From: Luis Falcon
Subject: [Health-security] Tryton get_login remote denial of service vulnerability
Date: Tue, 22 Mar 2016 22:27:40 +0000
===============================================================================
GNUHEALTH-SA-2016-1.tryton Security Advisory
Health project
Topic: get_login remote denial of service vulnerability
Component: Tryton
Released: 2016-03-22
Credits: Luis Falcon
Affects: GNU Health 2.8, 3.0
You can get the latest status of this and other advisories at
https://ftp.gnu.org/gnu/health/security/security_advisories.html
I. Background
Tryton is the application framework on which GNU Health is built. Tryton
records failed login attempts in a database table, and the number of
failed attempts recorded for a login is used to lengthen the delay imposed
on that login's next attempt.
II. Problem Description
Every login attempt, whether or not it carries valid credentials, causes
database operations (read, create or delete) that any unauthenticated
client can trigger. Attempts against both existing and non-existing
accounts are recorded in the table, and the rows created for non-existing
accounts are never removed.
III. Impact
A remote attacker can flood the server with login attempts for random,
non-existing accounts. Each attempt costs the attacker nothing (a fresh
login name has no recorded failures, so no delay applies) but adds a row
that is never deleted, so the table and the database load grow without
bound, leading to resource exhaustion and denial of service.
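The following is an added illustration of the mechanism described in sections I to III; it is not Tryton's or GNU Health's code. The attempt table is modelled as an in-memory list, the back-off formula (delay doubling with each recorded failure) and the fix shown in the hardened class (store nothing for logins that name no account, and cap the table) are assumptions made for the example, not necessarily what the project's patch does. The account store and login names are constructed sample data.

```python
import secrets

# Constructed sample account store for the illustration: login -> password.
ACCOUNTS = {"admin": "s3cret", "doctor": "hunter2"}


class VulnerableLoginTracker:
    """Models the bookkeeping the advisory describes: every failed attempt
    adds a row whether or not the login names a real account, and rows for
    unknown logins are never deleted. Each call does a read (count), then a
    create or a delete, before any credential is checked."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.attempts = []  # one entry per failed attempt, like the DB table

    def count(self, login):
        return sum(1 for row in self.attempts if row == login)

    def delay_seconds(self, login):
        # Assumed back-off for the example: grows with the recorded failures
        # for this login (the advisory only says the count lengthens the delay).
        return 2 ** self.count(login) - 1

    def get_login(self, login, password):
        """Return (authenticated, delay imposed before this attempt)."""
        delay = self.delay_seconds(login)                             # read
        if login in self.accounts and self.accounts[login] == password:
            self.attempts = [r for r in self.attempts if r != login]  # delete
            return True, delay
        self.attempts.append(login)                                   # create
        return False, delay


class HardenedLoginTracker(VulnerableLoginTracker):
    """Assumed fix (not necessarily the project's patch): keep no state for
    logins that name no account, and cap the table so it cannot grow without
    bound even for real accounts."""

    MAX_ROWS = 1000  # assumption: cap chosen for the example

    def get_login(self, login, password):
        if login not in self.accounts:
            return False, 0  # unknown account: nothing stored, nothing to throttle
        delay = self.delay_seconds(login)
        if self.accounts[login] == password:
            self.attempts = [r for r in self.attempts if r != login]
            return True, delay
        if len(self.attempts) >= self.MAX_ROWS:
            self.attempts.pop(0)  # evict the oldest row instead of growing
        self.attempts.append(login)
        return False, delay


def flood(tracker, n):
    """Simulate an attacker sending n attempts with random, non-existing
    logins. Returns (rows now stored, total delay the attacker was charged).
    Every name is fresh, so its count is 0 and the back-off never triggers:
    the flood is free for the attacker and costly for the database."""
    total_delay = 0
    for _ in range(n):
        login = "nobody-" + secrets.token_hex(8)
        ok, delay = tracker.get_login(login, "x")
        assert not ok
        total_delay += delay
    return len(tracker.attempts), total_delay


if __name__ == "__main__":
    for cls in (VulnerableLoginTracker, HardenedLoginTracker):
        tracker = cls(dict(ACCOUNTS))
        rows, charged = flood(tracker, 5000)
        print(f"{cls.__name__}: {rows} rows stored, attacker delayed {charged}s")
        for _ in range(3):
            tracker.get_login("admin", "wrong")
        print(f"  next delay for admin: {tracker.delay_seconds('admin')}s")
```

Running the script shows the vulnerable tracker keeping one row per random login while charging the attacker no delay at all, and the hardened tracker keeping none while still throttling repeated failures against a real account. One caveat with the fix as written: answering unknown logins immediately lets response time reveal whether an account exists, so a deployment that also cares about username enumeration should throttle by client address or apply a constant delay rather than skip the delay entirely.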
IV. Workaround
No workaround is available.
V. Solution
Install the patch either using gnuhealth-control or applying it directly
a) Update via gnuhealth-control (gnuhealth-control version 3.0.3 or later)
Login as gnuhealth user
$ su - gnuhealth
Stop the GNU Health server
Make sure you have gnuhealth-control version 3.0.3 or later.
$ gnuhealth-control version
Check the status of your current version
$ gnuhealth-control update --dry-run
Apply the updates
$ gnuhealth-control update
Reload the GNU Health environment
$ source $HOME/.gnuhealthrc
Restart the server
b) Apply the patch directly (GNU Health < 3.0, or if there were problems using gnuhealth-control)
Login as gnuhealth user
$ su - gnuhealth
Stop the GNU Health server
Download the patch
$ wget https://ftp.gnu.org/gnu/health/security/GNUHEALTH-SA-2016-1.tryton.patch.asc
The .asc file is an OpenPGP-signed patch; verify its signature (gpg --verify) before applying it.
$ cd $HOME/gnuhealth/tryton/server/trytond-${TRYTON_VERSION}/trytond/res
Check that the patch applies cleanly (dry run)
$ patch --dry-run -N -p1 < $HOME/GNUHEALTH-SA-2016-1.tryton.patch.asc
If everything went well, apply the patch
$ patch -p1 < $HOME/GNUHEALTH-SA-2016-1.tryton.patch.asc
Restart the server