghostscript PostScript int
di  hylafax-client  1:4.2.0-9               Flexible client/server fax softwar
ii  libc6           2.3.2.ds1-20            GNU C Library: Shared libraries an
ii  libgcc1         1:3.4.3-6               GCC support library
ii  libpam0g        0.76-22                 Pluggable Authentication Modules l
ii  libstdc++5      1:3.3.5-5               The GNU Standard C++ Library v3
hi  libtiff-tools   3.6.1-3                 TIFF manipulation and conversion t
hi  libtiff4        3.6.1-3                 Tag Image File Format library
ii  mailx           1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii  mime-codecs     7.19-2                  Fast Quoted-Printable and BASE64 M
ii  psmisc          21.5-1                  Utilities that use the proc filesy
ii  zlib1g          1:1.2.2-3               compression library - runtime

-- debconf information:
* hylafax-server/configure_note:
  hylafax-server/start_now: true