Bug 528132 (CVE-2014-8321) - <net-wireless/aircrack-ng-1.2_rc1: multiple vulnerabilities (CVE-2014-{8321,8322,8323,8324})
Status: RESOLVED FIXED
Alias: CVE-2014-8321
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://seclists.org/bugtraq/2014/Nov/1
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-03 15:19 UTC by Agostino Sarubbo
Modified: 2014-11-23 18:15 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-11-03 15:19:05 UTC
From ${URL} :

"Aircrack-ng 1.2 Beta 3" multiple vulnerabilities
 
Description:
--------------------------------  
Four vulnerabilities exist on aircrack-ng <= 1.2 Beta 3 which allow remote/local code execution, privilege escalation 
and denial of service. Specifically, the following vulnerabilities were identified:
 
  -   A stack overflow at airodump-ng gps_tracker() which may lead to
code execution, privilege escalation.
  -   A length parameter inconsistency at aireplay tcp_test() which may
lead to remote code execution.
  -   A missing check for data format at buddy-ng which may lead to
denial of service.
  -   A missing check for invalid values at airserv-ng net_get() which
may lead to denial of service.
 
 
Researcher:
---------------------------------  
Nick Sampanis (n.sampanis[a t]obrela[do t]com)
 
 
Vulnerabilities:
----------------------------------
gps_tracker stack overflow  CVE-2014-8321
tcp_test length parameter inconsistency CVE-2014-8322
buddy-ng missing check  in data format CVE-2014-8323
net_get missing check for invalid values CVE-2014-8324
 
 
Bugs and fixes submit date:
-----------------------------------
3/10/2014
 
 
Impact:
-----------------------------------
CVE-2014-8321: Severity: High AV: Local Impact type: Code execution/Privilege escalation
CVE-2014-8322: Severity: Critical AV: Remote Impact type: Code execution
CVE-2014-8323: Severity: High AV: Remote Impact type: Denial of service
CVE-2014-8324: Severity: High AV: Remote Impact type: Denial of service

Solution - fix & patch:
------------------------------------
Kali Linux (and maybe some other distros) used to distribute the aircrack-ng package
without stack cookie protection, which makes CVE-2014-8322 easily exploitable.
The new package with stack cookie protection enabled is called debian/1.2-beta3-0kali3.

Download the respective commits from GitHub. Soon a new version
will be released, but at this time there is no patched version.
 
https://github.com/aircrack-ng/aircrack-ng/commit/ff70494dd389ba570dbdbf36f217c28d4381c6b5
https://github.com/aircrack-ng/aircrack-ng/commit/091b153f294b9b695b0b2831e65936438b550d7b
https://github.com/aircrack-ng/aircrack-ng/commit/da087238963c1239fdabd47dc1b65279605aca70
https://github.com/aircrack-ng/aircrack-ng/commit/88702a3ce4c28a973bf69023cd0312f412f6193e

Reference:
------------------------------------
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1401/



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
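The advisory quoted above describes the bug class behind CVE-2014-8322 and CVE-2014-8324 in one line each: a length taken from the network is used to size a read into a fixed buffer, and a value received from the peer is never checked for being out of range. The following is an added illustration of that pattern next to its hardened form, written for this page; it is not aircrack-ng code and does not reproduce the real tcp_test() or net_get() logic. The 4-byte big-endian length prefix, the 64-byte destination buffer and the in-memory peer that stands in for recv() are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer size a reader like tcp_test() might keep on the stack (assumed value). */
#define FRAME_MAX 64

/* Constructed stand-in for a TCP socket: a byte string plus a read cursor. */
struct peer {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Stand-in for recv(): copies up to n bytes, returns the count, 0 at end of stream. */
static size_t peer_recv(struct peer *p, void *out, size_t n)
{
    size_t avail = p->len - p->pos;
    if (n > avail)
        n = avail;
    memcpy(out, p->data + p->pos, n);
    p->pos += n;
    return n;
}

/* Read exactly n bytes, looping on short reads. 0 on success, -1 if the stream ends early. */
static int recv_exact(struct peer *p, unsigned char *out, size_t n)
{
    size_t got = 0;
    while (got < n) {
        size_t r = peer_recv(p, out + got, n - got);
        if (r == 0)
            return -1;
        got += r;
    }
    return 0;
}

/* Decode the assumed wire format's length prefix: 4 bytes, big-endian. */
static uint32_t be32(const unsigned char b[4])
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* VULNERABLE: the peer-supplied length goes straight into the read, so any
 * length above FRAME_MAX writes past the end of buf (a stack buffer in the caller). */
int read_frame_unchecked(struct peer *p, unsigned char *buf)
{
    unsigned char hdr[4];
    if (recv_exact(p, hdr, 4) < 0)
        return -1;
    int len = (int)be32(hdr);                 /* 0xffffffff becomes -1 ...          */
    if (recv_exact(p, buf, (size_t)len) < 0)  /* ... and (size_t)-1 is a huge read  */
        return -1;
    return len;
}

/* HARDENED: reject zero and oversized lengths before touching buf, and treat a
 * stream that ends before the announced payload as a protocol error. */
int read_frame_checked(struct peer *p, unsigned char *buf, size_t bufsz)
{
    unsigned char hdr[4];
    if (recv_exact(p, hdr, 4) < 0)
        return -1;
    uint32_t len = be32(hdr);
    if (len == 0 || len > bufsz)
        return -1;
    if (recv_exact(p, buf, len) < 0)
        return -1;
    return (int)len;
}

/* Run the hardened reader over a constructed byte string; returns payload length or -1. */
int parse_frame(const unsigned char *wire, size_t wirelen)
{
    struct peer p = { wire, wirelen, 0 };
    unsigned char buf[FRAME_MAX];
    return read_frame_checked(&p, buf, sizeof buf);
}

int main(void)
{
    /* Constructed frames: a 5-byte "hello", a hostile 2 GiB length, a truncated payload. */
    static const unsigned char good[]      = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    static const unsigned char hostile[]   = { 0x7f, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A' };
    static const unsigned char truncated[] = { 0, 0, 0, 10, 'a', 'b', 'c' };

    printf("good:      %d\n", parse_frame(good, sizeof good));
    printf("hostile:   %d\n", parse_frame(hostile, sizeof hostile));
    printf("truncated: %d\n", parse_frame(truncated, sizeof truncated));
    /* read_frame_unchecked() on `hostile` would ask for 2 GiB into a 64-byte buffer. */
    return 0;
}
```

The hardened reader adds the three checks the vulnerable one lacks: a zero length, a length larger than the destination, and a stream that ends before the announced payload. With the caller keeping buf on the stack, the difference between the two readers is the difference between a closed connection and an overwritten return address, which is why the advisory rates the tcp_test() case as remote code execution and the net_get() case as denial of service.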
Comment 1 Rick Farina (Zero_Chaos) gentoo-dev 2014-11-03 15:49:03 UTC
RC1 is in cvs already, 1.2_beta3 isn't stable. rc1 is fine to stable, and we can remove all older versions for all I care.
Comment 2 Agostino Sarubbo gentoo-dev 2014-11-03 16:12:17 UTC
Arches, please test and mark stable:
=net-wireless/aircrack-ng-1.2_rc1
Target keywords : "amd64 arm ppc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-11-03 16:16:26 UTC
(In reply to Agostino Sarubbo from comment #2)
> Arches, please test and mark stable:
> =net-wireless/aircrack-ng-1.2_rc1
> Target keywords : "amd64 arm ppc x86"

and =net-wireless/lorcon-0.0_p20130212-r1 since it is a DEPEND.
Comment 4 Agostino Sarubbo gentoo-dev 2014-11-03 16:17:00 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-11-03 16:17:20 UTC
x86 stable
Comment 6 Rick Farina (Zero_Chaos) gentoo-dev 2014-11-03 17:53:33 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-11-10 13:46:01 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2014-11-10 23:34:59 UTC
GLSA has been drafted.

Maintainers, please drop vulnerable versions so we can release the GLSA. Thanks.
Comment 9 Rick Farina (Zero_Chaos) gentoo-dev 2014-11-12 00:15:36 UTC
(In reply to Sean Amoss from comment #8)
> GLSA has been drafted.
> 
> Maintainers, please drop vulnerable versions so we can release the GLSA.
> Thanks.

Oh man that felt good...

--- ./ChangeLog
+++ ./ChangeLog
@@ -4,0 +5,16 @@
+  12 Nov 2014; Rick Farina <zerochaos@gentoo.org> -aircrack-ng-1.1-r2.ebuild,
+  -aircrack-ng-1.1-r4.ebuild, -aircrack-ng-1.2_beta3-r3.ebuild,
+  -files/aircrack-ng-1.0_rc3-respect_LDFLAGS.patch,
+  -files/aircrack-ng-1.0_rc4-fix_build.patch,
+  -files/aircrack-ng-1.1-CVE-2010-1159.patch,
+  -files/aircrack-ng-1.1-parallelmake.patch,
+  -files/aircrack-ng-1.1-respect_LDFLAGS.patch,
+  -files/aircrack-ng-1.1-sse-pic.patch,
+  -files/aircrack-ng-9999-fix-labels.patch,
+  -files/airodump-ng-oui-update-path-fix.patch,
+  -files/airodump-ng.ignore-negative-one.v4.patch,
+  -files/changeset_r1921_backport.diff,
+  -files/diff-wpa-migration-mode-aircrack-ng.diff, -files/eapol_fix.patch,
+  -files/ignore-channel-1-error.patch, -files/process-group-leader.c:
+  cleanup for security bug #528132
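Review bot: the entry names only bug #528132; adding the CVE identifiers (CVE-2014-8321 through CVE-2014-8324) or the GLSA to the message would make this cleanup findable when the ChangeLog is searched by CVE. Also, since the hunk shows only deletions, confirm that the surviving aircrack-ng-1.2_rc1 ebuild references none of the removed files/ patches (for example airodump-ng-oui-update-path-fix.patch or airodump-ng.ignore-negative-one.v4.patch), or it will break when it tries to apply them.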

You may feel free to not wait on me to do such things in the future, although it did feel really good to delete all that old stuff.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-11-23 18:15:00 UTC
This issue was resolved and addressed in
 GLSA 201411-08 at http://security.gentoo.org/glsa/glsa-201411-08.xml
by GLSA coordinator Sean Amoss (ackle).