CVE-2007-4321

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

fail2ban 0.8 and earlier does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in via ssh with a client protocol version identification containing an IP address string, a different vector than CVE-2006-6302.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-30430 dos linux verified text · 1 KB

Daniel B. Cid · 2007-07-28

Fail2ban 0.8 - Remote Denial of Service

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/25117/info

Fail2ban is prone to a remote denial-of-service vulnerability because the application fails to properly ensure the validity of authentication-failure messages.

Successfully exploiting this issue allows remote attackers to add arbitrary IP addresses to the block list used by the application. This allows attackers to deny further network access to arbitrary IP addresses, denying service to legitimate users.

Fail2ban 0.8.0 and prior versions are vulnerable to this issue. 

This issue may be demonstrated by connecting to an SSH server with 'nc', and sending the following string:

ROOT LOGIN REFUSED hi FROM 1.2.3.4

where '1.2.3.4' is an IP address to be blocked.

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0.8.0-4`
sid	Fixed	`0.8.0-4`
forky	Fixed	`0.8.0-4`
bullseye	Fixed	`0.8.0-4`
bookworm	Fixed	`0.8.0-4`

References

https://security-tracker.debian.org/tracker/CVE-2007-4321

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.