NetBSD Problem Report #11146

Received: (qmail 8089 invoked from network); 5 Oct 2000 18:48:53 -0000
Message-Id: <200010051848.LAA25369@nbwww.isc.org>
Date: Thu, 5 Oct 2000 11:48:53 -0700 (PDT)
From: eravin@panix.com
Reply-To: eravin@panix.com
To: gnats-bugs@gnats.netbsd.org
Subject: built-in TCP wrapper in inetd does not protect UDP or internal services
X-Send-Pr-Version: www-1.0

>Number:         11146
>Category:       security
>Synopsis:       built-in TCP wrapper in inetd does not protect UDP or internal services
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    security-officer
>State:          analyzed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 05 18:49:00 +0000 2000
>Closed-Date:    
>Last-Modified:  Tue Feb 06 13:47:34 +0000 2007
>Originator:     Ed Ravin
>Release:        1.4.2
>Organization:
PANIX
>Environment:
NetBSD 1.4.2
>Description:
The man pages for hosts_access(5) and inetd(8) imply that the functionality
of TCP wrappers (i.e. tcpd) is built into inetd.  This is not completely
true:

* UDP services do not get screened via hosts_access
* internal services (like daytime, echo, chargen) are not screened either
* Logging (via "inetd -l") does not include connections to UDP or internal services.

Although screening UDP services via tcpd is not 100% effective (since
source address forgery is trivial and daemons started with "wait" will
linger and answer other requests without screening from tcpd), it is
better than nothing.


>How-To-Repeat:
On a test system, create /etc/hosts.deny with "ALL: ALL" and delete
/etc/hosts.allow.  Confirm that telnet and ftp are no longer permitted.

Add the "daytime" entry to /etc/inetd.conf if it is
not already there.  It will still be permitted to all comers.

Add a UDP service to /etc/inetd.conf.  It will still be permitted to
all comers.

Restart inetd with the "-l" option.  TCP connections are logged, but
UDP and internal connections are not.
>Fix:
inetd should either include the full capability of tcpd, or describe the
shortcomings in the inetd and hosts_options man pages.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: mrg 
State-Changed-When: Fri Apr 2 10:13:19 UTC 2004 
State-Changed-Why:  
inetd in -current has suggested documentation fixes.  UDP support is 
explicitly disabled and documented as not working.  internal services 
should be changed to work with hosts.allow, and logging should be 
added for udp & internal services as well. 
>Unformatted:

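The screening gap described in this report, modelled as an added example (this is not NetBSD's inetd code and not part of the original PR): a small Python model of the hosts_access(5) decision (ALL, domain suffix, address prefix, net/mask and EXCEPT patterns, IPv4 only, option fields ignored) combined with the report's observation that inetd 1.4.2 only consulted that decision for external TCP servers. The inetd.conf, hosts.allow and hosts.deny contents, the client names and addresses, and the rule used to pick the daemon name (argv[0] of the server program, or the service name for internal services) are constructed assumptions for illustration.

```python
"""Model of the gap reported in PR 11146: NetBSD 1.4.2's inetd consulted
hosts.allow/hosts.deny only for external TCP servers, so UDP and internal
services were never screened.  Constructed example, not NetBSD's inetd code."""
import ipaddress
import os
import re
from dataclasses import dataclass

# Constructed configs following the How-To-Repeat: hosts.allow deleted,
# hosts.deny refuses everything.  Not copied from a real host.
HOSTS_ALLOW = ""
HOSTS_DENY = "ALL: ALL\n"
INETD_CONF = """\
telnet  stream tcp nowait root /usr/libexec/telnetd telnetd
ftp     stream tcp nowait root /usr/libexec/ftpd    ftpd -ll
daytime stream tcp nowait root internal
tftp    dgram  udp wait   nobody /usr/libexec/tftpd tftpd -s /tftpboot
"""


@dataclass
class Entry:
    service: str
    proto: str
    server: str
    daemon: str   # name matched against the daemon list in hosts.allow/deny


def parse_inetd_conf(text):
    """Parse the simple (non-RPC) inetd.conf line format used above."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        service, proto, server, args = f[0], f[2], f[5], f[6:]
        # Assumption: the wrapper sees argv[0] of the server, or the service
        # name when there is no server program (internal services).
        daemon = args[0] if args else (service if server == "internal"
                                       else os.path.basename(server))
        entries.append(Entry(service, proto, server, daemon))
    return entries


def _client_token(tok, host, addr):
    """One hosts_access(5) client pattern (IPv4 only; no LOCAL/KNOWN/PARANOID)."""
    if tok == "ALL":
        return True
    if tok.startswith("."):                     # domain suffix: .panix.com
        return host.endswith(tok)
    if tok.endswith("."):                       # address prefix: 166.84.
        return addr.startswith(tok)
    if "/" in tok:                              # net/mask: 166.84.0.0/255.255.0.0
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    return tok in (host, addr)


def _list_matches(lst, match_token):
    """Comma/space separated list with an optional 'EXCEPT' sublist."""
    parts = re.split(r"\s+EXCEPT\s+", lst.strip(), maxsplit=1)
    hit = any(match_token(t) for t in re.split(r"[,\s]+", parts[0]) if t)
    if len(parts) == 2:
        return hit and not _list_matches(parts[1], match_token)
    return hit


def _rule_matches(rule, daemon, host, addr):
    fields = rule.split(":")          # daemon_list : client_list [: option]
    if len(fields) < 2:
        return False
    return (_list_matches(fields[0], lambda t: t in ("ALL", daemon))
            and _list_matches(fields[1], lambda t: _client_token(t, host, addr)))


def hosts_access(daemon, host, addr, allow_text, deny_text):
    """tcpd decision: first match in hosts.allow grants, first match in
    hosts.deny refuses, no match at all grants.  Option fields are ignored."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line and _rule_matches(line, daemon, host, addr):
                return verdict
    return True


def inetd_screens(entry):
    """The report's observation for 1.4.2: only external TCP servers pass
    through the built-in wrapper; UDP and 'internal' services do not."""
    return entry.proto.startswith("tcp") and entry.server != "internal"


def decide(entry, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    if not inetd_screens(entry):
        return "unscreened"
    ok = hosts_access(entry.daemon, host, addr, allow_text, deny_text)
    return "allowed" if ok else "denied"


def report(conf_text=INETD_CONF, host="client.example", addr="192.0.2.10"):
    """Verdict per service for one (constructed) client."""
    return {e.service: decide(e, host, addr) for e in parse_inetd_conf(conf_text)}


if __name__ == "__main__":
    for service, verdict in report().items():
        print(f"{service:8s} {verdict}")
```

With the constructed "ALL: ALL" hosts.deny, telnet and ftp come out "denied" while daytime (internal) and tftp (UDP) come out "unscreened", which is the discrepancy the How-To-Repeat section walks through. The hosts_access model is only as complete as the patterns listed above; a real deployment check should be done against the host's own tcpd with tcpdmatch(8) rather than against this model.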
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.