Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 464636 (CVE-2013-1923) - <net-fs/nfs-utils-1.2.8: rpc.gssd is vulnerable to DNS spoofing (CVE-2013-1923)
Summary: <net-fs/nfs-utils-1.2.8: rpc.gssd is vulnerable to DNS spoofing (CVE-2013-1923)
Status: RESOLVED FIXED
Alias: CVE-2013-1923
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-04 19:12 UTC by Agostino Sarubbo
Modified: 2014-12-08 23:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-04-04 19:12:32 UTC 
From ${URL} :

It was reported [1],[2] that rpc.gssd in nfs-utils is vulnerable to DNS spoofing due to it 
depending on PTR resolution for GSSAPI authentication.  Because of this, if a user where able to 
poison DNS to a victim's computer, they would be able to trick rpc.gssd into talking to another 
server (perhaps with less security) than the intended server (with stricter security).  If the 
victim has write access to the second (less secure) server, and the attacker has read access (when 
they normally might not on the secure server), the victim could write files to that server, which 
the attacker could obtain (when normally they would not be able to).  To the victim this is 
transparent because the victim's computer asks the KDC for a ticket to the second server due to 
reverse DNS resolution; in this case Krb5 authentication does not fail because the victim is 
talking to the "correct" server.

A patch that prevents this issue has been posted [3].

To workaround this issue, set the IP/host pair in /etc/hosts so that it cannot be spoofed.

A good explanation is also available here [4].

[1] http://marc.info/?l=linux-nfs&m=136491998607561&w=2
[2] http://marc.info/?l=linux-nfs&m=136500502805121&w=2
[3] http://marc.info/?l=linux-nfs&m=136493115612397&w=2
[4] http://ssimo.org/blog/id_015.html
Comment 2 Joakim Tjernlund 2014-04-08 16:17:37 UTC 
net-fs/nfs-utils-1.3.0 is released upstream

Needs newer sys-apps/keyutils
will not build against 1.5.5 but unstable 1.5.9 works
Comment 3 SpanKY gentoo-dev 2014-06-20 06:10:24 UTC 
stable version includes this fix now
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-06-21 03:24:22 UTC 
(In reply to SpanKY from comment #3)
> stable version includes this fix now

I do not see 1.28 as stable, was it a typo and you meant 1.29 which is stable?
Comment 5 SpanKY gentoo-dev 2014-06-24 21:44:10 UTC 
(In reply to Yury German from comment #4)

no, both modifications were accurate
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-06-27 21:12:36 UTC 
As per vapier this was fixed in 1.28

Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-01 21:04:33 UTC 
Ping for cleanup
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-11-18 08:04:05 UTC 
(In reply to Kristian Fiskerstrand from comment #7)
> Ping for cleanup

Double ping. Will wait a few days for timeout.
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-11-18 15:02:10 UTC 
Thank you for cleanup.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 23:11:47 UTC 
This issue was resolved and addressed in
 GLSA 201412-02 at http://security.gentoo.org/glsa/glsa-201412-02.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).