REDHAT-BUG-576359
First published: Tue Mar 23 2010(Updated: )
A Debian bug report [1] reported two remotely exploitable format string vulnerabilities in iscsitarget. We do not provide iscsitarget, but similar code exists in scsi-target-utils (isns.c): rqs 0.3 ($Id: rqp 349 2010-03-19 23:05:04Z vdanen $) Searching database records for substring match on files ("/isns.c") Results in Tag: f11 iscsi-initiator-utils-6.2.0.870-8.fc11: (source) open-iscsi-2.0-870.1.tar.gz: open-iscsi-2.0-870.1/usr/isns.c scsi-target-utils-0.9.5-1.fc11: (source) tgt-0.9.5.tar.<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED CURRENTRELEASE - broken links of default index.html" href="show_bug.cgi?id=2">bz2</a>: tgt-0.9.5/usr/iscsi/isns.c Results in Tag: f12 iscsi-initiator-utils-6.2.0.870-10.fc12.1: (source) open-iscsi-2.0-870.1.tar.gz: open-iscsi-2.0-870.1/usr/isns.c scsi-target-utils-0.9.5-3.fc12: (source) tgt-0.9.5.tar.<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED CURRENTRELEASE - broken links of default index.html" href="show_bug.cgi?id=2">bz2</a>: tgt-0.9.5/usr/iscsi/isns.c Results in Tag: rhel5 iscsi-initiator-utils-6.2.0.871-0.10.el5: (source) open-iscsi-2.0-871-test4.bnx2i.tar.gz: open-iscsi-2.0-871-test4.bnx2i/usr/isns.c scsi-target-utils-0.0-5.20080917snap.el5: (source) tgt-20080917.tar.<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED CURRENTRELEASE - broken links of default index.html" href="show_bug.cgi?id=2">bz2</a>: tgt-20080917/usr/iscsi/isns.c The problem is a few snprintf() statements that don't use format strings (there are 3 in total in this file in iscsitarget, only 1 of which is correct). Checking to see if the same issues are in the RHEL5 iscsi-initiator-utils yielded nothing (one correct use): % grep snprintf usr/isns.c snprintf(port, sizeof(port), "%d", isns_port); Unfortunately, this does affect scsi-target-utils: % grep snprintf usr/iscsi/isns.c snprintf(mgmt->name, sizeof(mgmt->name), name); snprintf(ini->name, sizeof(ini->name), name); snprintf(port, sizeof(port), "%d", isns_port); It is unclear to me whether this is remotely exploitable, but the Debian report implies that it is. With our format string protections, this would not result in arbitrary code execution, but in a denial of service (crash) condition. This also affects the version shipped with Fedora 12, so I presume Fedora 11 would be vulnerable to this as well. [1] <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574935">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574935</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fedora iSCSI Initiator Utilities | >=6.2.0.870-8.fc11<6.2.0.870-10.fc12.1 | |
| scsi-target-utils | >=0.9.5-1.fc11<0.9.5-3.fc12 | |
| CentOS iSCSI Initiator Utilities | ||
| scsi-target-utils |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574935
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=402153&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=402153&action=edit
- http://git.kernel.org/?p=linux/kernel/git/tomo/tgt.git;a=commitdiff;h=107d922706cd36f3bb79bcca9bc4678c32f22e59
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=576359#c4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=576359#c8
- https://rhn.redhat.com/errata/RHSA-2010-0362.html
- https://bugzilla.redhat.com/show_bug.cgi?id=576359
Frequently Asked Questions
What is the severity of REDHAT-BUG-576359?
The severity of REDHAT-BUG-576359 is considered high due to the presence of remotely exploitable format string vulnerabilities.
How do I fix REDHAT-BUG-576359?
To fix REDHAT-BUG-576359, upgrade to the patched versions of the affected software, such as the latest release of scsi-target-utils.
Which software is affected by REDHAT-BUG-576359?
REDHAT-BUG-576359 affects scsi-target-utils and iscsi-initiator-utils from both Fedora and Red Hat.
Can REDHAT-BUG-576359 be exploited remotely?
Yes, REDHAT-BUG-576359 can be exploited remotely due to its format string vulnerabilities.
What are format string vulnerabilities in the context of REDHAT-BUG-576359?
Format string vulnerabilities occur when user input is improperly handled, allowing attackers to manipulate memory and execute arbitrary code.
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-0743
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/fedora
- canonical/fedora iscsi initiator utilities
- canonical/scsi-target-utils
- vendor/red hat
- canonical/centos iscsi initiator utilities