  1. #1

    ConfigServer Firewall (CSF) - Log Forging (Deny IP) Vulnerability (R911-0119)

    Type: Log Forging
    Location: Local
    Impact: High
    Product: ConfigServer Firewall (CSF)
    Vulnerable Version: 6.40
    Fixed Version: 6.42 (See Notes Below!)
    CVE: -
    R911: 0119
    Date: 2014-02-02
    By: Rack911
    Product Description:

    ConfigServer Firewall (CSF) is a Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

    Vulnerability Description:

    It is possible for a malicious user to create forged log entries to trick the Login Failure Daemon feature into believing that an IP address is attempting to brute force the server which will then block the IP address in question. Blocking the administrators, other users, other servers and creating a DoS against the server is possible with this attack.


    We have deemed this vulnerability to be rated as HIGH due to the fact that any user, including administrators, can have their IPs blocked.

    Vulnerable Version:

    This vulnerability was tested against ConfigServer Firewall (CSF) 6.40 and is believed to exist in all versions prior to the fixed builds below.

    Fixed Version:

    ConfigServer Firewall (CSF) implemented a bunch of options in v6.41 and v6.42 to help mitigate against this attack. Please read the following change log to fully understand the options available:

    Vendor Contact Timeline:

    2014-01-26: Vendor contacted via email.
    2014-01-26: Vendor confirms vulnerability.
    2014-01-29: Vendor issues update v6.41.
    2014-02-02: Vendor issues update v6.42.
    2014-02-02: Rack911 issues security advisory.
    Patrick William | RACK911 Labs | Software Security Auditing
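The attack above works because lfd trusts whatever appears in the logs it parses, so the practical defender's question is who can write to those inputs. The following audit script is an added example (not from Rack911 or ConfigServer, and not part of CSF) that reports log files and the syslog socket that unprivileged local users could write to. The paths in DEFAULT_PATHS and the trusted uid/gid sets are assumptions for illustration; adjust them to the files your daemon actually watches.

```python
"""Audit the write permissions of log files and the syslog socket that a
log-based intrusion-detection daemon (such as lfd) parses.  Added example,
not part of the advisory or of CSF.  DEFAULT_PATHS are assumptions."""
import os
import stat
from typing import Iterable, List, Optional

# Assumed locations; not taken from CSF's configuration.
DEFAULT_PATHS = [
    "/dev/log",                   # syslog socket (symlink on systemd hosts; os.stat follows it)
    "/var/log/secure",
    "/var/log/messages",
    "/var/log/httpd/access_log",
]


def assess_mode(mode: int, uid: int, gid: int, is_socket: bool = False,
                trusted_uids: Iterable[int] = (0,),
                trusted_gids: Iterable[int] = (0,)) -> List[str]:
    """Return the reasons why an object with these ownership/permission bits
    lets untrusted local users write entries the daemon will later act on.
    Pure function, so it can be exercised without touching the real filesystem."""
    perm = stat.S_IMODE(mode)
    reasons: List[str] = []
    if perm & stat.S_IWOTH:
        what = "syslog socket" if is_socket else "log file"
        reasons.append(f"world-writable {what}: any local user can inject forged entries")
    if perm & stat.S_IWGRP and gid not in trusted_gids:
        reasons.append(f"group-writable by gid {gid}, which is not a trusted group")
    if uid not in trusted_uids:
        reasons.append(f"owned by uid {uid}, which is not a trusted owner")
    return reasons


def check_path(path: str, **kw) -> Optional[dict]:
    """stat one path and return a finding when it is unsafely writable;
    None when it is safe or does not exist on this host."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    reasons = assess_mode(st.st_mode, st.st_uid, st.st_gid,
                          stat.S_ISSOCK(st.st_mode), **kw)
    if not reasons:
        return None
    return {"path": path, "mode": oct(stat.S_IMODE(st.st_mode)), "reasons": reasons}


def audit(paths: Iterable[str] = DEFAULT_PATHS, **kw) -> List[dict]:
    """Run check_path over every path and keep only the findings."""
    return [f for f in (check_path(p, **kw) for p in paths) if f]


if __name__ == "__main__":
    findings = audit()
    if not findings:
        print("no unsafely writable log inputs found")
    for f in findings:
        print(f"{f['path']} ({f['mode']})")
        for reason in f["reasons"]:
            print(f"  - {reason}")
```

A world-writable syslog socket is the normal default on most distributions, which is why the finding is reported rather than silently accepted: it tells you that restricting syslog access (the direction the 6.41/6.42 options take, as the reply below notes) or excluding user-influenced logs from lfd's inputs is what actually closes the forging path, not tightening the parser.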

  2. #2
    Thanks for the update Patrick!
    Nice to see 6.42 was released as well, so we can actually block the writing to the logs, without removing the full functionality of the software.
