Date: Mon, 11 Mar 2002 13:38:20 +0100 (CET)
From: <martin.kraemer@Fujitsu-Siemens.com>
To: FreeBSD-gnats-submit@freebsd.org, martin.kraemer@Fujitsu-Siemens.com
Subject: misc/35774: [SECURITY] Suboptimal auditing possibilities for network access
Message-ID: <200203111238.g2BCcKD49193@deejai2.mch.fsc.net>
>Number: 35774
>Category: misc
>Synopsis: [SECURITY] Suboptimal auditing possibilities for network access
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 11 04:40:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:
>Release: FreeBSD 4.5-STABLE i386
>Organization:
Fujitsu-Siemens
>Environment:
System: FreeBSD deejai2.mch.fsc.net 4.5-STABLE FreeBSD 4.5-STABLE #6: Thu Jan 31 21:40:04 CET 2002 martin@deejai2.mch.fsc.net:/usr/src/sys/compile/DEEJAI4B i386
>Description:
When logging in from a remote machine, the IP address of which
is not in the DNS, a utmp/wtmp entry is created with a
ut_host/ll_host hostname of the IPv4 address preceded by ::ffff:
(IPv6 syntax for mapped addresses). Because of the very small
size of the hostname field (historic: UT_HOSTSIZE 16), the IP address
gets truncated. The resulting "last" output...
(user ttyp5 ::ffff:172.25.18 Mon Mar 11 09:20 still logged in)
hides the most important information (from WHICH machine in the
subnet 172.25.18*.* did the login occur?).
>How-To-Repeat:
log in from a remote machine, the IP address of which is not in DNS.
>Fix:
(short-term fix) truncate a numeric IP address on the left rather
than on the right. That does not really help with true IPv6
addresses, but it greatly improves the usefulness when IPv4-mapped
IPv6 addresses are used, which is still the majority of cases IMHO.
For such a login, 16 bytes would be enough to store
":<ipv4>" which unambiguously describes the remote host, as it
can only be "::<ipv4>" (compatible) or "::ffff:<ipv4>" (mapped),
because all other IPv6 addresses would not be rewritten to
"<something>:<ipv4>".
(long-term fix) make the UT_HOSTSIZE 45 (there exists a constant for
sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255") somewhere in IPv6,
but I forgot its name)
>Release-Note:
>Audit-Trail:
>Unformatted:
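
The truncation and the short-term fix described in the report, as an added example that is not part of the original message and not FreeBSD's code. The function names and the peer address 172.25.18.42 are constructed for illustration; only the 16-byte field size and the "::ffff:172.25.18" output come from the report.

```c
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define UT_HOSTSIZE 16  /* historic field size named in the report */

/* Fill the fixed-size field; like utmp, it is not NUL-terminated when full. */
static void put(char field[UT_HOSTSIZE], const char *s)
{
    size_t n = strlen(s);
    memset(field, 0, UT_HOSTSIZE);
    memcpy(field, s, n < UT_HOSTSIZE ? n : UT_HOSTSIZE);
}

/* Behaviour described in the report: the tail of the address is lost. */
void store_right_truncated(char field[UT_HOSTSIZE], const char *host)
{
    put(field, host);
}

/* Short-term fix: a numeric address that does not fit loses bytes on the left. */
void store_left_truncated(char field[UT_HOSTSIZE], const char *host)
{
    struct in6_addr a6;
    size_t len = strlen(host);
    if (len > UT_HOSTSIZE && inet_pton(AF_INET6, host, &a6) == 1) {
        const char *colon = strrchr(host, ':');
        if (colon != NULL && strchr(colon, '.') != NULL)
            host = colon;               /* ":<ipv4>", at most 1 + 15 bytes */
        else
            host += len - UT_HOSTSIZE;  /* true IPv6: keep the last 16 bytes */
    }
    put(field, host);
}

/* Printable copy of the field, as "last" would show it. */
const char *show(const char field[UT_HOSTSIZE], char out[UT_HOSTSIZE + 1])
{
    memcpy(out, field, UT_HOSTSIZE);
    out[UT_HOSTSIZE] = '\0';
    return out;
}

int main(void)
{
    const char *peer = "::ffff:172.25.18.42";  /* constructed sample address */
    char f[UT_HOSTSIZE], s[UT_HOSTSIZE + 1];
    store_right_truncated(f, peer); printf("right: %s\n", show(f, s));
    store_left_truncated(f, peer);  printf("left:  %s\n", show(f, s));
    return 0;
}
```

Host names that are not numeric addresses take the unchanged path, and a true IPv6 address still loses its prefix, which matches the limitation the report itself states for the short-term fix.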
