Bug 180695 - sys-block/open-iscsi < 2.0-865 Two vulnerabilities (CVE-2007-3099, CVE-2007-3100)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa] DerCorny
Keywords:
Depends on: 139865
Blocks:
Reported: 2007-06-03 06:41 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-08-29 10:00 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-03 06:41:53 UTC
1) iscsid provides a management interface using an AF_LOCAL socket. To prevent unauthorized users from messing with it, it checks for the client's uid by doing a getsockopt(SO_PEERCRED).

   Unfortunately, it performs this operation on the *listening* socket, rather than the newly accepted connection. This will always return a uid of 0, effectively allowing everyone to perform management operations on the iSCSI initiator.

   It currently appears as if the impact is limited to DoS, as there's no obvious way for an attacker to retrieve e.g. passwords, or gain privilege. There's a whole lot of code though, so maybe there's a buffer overflow lurking somewhere that can be exploited.

   However, at a minimum this allows an attacker to shoot down iscsid, or tear down individual iSCSI connections.

2) iscsid uses a rather fanciful logging mechanism, where the main process logs to a shared memory area, from where a child process picks up the messages and feeds them to syslog. This is protected by a semaphore created with mode 0666. This allows anyone to up the semaphore. iscsid will block on the next attempt to log something, and hang indefinitely.
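The credential check from item 1, written out as an added example (this is not open-iscsi's code): the SO_PEERCRED query belongs on the file descriptor returned by accept(), and a socketpair() self-check shows what the credentials of a genuinely connected peer look like. The function names are assumptions made for this illustration.

```c
#define _GNU_SOURCE          /* struct ucred in <sys/socket.h> on glibc */
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if the peer on a *connected* AF_LOCAL socket is uid 0,
 * 0 if it is another user, -1 if the kernel gave no credentials. */
int peer_is_root(int conn_fd)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(conn_fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    return cred.uid == 0;
}

/* Admit a management connection only when the peer is root. The check
 * runs on the accepted fd, not on listen_fd, which has no peer to report. */
int accept_authorized(int listen_fd)
{
    int conn_fd = accept(listen_fd, NULL, NULL);
    if (conn_fd < 0)
        return -1;
    if (peer_is_root(conn_fd) != 1) {
        close(conn_fd);
        return -1;
    }
    return conn_fd;
}

/* Self-check with socketpair(): both ends belong to this process, so the
 * reported peer must carry our own uid and pid. Returns 1 on success. */
int selftest_peercred_is_self(void)
{
    int sv[2], ok = 0;
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    if (getsockopt(sv[0], SOL_SOCKET, SO_PEERCRED, &cred, &len) == 0)
        ok = cred.uid == getuid() && cred.pid == getpid();
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    return selftest_peercred_is_self() ? 0 : 1;
}
```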
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-12 17:47:31 UTC
http://svn.berlios.de/viewcvs/open-iscsi?rev=858&view=rev
http://svn.berlios.de/viewcvs/open-iscsi?rev=857&view=rev

robbat2, please provide fixed ebuilds, thx
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-08-29 09:45:27 UTC
2.0.865.12 is in the tree now.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-29 10:00:28 UTC
Thanks Robin. Rerating since there was no stable version, and closing.