Debian DLA-1716-1 : ikiwiki security update

high Nessus Plugin ID 122928

Synopsis

The remote Debian host is missing a security update.

Description

The ikiwiki maintainers discovered that the aggregate plugin did not use LWPx::ParanoidAgent. On sites where the aggregate plugin is enabled, authorized wiki editors could tell ikiwiki to fetch potentially undesired URIs even if LWPx::ParanoidAgent was installed :

local files via file: URIs other URI schemes that might be misused by attackers, such as gopher: hosts that resolve to loopback IP addresses (127.x.x.x) hosts that resolve to RFC 1918 IP addresses (192.168.x.x etc.)

This could be used by an attacker to publish information that should not have been accessible, cause denial of service by requesting 'tarpit' URIs that are slow to respond, or cause undesired side-effects if local web servers implement 'unsafe' GET requests.
(CVE-2019-9187)

Additionally, if liblwpx-paranoidagent-perl is not installed, the blogspam, openid and pinger plugins would fall back to LWP, which is susceptible to similar attacks. This is unlikely to be a practical problem for the blogspam plugin because the URL it requests is under the control of the wiki administrator, but the openid plugin can request URLs controlled by unauthenticated remote users, and the pinger plugin can request URLs controlled by authorized wiki editors.

This is addressed in ikiwiki 3.20190228 as follows, with the same fixes backported to Debian 9 in version 3.20170111.1 :

- URI schemes other than http: and https: are not accepted, preventing access to file:, gopher:, etc.

- If a proxy is configured in the ikiwiki setup file, it is used for all outgoing http: and https: requests. In this case the proxy is responsible for blocking any requests that are undesired, including loopback or RFC 1918 addresses.

- If a proxy is not configured, and liblwpx-paranoidagent-perl is installed, it will be used. This prevents loopback and RFC 1918 IP addresses, and sets a timeout to avoid denial of service via 'tarpit' URIs.

- Otherwise, the ordinary LWP user-agent will be used.
This allows requests to loopback and RFC 1918 IP addresses, and has less robust timeout behaviour. We are not treating this as a vulnerability: if this behaviour is not acceptable for your site, please make sure to install LWPx::ParanoidAgent or disable the affected plugins.

For Debian 8 'Jessie', this problem has been fixed in version 3.20141016.4+deb8u1.

We recommend that you upgrade your ikiwiki packages. In addition it is also recommended that you have liblwpx-paranoidagent-perl installed, which listed in the recommends field of ikiwiki.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected ikiwiki package.

See Also

https://lists.debian.org/debian-lts-announce/2019/03/msg00018.html

https://packages.debian.org/source/jessie/ikiwiki

Plugin Details

Severity: High

ID: 122928

File Name: debian_DLA-1716.nasl

Version: 1.7

Type: local

Agent: unix

Published: 3/19/2019

Updated: 6/13/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2019-9187

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ikiwiki, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 3/18/2019

Vulnerability Publication Date: 6/5/2019

Reference Information

CVE: CVE-2019-9187