Securityvulns SECURITYVULNS:DOC:3297
Jul 31, 2002

HylaFAX - Various Vulnerabilities Fixed

HylaFAX.org Security Advisory
17 June 2002

Subject: Various Vulnerabilities Fixed

Introduction:

HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages. It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX. See http://www.hylafax.org

HylaFAX.org has hosted, distributed, and directed HylaFAX software
development since 1997.

iFax Solutions is the commercial support arm of HylaFAX.org and provides
single-incident or annual support contracts as well as other commercial
support options. See http://www.hylafax.org/support.html

Problem Description and Impact:

iFax Solutions recently discovered that HylaFAX faxgetty in versions prior
to 4.1.3 does not check the TSI string received from the remote facsimile
system before using it in logging and elsewhere. However, the reception
protocol limits the length of the TSI string to twenty characters.
Consequently, a remote sender with a specially-formatted TSI string can
cause faxgetty to crash with a segmentation fault, and although it is
unlikely that this could be used to execute arbitrary commands, it does
expose an easily exploitable denial of service vulnerability.

Development discussion to eliminate this vulnerability is available at:
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=300

Christer Oberg reported on Bugtraq in September 2001 that HylaFAX faxrm
and faxalter had format string vulnerabilities (see
http://www.securityfocus.com/archive/1/215984).
HylaFAX development found this vulnerability to be applicable to all
executables in versions prior to 4.1.3 which accept the "-h host" option
because the mentioned user input was not checked before sending an error
message to standard error/output. These binaries include faxalter, faxrm,
faxstat, sendfax, sendpage, and faxwatch. In distributions such as
FreeBSD which independently made any of these binaries set-uid (not the
HylaFAX default), an attacker could use these vulnerabilities to gain
elevated system privileges.

Development discussion to eliminate these vulnerabilities is available at:
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=202

CAN-2001-1034 was assigned to this vulnerability. See
http://www.securityfocus.com/bid/3357 for details.
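
The defensive pattern behind both the TSI and the "-h host" issues above, as
an added example (not HylaFAX code and not the project's patches): untrusted
text is length-limited, filtered, and passed only as an argument to a
constant format string. The function names, the allow-list and the message
wording are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define TSI_MAX 20 /* protocol limit on TSI length, as stated in the advisory */

/* Copy untrusted text into dst: at most max_len characters, and every
 * character outside the allow-list becomes '?'. The allow-list
 * (alphanumerics plus " +-._") is an assumption made for this example. */
size_t sanitize_field(char *dst, size_t dst_size,
                      const char *src, size_t src_len, size_t max_len)
{
    size_t n = 0;
    if (dst_size == 0) return 0;
    for (size_t i = 0; i < src_len && n < max_len && n + 1 < dst_size; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '\0') break;
        dst[n++] = (isalnum(c) || strchr(" +-._", c)) ? (char)c : '?';
    }
    dst[n] = '\0';
    return n;
}

/* Unsafe pattern: fprintf(stderr, host);  -- input is used as the format.
 * Safe pattern: constant format string, input passed only as an argument.
 * Message wording below is constructed, not HylaFAX's own. */
int format_host_error(char *out, size_t out_size, const char *host)
{
    char clean[64];
    sanitize_field(clean, sizeof clean, host, strlen(host), sizeof clean - 1);
    return snprintf(out, out_size, "cannot reach host \"%s\"", clean);
}

int format_tsi_log(char *out, size_t out_size, const char *tsi, size_t tsi_len)
{
    char clean[TSI_MAX + 1];
    sanitize_field(clean, sizeof clean, tsi, tsi_len, TSI_MAX);
    return snprintf(out, out_size, "remote TSI \"%s\"", clean);
}

int main(void)
{
    char line[128];
    const char tsi[] = "%s%s%s%s+49 30 1234567890123456"; /* constructed input */
    format_tsi_log(line, sizeof line, tsi, sizeof tsi - 1);
    puts(line);
    format_host_error(line, sizeof line, "fax.example.com%x%x"); /* constructed */
    puts(line);
    return 0;
}
```

The length cap is enforced by the receiver itself instead of relying on the
remote side to honour the protocol limit.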

In recent testing, Lee Howard discovered that faxgetty would segfault due
to a buffer overflow after receiving a very large line of image data.
Potentially, this vulnerability could allow an attacker to craft a
malicious faxsend mechanism that calls a vulnerable host, conceivably
using the buffer overflow to execute arbitrary commands on the host
system. Since on most installations faxgetty is run as root, such an
exploitation would allow the abuse of root permissions. This
vulnerability could more easily be abused for denial of service purposes.

Development discussion to eliminate this vulnerability is available at:
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=312

Status:

HylaFAX development has corrected all of the vulnerabilities described
here as well as provided numerous other bugfixes and enhancements in its
recent 4.1.3 patchlevel code release. All users are strongly encouraged
to upgrade. See http://www.hylafax.org/download.html to obtain 4.1.3
source code.

For users who are somehow unable to upgrade, HylaFAX CVS-based patches are
available for these vulnerabilities individually at
http://bugs.hylafax.org/bugzilla/attachment.cgi?id=290&action=view,
http://bugs.hylafax.org/bugzilla/attachment.cgi?id=300&action=view, and
http://bugs.hylafax.org/bugzilla/attachment.cgi?id=318&action=view
respectively.

There are no known exploits for any of the described vulnerabilities
beyond what is stated above.

Thanks:

Special thanks go to iFax Solutions and Christer Oberg for pointing out
these vulnerabilities to HylaFAX development. Many thanks also go to
Vyacheslav Frolov and Patrice Fournier for their development work in
providing these patches.


Lee Howard
HylaFAX Support Engineer
iFax Solutions, Inc.
[email protected]
