R-fx Networks

Tag: bfd

BFD 1.5-1 Update: Forged Syslog Data Vulnerability

by on Jan.29, 2014, under Development, My Blog

Current Release:
http://www.rfxn.com/downloads/bfd-current.tar.gz
http://www.rfxn.com/appdocs/README.bfd
http://www.rfxn.com/appdocs/CHANGELOG.bfd

An updated version of BFD 1.5 has been released, version 1.5-1, which addresses an address scoping issue in the event forged syslog data is encountered on the host system running BFD from a malicious local user or any other sources that may generate forged syslog data. In such situations, BFD can be manipulated to ban addresses that it would otherwise not validly be triggered to do so, with wide scoped CIDR notation at up to a /8.

The 1.5-1 release addresses this by ensuring that addresses BFD passes onto the BAN_COMMAND are fully qualified C class (/32 CIDR) addresses only, as opposed to any CIDR notation address.

Thanks goes to rack911.com for responsibly advising of this issue and awaiting the release of a fix prior to any public disclosure. The responsible disclosure practices of rack911.com are a statement to their professionalism as a managed services provider as well as their dedication to improving the security landscape of the web hosting industry at large.

Leave a Comment :, , , more...

BFD 1.4: Important Security Fix

by on May.08, 2010, under Development

Today I have put up a new release of BFD, version 1.4, that addresses an unsanitized variable issue that is used on the command line. This is a serious issue and should be treated as such, if you currently have BFD installed I would encourage you to update it immediately, the install.sh script in the BFD package will retain all your options and tracking data so the update process is painless.

Current Release:
http://www.rfxn.com/downloads/bfd-current.tar.gz

Change Log:
[Fix] properly sanitized vars passed to the command line
[Fix] ignore.hosts is now updated with system addresses on each bfd run
[Note] thanks to jpetersen@webhostsecurity.com for invaluable input and pointers

wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar xvfz bfd-current.tar.gz
cd bfd-1.4/
./install.sh

Although this issue has many mitigating factors that lessen the severity of the potential impact it is nevertheless very serious and best to opt on the side of caution. I need to extend a special thanks to Jeff Petersen of webhostsecurity.com for identifying this issue in a very professional fashion and offering technical input.

5 Comments :, , , more...

Out with the old, In with the new!

by on May.06, 2010, under My Blog

The old theme was doing my head in, so I ditched it. Keep an eye out in the coming days/weeks for new releases of APF & BFD in addition to a few more howto entries and the release of maldetect with a ATF stats landing page.

1 Comment :, , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Visit our friends!

A few highly recommended friends...