An updated version of BFD 1.5 has been released, version 1.5-1, which addresses an address scoping issue that arises when forged syslog data is encountered on the host system running BFD, whether from a malicious local user or from any other source that can generate forged syslog data. In such situations, BFD could be manipulated into banning addresses that would not otherwise validly trigger a ban, using wide-scoped CIDR notation of up to a /8.
The 1.5-1 release addresses this by ensuring that the addresses BFD passes to the BAN_COMMAND are fully qualified single-host (/32 CIDR) addresses only, rather than addresses in any arbitrary CIDR notation.
Thanks go to rack911.com for responsibly advising of this issue and awaiting the release of a fix prior to any public disclosure. The responsible disclosure practices of rack911.com are a testament to their professionalism as a managed services provider as well as to their dedication to improving the security landscape of the web hosting industry at large.
Today I have put up a new release of BFD, version 1.4, that addresses an unsanitized variable issue affecting a value used on the command line. This is a serious issue and should be treated as such; if you currently have BFD installed, I would encourage you to update it immediately. The install.sh script in the BFD package will retain all your options and tracking data, so the update process is painless.
[Fix] properly sanitized vars passed to the command line
[Fix] ignore.hosts is now updated with system addresses on each bfd run
[Note] thanks to [email protected] for invaluable input and pointers
tar xvfz bfd-current.tar.gz
Although this issue has many mitigating factors that lessen the severity of its potential impact, it is nevertheless very serious and it is best to err on the side of caution. I need to extend a special thanks to Jeff Petersen of webhostsecurity.com for identifying this issue in a very professional fashion and offering technical input.
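Both the 1.5-1 scoping fix above (only /32 host addresses reach the BAN_COMMAND) and the 1.4 fix (nothing unsanitized reaches the command line) come down to vetting the address token pulled out of syslog before a ban is issued. The script below is an added example written for this post, not BFD's own code; the sshd log lines are constructed, and the ban command is a stand-in that only prints what it would run.

```shell
#!/bin/sh
# Added example, not BFD's own code. Vets an address extracted from syslog so
# that a forged log line cannot smuggle a CIDR range (10.0.0.0/8) or shell
# metacharacters into the ban command. Only a plain dotted-quad IPv4 host
# address (an implicit /32) is ever passed on.

# Constructed sample log lines: one genuine sshd failure, one forged line that
# tries to get an entire /8 passed to the ban command.
LOG_OK='Mar 10 12:00:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 4022 ssh2'
LOG_FORGED='Mar 10 12:00:02 host sshd[1234]: Failed password for root from 10.0.0.0/8 port 4022 ssh2'

# extract_source LINE: print the token after "from " in a failed-login line
extract_source() {
    printf '%s\n' "$1" | sed -n 's/.*Failed password for .* from \([^ ]*\) port.*/\1/p'
}

# is_host_addr ADDR: succeed only for a dotted-quad IPv4 host address;
# "a.b.c.d/8", out-of-range octets and any non [0-9.] byte are refused.
is_host_addr() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, foreign chars, stray dots
    esac
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1                   # exactly four octets
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ban_target ADDR: print the normalised /32 target, or print nothing and fail
ban_target() {
    is_host_addr "$1" || return 1
    printf '%s/32\n' "$1"
}

# safe_ban LINE: the defensive path; refuses (exit 1) instead of banning a range
safe_ban() {
    src=$(extract_source "$1")
    tgt=$(ban_target "$src") || { echo "refused: '$src' is not a /32 host address" >&2; return 1; }
    echo "ban $tgt"   # stand-in for invoking BAN_COMMAND with the vetted address
}

for line in "$LOG_OK" "$LOG_FORGED"; do
    safe_ban "$line" || :
done
```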
The old theme was doing my head in, so I ditched it. Keep an eye out in the coming days/weeks for new releases of APF & BFD, in addition to a few more howto entries and the release of maldetect with an ATF stats landing page.