You are here

T-646: Debian fex authentication bypass

June 14, 2011 - 3:45pm

Addthis

PROBLEM:

The vulnerability is caused due to the application not properly verifying the existence of "auth-ID" when uploading files and can be exploited to bypass the authentication mechanism.

PLATFORM:

Debian fex

ABSTRACT:

Debian security discovered that fex, a web service for transferring very large, files, is not properly validating authentication IDs. While the service properly validates existing authentication IDs, an attacker who is not specifying any authentication ID at all, can bypass the authentication procedure.

reference LINKS:

DSA-2259-1 fex
Secunia Advisory SA44940
Debian Security Advisory DSA-2259-1
fex-20110610.tar
Vulnerability Report: Debian GNU/Linux 6.0
CVE-2011-1409
Debian fex packages

IMPACT ASSESSMENT:

High

Discussion:

Debian has issued an update for fex. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

The oldstable distribution (lenny) does not include fex.
For the stable distribution (squeeze), this problem has been fixed in version 20100208+debian1-1+squeeze1.
For the testing distribution (wheezy), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in version 20110610-1.

Impact:

Debian has discovered that F*EX, a web service for transferring very large files, is not properly validating authentication IDs. While the service properly validates existing authentication IDs, an attacker who is not specifying any authentication ID at all can bypass the authentication procedure.

Solution:

Apply updated packages via the apt-get package manager.

Debian fex packages

 

Addthis