Summary: | <net-fs/openafs-1.6.5: Brute force DES attack permits compromise of AFS cell (CVE-2013-4134) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Chris Reffett (RETIRED) <creffett> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | andrej.filipcic, axs, net-fs, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openafs.org/pages/security/OPENAFS-SA-2013-003.txt | ||
Whiteboard: | B4 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 478498 | ||
Bug Blocks: | 478282 |
Description
Chris Reffett (RETIRED)
2013-07-26 21:50:50 UTC
I believe this bug should be reclassified as a B0 security hole. The reason for this is the bos exec command found in AFS. bos exec allows an appropriately credentialed user (usually the AFS administrators) to execute arbitrary shell commands on any server in the AFS realm that is running the Bosserver (Basic Overseer); generally this is any AFS server. The bos exec command can be used from All shell commands are run without any logging on the server and with root privileges. Therefore, since this security hole allows anyone to impersonate any user in the AFS realm, it would allow them to impersonate the AFS administrators (which can be listed by anyone with even normal AFS access) and execute any shell command on any AFS server as root with no logging of the commands run. Let's get this stabilized. Arches, please test and stabilize: =net-fs/openafs-1.6.5 =net-fs/openafs-kernel-1.6.5 Target arches for both: amd64 sparc x86 Thanks! *** Bug 482962 has been marked as a duplicate of this bug. *** Some issues here: -build log not verbose -calls ar directly -calls gcc directly -cflags not respected The rest is ok. I want to know the maintainer's opinion. Do you think we can stabilize it, or do you preffer to fix those issues first? I will check those things above over the weekend, but my bet is that they cannot be changed easily due to specific requirements of the build system. openafs-1.6.5 seems to suffer from the same issues in src_prepare (with autotools removed from inherit) as openafs-kernel did. This should also be fixed (am doing so immediately); I'll look into ar/gcc/cflags while I'm at it. If the maintainer could check into the importance of overriding CFLAGS, that would be appreciated. I guess security is more important than CFLAGS, so go ahead. Direct ar calling and verbose build log on openafs-kernel-1.6.5-r1 fixed and commited. (In reply to Andrej Filipcic from comment #5) > I will check those things above over the weekend, but my bet is that they > cannot be changed easily due to specific requirements of the build system. Ping. How is going that thing? We have decided to keep it as is. amd64 x86 : stable sparc stable (Based on comment 1) GLSA vote: yes. GLSA vote: yes Added to existing GLSA draft CVE-2013-4134 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4134): OpenAFS before 1.4.15, 1.6.x before 1.6.5, and 1.7.x before 1.7.26 uses weak encryption (DES) for Kerberos keys, which makes it easier for remote attackers to obtain the service key. This issue was resolved and addressed in GLSA 201404-05 at http://security.gentoo.org/glsa/glsa-201404-05.xml by GLSA coordinator Mikle Kolyada (Zlogene). |