Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 478296 (CVE-2013-4134) - <net-fs/openafs-1.6.5: Brute force DES attack permits compromise of AFS cell (CVE-2013-4134)
Summary: <net-fs/openafs-1.6.5: Brute force DES attack permits compromise of AFS cell ...
Status: RESOLVED FIXED
Alias: CVE-2013-4134
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openafs.org/pages/security...
Whiteboard: B4 [glsa]
Keywords:
: 482962 (view as bug list)
Depends on: 478498
Blocks: CVE-2013-4135
  Show dependency tree
 
Reported: 2013-07-26 21:50 UTC by Chris Reffett (RETIRED)
Modified: 2014-04-07 21:53 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Reffett (RETIRED) gentoo-dev Security 2013-07-26 21:50:50 UTC
(From upstream advisory)

OpenAFS uses Kerberos tickets to secure network traffic. For historical
reasons, it has only supported the DES encryption algorithm to encrypt
these tickets. The weakness of DES's 56 bit key space has long been
known, however it has recently become possible to use that weakness 
to cheaply (around $100) and rapidly (approximately 23 hours) compromise
a service's long term key.

An attacker must first obtain a ticket for the cell. They may then use
a brute force attack to compromise the cell's private service key.
Once an attacker has gained access to the service key, they can use this
to impersonate any user within the cell, including the super user, giving
them access to all administrative capabilities as well as all user data.

IMPACT
======

An attacker may gain complete control over the targeted cell.

No publicly available exploits are currently known.

AFFECTED SOFTWARE
=================

All current releases of OpenAFS. This is all releases prior to 1.4.15, all 
releases in the 1.6 series prior to 1.6.5 and all releases in the 1.7 series
prior to 1.7.26.
Comment 1 Andrew Hamilton 2013-08-16 01:03:13 UTC
I believe this bug should be reclassified as a B0 security hole. The reason for this is the bos exec command found in AFS.

bos exec allows an appropriately credentialed user (usually the AFS administrators) to execute arbitrary shell commands on any server in the AFS realm that is running the Bosserver (Basic Overseer); generally this is any AFS server. The bos exec command can be used from All shell commands are run without any logging on the server and with root privileges.

Therefore, since this security hole allows anyone to impersonate any user in the AFS realm, it would allow them to impersonate the AFS administrators (which can be listed by anyone with even normal AFS access) and execute any shell command on any AFS server as root with no logging of the commands run.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 17:00:15 UTC
Let's get this stabilized. Arches, please test and stabilize:
=net-fs/openafs-1.6.5 =net-fs/openafs-kernel-1.6.5

Target arches for both: amd64 sparc x86

Thanks!
Comment 3 Ian Stakenvicius (RETIRED) gentoo-dev 2013-08-29 19:59:03 UTC
*** Bug 482962 has been marked as a duplicate of this bug. ***
Comment 4 Vicente Olivert Riera (RETIRED) gentoo-dev 2013-08-30 14:07:19 UTC
Some issues here:
-build log not verbose
-calls ar directly
-calls gcc directly
-cflags not respected

The rest is ok. I want to know the maintainer's opinion. Do you think we can stabilize it, or do you preffer to fix those issues first?
Comment 5 Andrej Filipcic 2013-08-30 14:13:01 UTC
I will check those things above over the weekend, but my bet is that they cannot be changed easily due to specific requirements of the build system.
Comment 6 Ian Stakenvicius (RETIRED) gentoo-dev 2013-08-30 14:16:12 UTC
openafs-1.6.5 seems to suffer from the same issues in src_prepare (with autotools removed from inherit) as openafs-kernel did.  This should also be fixed (am doing so immediately); I'll look into ar/gcc/cflags while I'm at it.

If the maintainer could check into the importance of overriding CFLAGS, that would be appreciated.
Comment 7 Agostino Sarubbo gentoo-dev 2013-08-30 14:25:13 UTC
I guess security is more important than CFLAGS, so go ahead.
Comment 8 Vicente Olivert Riera (RETIRED) gentoo-dev 2013-08-30 23:49:13 UTC
Direct ar calling and verbose build log on openafs-kernel-1.6.5-r1 fixed and commited.
Comment 9 Vicente Olivert Riera (RETIRED) gentoo-dev 2013-09-03 12:57:06 UTC
(In reply to Andrej Filipcic from comment #5)
> I will check those things above over the weekend, but my bet is that they
> cannot be changed easily due to specific requirements of the build system.

Ping. How is going that thing?
Comment 10 Vicente Olivert Riera (RETIRED) gentoo-dev 2013-09-03 13:46:18 UTC
We have decided to keep it as is.

amd64 x86 : stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-09-06 10:23:20 UTC
sparc stable
Comment 12 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 05:28:01 UTC
(Based on comment 1) GLSA vote: yes.
Comment 13 Sergey Popov gentoo-dev 2013-09-20 09:16:27 UTC
GLSA vote: yes

Added to existing GLSA draft
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-11-12 23:31:15 UTC
CVE-2013-4134 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4134):
  OpenAFS before 1.4.15, 1.6.x before 1.6.5, and 1.7.x before 1.7.26 uses weak
  encryption (DES) for Kerberos keys, which makes it easier for remote
  attackers to obtain the service key.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-04-07 21:53:09 UTC
This issue was resolved and addressed in
 GLSA 201404-05 at http://security.gentoo.org/glsa/glsa-201404-05.xml
by GLSA coordinator Mikle Kolyada (Zlogene).