Project

General

Profile

Bug #2621

Update NUT due to CVE-2012-2944

Added by Mathieu Simon about 7 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
09/05/2012
Due date:
% Done:

0%

Estimated time:
Affected Version:
All
Affected Architecture:

Description

NUT can be remotely crashed as of CVE-2012-2944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2944

Any objections updating the binary package from FreeBSD ports?

2.2.2 is quite dated by now (2008), what about updating to the 2.6 branch - including much improved UPS support.

History

#1 Updated by Jim Pingle about 7 years ago

No objections, but someone would need to check/test to ensure the config file is compatible and make any necessary changes.

#2 Updated by Jim Pingle about 7 years ago

  • Status changed from New to Feedback

Updated binaries, reinstalled, works fine for me with my APC Back-UPS ES 450. I imagine it should work for others also.

However now I recall why we were on the old version. Versions of nut after 2.2.x no longer support internal network access restrictions. Instead they now rely on changing the interface binding and firewall rules.
When the new package code goes up here momentarily, any existing ACLs will break, and it will only bind to localhost.
The user can add a port forward from TCP port 3493 to localhost:3493 and regain access.
Also because the users can't be restricted by host any more, I changed the local status user to use a (somewhat) randomly generated password rather than "mypass" or else someone could have logged in with that (now global) user remotely if a NAT rule was added.

I went forward with the change anyhow due to the CVE.

#3 Updated by Mathieu Simon about 7 years ago

Awesome Jim - I try to catch all of your explanations :-)

Let me know if you need a guinea pig, the box won't arrive that quick but I could verify against our test rig.

#4 Updated by Mathieu Simon about 7 years ago

(the box that I'd need to use NUT)

#5 Updated by Jim Pingle about 7 years ago

I posted a HEADS UP message on the package forum.
http://forum.pfsense.org/index.php/topic,53308.0.html

Additional testing is always helpful. It Works For Me(tm) but I don't use it in a complex manner as some do.

#6 Updated by Chris Buechler over 5 years ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF