Bug #2621
closed
Update NUT due to CVE-2012-2944
0%
Description
NUT can be remotely crashed as of CVE-2012-2944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2944
Any objections updating the binary package from FreeBSD ports?
2.2.2 is quite dated by now (2008), what about updating to the 2.6 branch - including much improved UPS support.
Updated by Jim Pingle over 12 years ago
No objections, but someone would need to check/test to ensure the config file is compatible and make any necessary changes.
Updated by Jim Pingle over 12 years ago
- Status changed from New to Feedback
Updated binaries, reinstalled, works fine for me with my APC Back-UPS ES 450. I imagine it should work for others also.
However now I recall why we were on the old version. Versions of nut after 2.2.x no longer support internal network access restrictions. Instead they now rely on changing the interface binding and firewall rules.
When the new package code goes up here momentarily, any existing ACLs will break, and it will only bind to localhost.
The user can add a port forward from TCP port 3493 to localhost:3493 and regain access.
Also because the users can't be restricted by host any more, I changed the local status user to use a (somewhat) randomly generated password rather than "mypass" or else someone could have logged in with that (now global) user remotely if a NAT rule was added.
I went forward with the change anyhow due to the CVE.
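The comment above describes three things to verify after the upgrade: leftover 2.2.x ACL lines, which address upsd binds to, and whether any account still uses a guessable password such as "mypass". The following is an added example, not part of the original comment or the pfSense package code; the sample files are constructed, and the function names, the weak-password denylist and the 12-character minimum are assumptions.

```python
import ipaddress
# Constructed sample files for illustration; not taken from the ticket.
SAMPLE_UPSD_CONF = """\
ACL lan 192.168.1.0/24
ACCEPT lan
REJECT all
LISTEN 127.0.0.1 3493
LISTEN 0.0.0.0 3493
"""
SAMPLE_UPSD_USERS = """\
[monuser]
    password = mypass
    upsmon master
[admin]
    password = "q7Lr2vXw9TzK4mPd"
"""
LEGACY_ACL = {"ACL", "ACCEPT", "REJECT"}   # 2.2.x upsd.conf access keywords
WEAK = {"mypass", "password", "changeme"}  # assumed denylist

def audit_upsd_conf(text):
    """Flag leftover 2.2.x ACL lines and LISTEN on non-loopback addresses."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] in LEGACY_ACL:
            findings.append((n, "legacy-acl", parts[0]))
        elif parts[0] == "LISTEN" and len(parts) > 1:
            try:
                loopback = ipaddress.ip_address(parts[1]).is_loopback
            except ValueError:  # hostname rather than a literal address
                loopback = parts[1] == "localhost"
            if not loopback:
                findings.append((n, "non-loopback-listen", parts[1]))
    return findings

def audit_upsd_users(text):
    """Flag users whose password is denylisted or under 12 chars (assumed)."""
    findings, user = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            user = line[1:-1]
        elif line.startswith("password") and "=" in line:
            pw = line.split("=", 1)[1].strip().strip('"')
            if pw in WEAK or len(pw) < 12:
                findings.append((user, "weak-password"))
    return findings
```

A non-loopback LISTEN finding means every account in upsd.users is reachable from that interface, so it should be paired with a firewall rule limiting TCP 3493 to the hosts that need it.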
Updated by Mathieu Simon over 12 years ago
Awesome Jim - I try to catch all of your explanations :-)
Let me know if you need a guinea pig, the box won't arrive that quick but I could verify against our test rig.
Updated by Jim Pingle over 12 years ago
I posted a HEADS UP message on the package forum.
http://forum.pfsense.org/index.php/topic,53308.0.html
Additional testing is always helpful. It Works For Me(tm) but I don't use it in a complex manner as some do.
Updated by Chris Buechler over 10 years ago
- Status changed from Feedback to Resolved