Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 464636 (CVE-2013-1923)

Summary: <net-fs/nfs-utils-1.2.8: rpc.gssd is vulnerable to DNS spoofing (CVE-2013-1923)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-fs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=948072
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-04-04 19:12:32 UTC 
From ${URL} :

It was reported [1],[2] that rpc.gssd in nfs-utils is vulnerable to DNS spoofing due to it 
depending on PTR resolution for GSSAPI authentication.  Because of this, if a user where able to 
poison DNS to a victim's computer, they would be able to trick rpc.gssd into talking to another 
server (perhaps with less security) than the intended server (with stricter security).  If the 
victim has write access to the second (less secure) server, and the attacker has read access (when 
they normally might not on the secure server), the victim could write files to that server, which 
the attacker could obtain (when normally they would not be able to).  To the victim this is 
transparent because the victim's computer asks the KDC for a ticket to the second server due to 
reverse DNS resolution; in this case Krb5 authentication does not fail because the victim is 
talking to the "correct" server.

A patch that prevents this issue has been posted [3].

To workaround this issue, set the IP/host pair in /etc/hosts so that it cannot be spoofed.

A good explanation is also available here [4].

[1] http://marc.info/?l=linux-nfs&m=136491998607561&w=2
[2] http://marc.info/?l=linux-nfs&m=136500502805121&w=2
[3] http://marc.info/?l=linux-nfs&m=136493115612397&w=2
[4] http://ssimo.org/blog/id_015.html
Comment 2 Joakim Tjernlund 2014-04-08 16:17:37 UTC 
net-fs/nfs-utils-1.3.0 is released upstream

Needs newer sys-apps/keyutils
will not build against 1.5.5 but unstable 1.5.9 works
Comment 3 SpanKY gentoo-dev 2014-06-20 06:10:24 UTC 
stable version includes this fix now
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-06-21 03:24:22 UTC 
(In reply to SpanKY from comment #3)
> stable version includes this fix now

I do not see 1.28 as stable, was it a typo and you meant 1.29 which is stable?
Comment 5 SpanKY gentoo-dev 2014-06-24 21:44:10 UTC 
(In reply to Yury German from comment #4)

no, both modifications were accurate
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-06-27 21:12:36 UTC 
As per vapier this was fixed in 1.28

Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-01 21:04:33 UTC 
Ping for cleanup
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-11-18 08:04:05 UTC 
(In reply to Kristian Fiskerstrand from comment #7)
> Ping for cleanup

Double ping. Will wait a few days for timeout.
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-11-18 15:02:10 UTC 
Thank you for cleanup.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 23:11:47 UTC 
This issue was resolved and addressed in
 GLSA 201412-02 at http://security.gentoo.org/glsa/glsa-201412-02.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).