---------------------------------------------------------------------- Inferno Nettverk A/S Security Advisory Package: Dante Advisory Id: DNTE-20050128002 CVE: CVE-2024-54662 Date: 2024-11-16 (private, customers only) Date: 2024-12-16 (public) Affected versions: Dante server 1.4.0, 1.4.1, 1.4.2, and 1.4.3 ---------------------------------------------------------------------- To users and customers of Inferno Nettverk A/S using Dante: A security issue related to a rarely used option in the Dante server's client/hostid-rules was recently reported to us by a private party. The issue can in some circumstances lead to a client that should have been blocked by the Dante rules/ACLs, to instead be permitted. The issue only affects Dante configurations where the option "socksmethod" is set within a client/hostid-rule. This advisory affects: Versions 1.4.0 through 1.4.3 of the Dante server, but only if "socksmethod" is set within a client/hostid-rule, and only if subsequent socks-rules would not block the client in question. An example of a possibly affected configuration is a sockd.conf containing a client or hostid-rule such as this: """ client pass { ... socksmethod: none } """ Under certain circumstances, and depending on how the subsequent socks-rules look, a client that should have been blocked by the Dante rules/ACLs may instead be permitted. This advisory does not affect: Customers that do not set "socksmethod" within client- or hostid-rules. Setting "socksmethod" within socks-rules, as is the common way, is not affected. E.g., the following rule does not cause problems: """ socks pass { ... socksmethod: ... } """ If none of the client-rules or hostid-rules (that is, rules starting with "client pass" or "hostid pass") contain the keyword "socksmethod", this issue does not affect your configuration and no changes are required. Recommended steps for customers: If you believe you may be affected by this, we ask you to provide us with a copy of your sockd.conf so we can verify whether your sockd.conf is affected by this. If it is, we would like to help you devise a work-around until a new release of Dante is available. We can alternatively provide you a patch for this problem if so required. Recommended steps for others: If you believe you may be affected by this, we suggest you update to Dante version 1.4.4. Presumed impact: We expect most configurations to be unaffected by this issue, because setting "socksmethod" within client or hostid-rules is a rarely used feature that is not required in normal/common usage scenarios. In the configurations that are affected however, a client that should have been blocked by Dante's ACL rules may instead be permitted. Technical details: N/A. Acknowledgments: The issue was privately reported to us by Igor Medovolkin (igor.aka.igro@gmail.com.example.com), and we do not believe it to have been public knowledge before the release of this advisory. We thank Mr. Medovolkin for the responsible disclosure of this issue. Should you have any questions about this issue, please contact your Inferno Nettverk support contact in the usual way. If you do not have a support contact, please use the public dante-misc mailinglist. Please see https://www.inet.no/dante/lists.html for more information about the Dante mailinglists. With kind regards, Inferno Nettverk Support