CVE-2010-0743
First published: Mon Mar 22 2010(Updated: )
A Debian bug report [1] reported two remotely exploitable format string vulnerabilities in iscsitarget. We do not provide iscsitarget, but similar code exists in scsi-target-utils (isns.c): rqs 0.3 ($Id: rqp 349 2010-03-19 23:05:04Z vdanen $) Searching database records for substring match on files ("/isns.c") Results in Tag: f11 iscsi-initiator-utils-6.2.0.870-8.fc11: (source) open-iscsi-2.0-870.1.tar.gz: open-iscsi-2.0-870.1/usr/isns.c scsi-target-utils-0.9.5-1.fc11: (source) tgt-0.9.5.tar.<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED CURRENTRELEASE - broken links of default index.html" href="show_bug.cgi?id=2">bz2</a>: tgt-0.9.5/usr/iscsi/isns.c Results in Tag: f12 iscsi-initiator-utils-6.2.0.870-10.fc12.1: (source) open-iscsi-2.0-870.1.tar.gz: open-iscsi-2.0-870.1/usr/isns.c scsi-target-utils-0.9.5-3.fc12: (source) tgt-0.9.5.tar.<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED CURRENTRELEASE - broken links of default index.html" href="show_bug.cgi?id=2">bz2</a>: tgt-0.9.5/usr/iscsi/isns.c Results in Tag: rhel5 iscsi-initiator-utils-6.2.0.871-0.10.el5: (source) open-iscsi-2.0-871-test4.bnx2i.tar.gz: open-iscsi-2.0-871-test4.bnx2i/usr/isns.c scsi-target-utils-0.0-5.20080917snap.el5: (source) tgt-20080917.tar.<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED CURRENTRELEASE - broken links of default index.html" href="show_bug.cgi?id=2">bz2</a>: tgt-20080917/usr/iscsi/isns.c The problem is a few snprintf() statements that don't use format strings (there are 3 in total in this file in iscsitarget, only 1 of which is correct). Checking to see if the same issues are in the RHEL5 iscsi-initiator-utils yielded nothing (one correct use): % grep snprintf usr/isns.c snprintf(port, sizeof(port), "%d", isns_port); Unfortunately, this does affect scsi-target-utils: % grep snprintf usr/iscsi/isns.c snprintf(mgmt->name, sizeof(mgmt->name), name); snprintf(ini->name, sizeof(ini->name), name); snprintf(port, sizeof(port), "%d", isns_port); It is unclear to me whether this is remotely exploitable, but the Debian report implies that it is. With our format string protections, this would not result in arbitrary code execution, but in a denial of service (crash) condition. This also affects the version shipped with Fedora 12, so I presume Fedora 11 would be vulnerable to this as well. [1] <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574935">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574935</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/scsi-target-utils | <0:0.0-6.20091205snap.el5_5.2 | 0:0.0-6.20091205snap.el5_5.2 |
| Zaal Tgt | <=0.9.5 | |
| Zaal Tgt | =1.0.3 | |
| Iscsitarget Iscsitarget | =0.4.16 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://marc.info/?l=oss-security&m=127005132403189&w=2
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574935
- http://www.securityfocus.com/bid/39127
- https://bugzilla.redhat.com/show_bug.cgi?id=576359
- http://secunia.com/advisories/39142
- http://secunia.com/advisories/39726
- http://www.debian.org/security/2010/dsa-2042
- http://www.vupen.com/english/advisories/2010/1786
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:131
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/57496
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11248
- http://git.kernel.org/?p=linux/kernel/git/tomo/tgt.git%3Ba=commit%3Bh=107d922706cd36f3bb79bcca9bc4678c32f22e59
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=402153&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=402153&action=edit
- http://git.kernel.org/?p=linux/kernel/git/tomo/tgt.git;a=commitdiff;h=107d922706cd36f3bb79bcca9bc4678c32f22e59
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=576359#c4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=576359#c8
- https://rhn.redhat.com/errata/RHSA-2010-0362.html
- https://www.cve.org/CVERecord?id=CVE-2010-0743 https://nvd.nist.gov/vuln/detail/CVE-2010-0743
- https://access.redhat.com/errata/RHSA-2010:0362
- https://access.redhat.com/security/cve/CVE-2010-0743
- collector/nvd-historical
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/author
- agent/references
- agent/event
- agent/description
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-0743
- vendor/zaal
- canonical/zaal tgt
- version/zaal tgt/0.9.5
- version/zaal tgt/1.0.3
- vendor/iscsitarget
- canonical/iscsitarget iscsitarget
- version/iscsitarget iscsitarget/0.4.16
- package-manager/redhat