From: Luis Falcon
Subject: [Health-security] Tryton get_login remote denial of service vulnerability
Date: Tue, 22 Mar 2016 22:27:40 +0000

===============================================================================
GNUHEALTH-SA-2016-1.tryton                            Security Advisory 
                                                      Health project

Topic:          get_login remote denial of service vulnerability

Component:      Tryton
Released:       2016-03-22
Credits:        Luis Falcon
Affects:        GNU Health 2.8, 3.0

You can get the latest status of this and other advisories at

https://ftp.gnu.org/gnu/health/security/security_advisories.html


I.   Background

Tryton is the application framework on which GNU Health is built. Tryton
records failed login attempts in a database table, and the number of
failures recorded for a login is used to lengthen the timeout imposed
on that login's next attempt.


II.  Problem Description

Each login attempt involves unprivileged database operations (read,
create or delete) on that table. Attempts against both existing and
non-existing accounts are stored in the database. Moreover, the rows
created for non-existing users are never removed from the table, so
they accumulate without bound.

III. Impact

An unauthenticated attacker can flood the database engine with login
attempts for random, non-existent accounts, growing the table without
limit and leading to resource exhaustion / denial of service. Because
the timeout is tracked per login name, attempts under fresh random
names are never throttled.
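The following is an added example, not Tryton's or GNU Health's own
code. It models the mechanism the advisory describes: a table that
gains one row per failed attempt, a per-login delay derived from the
row count for that login, and rows for existing accounts being deleted
on successful login while rows for unknown logins stay forever. The
exact delay formula, the table layout and the sample account are
assumptions. A second store that declines to record unknown logins
shows how the same flood behaves once that is changed.

```python
"""Model of a per-login failed-attempt table under a random-username flood.

Added example, not Tryton's code. The delay policy (one second per
recorded failure, capped) and the table schema are assumptions; the
advisory only states that the timeout grows with the failure count.
"""
import random
import sqlite3
import string


class LoginAttemptStore:
    def __init__(self, users, record_unknown_logins):
        # users: constructed sample accounts, login -> password
        self.users = dict(users)
        # True reproduces the behaviour described in the advisory
        self.record_unknown_logins = record_unknown_logins
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE login_attempt (login TEXT NOT NULL)")

    def failures(self, login):
        """Number of rows recorded for this login (the 'read' operation)."""
        row = self.db.execute(
            "SELECT COUNT(*) FROM login_attempt WHERE login = ?", (login,)
        ).fetchone()
        return row[0]

    def delay_seconds(self, login):
        # Assumed policy: wait one second per recorded failure, capped at 60.
        return min(self.failures(login), 60)

    def total_rows(self):
        """Size of the whole table, the resource the flood exhausts."""
        return self.db.execute("SELECT COUNT(*) FROM login_attempt").fetchone()[0]

    def attempt(self, login, password):
        """Return (success, delay the caller had to wait before this attempt)."""
        delay = self.delay_seconds(login)
        if login in self.users and self.users[login] == password:
            # Success clears the counter for an existing account ('delete').
            self.db.execute("DELETE FROM login_attempt WHERE login = ?", (login,))
            return True, delay
        if login in self.users or self.record_unknown_logins:
            # Failure adds a row ('create'); rows for unknown logins are
            # never deleted because no successful login can ever clear them.
            self.db.execute("INSERT INTO login_attempt (login) VALUES (?)", (login,))
        return False, delay


def flood(store, n, seed=0):
    """Submit n failed logins under random 12-letter usernames.

    Returns (rows in the table afterwards, total delay the attacker paid).
    """
    rng = random.Random(seed)  # deterministic so the run is reproducible
    total_delay = 0
    for _ in range(n):
        login = "".join(rng.choices(string.ascii_lowercase, k=12))
        ok, delay = store.attempt(login, "x")
        assert not ok
        total_delay += delay
    return store.total_rows(), total_delay


SAMPLE_USERS = {"admin": "correct horse"}  # constructed sample account

if __name__ == "__main__":
    vulnerable = LoginAttemptStore(SAMPLE_USERS, record_unknown_logins=True)
    hardened = LoginAttemptStore(SAMPLE_USERS, record_unknown_logins=False)
    print("advisory behaviour:", flood(vulnerable, 1000))
    print("unknown logins not recorded:", flood(hardened, 1000))
```

The flood leaves 1000 rows behind in the first store and none in the
second, and in both cases the attacker waited zero seconds in total,
since every name was new. The per-login throttle still works for a real
account in both stores. Note that not recording unknown logins makes the
delay observable only for existing accounts, which an attacker can use
to tell them apart; a throttle keyed on the client address as well as
the login avoids both the unbounded table and that enumeration signal.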

IV.  Workaround

No workaround is available.

V.   Solution

Install the patch either through gnuhealth-control or by applying it
directly.

a) Update via gnuhealth-control ( gnuhealth-control version 3.0.3 or
later )

    Login as the gnuhealth user

    $ su - gnuhealth

    Stop the GNU Health server

    Make sure you have gnuhealth-control version 3.0.3 or later.

    $ gnuhealth-control version

    Preview the updates that would be applied

    $ gnuhealth-control update --dry-run

    Apply the updates

    $ gnuhealth-control update

    Reload the GNU Health environment

    $ source $HOME/.gnuhealthrc

    Restart the server


b)  Apply the patch directly ( GNU Health < 3.0, or if there were
    problems using gnuhealth-control )

    Login as the gnuhealth user

    $ su - gnuhealth

    Stop the GNU Health server

    Download the patch

    $ wget https://ftp.gnu.org/gnu/health/security/GNUHEALTH-SA-2016-1.tryton.patch.asc

    The file is an OpenPGP-signed patch. Before applying it, verify the
    signature against the GNU Health signing key in your keyring:

    $ gpg --verify $HOME/GNUHEALTH-SA-2016-1.tryton.patch.asc

    $ cd $HOME/gnuhealth/tryton/server/trytond-${TRYTON_VERSION}/trytond/res

    Check that the patch applies cleanly (no changes are made)

    $ patch --dry-run -N -p1 < $HOME/GNUHEALTH-SA-2016-1.tryton.patch.asc

    If the dry run reports no errors, apply the patch

    $ patch -p1 < $HOME/GNUHEALTH-SA-2016-1.tryton.patch.asc

    Restart the server

########################################################################

Attachment: pgpkgCny1eCFw.pgp
Description: OpenPGP digital signature
