=====================================================================
CERT-Renater Information Note No. 2013/VULN098
_____________________________________________________________________
DATE                 : 06/03/2013
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running OpenAFS versions prior to 1.6.2.
======================================================================

http://www.openafs.org/pages/security/OPENAFS-SA-2013-001.txt
http://www.openafs.org/pages/security/OPENAFS-SA-2013-002.txt
______________________________________________________________________

OpenAFS Security Advisory 2013-001

Topic:        Buffer overflows in OpenAFS fileserver
              CVE-2013-1794
Issued:       27 Feb 2013
Last Updated: 27 Feb 2013
Affected:     OpenAFS servers before version 1.6.2

An attacker with the ability to manipulate AFS directory ACLs may crash the
fileserver hosting that volume. In addition, once a corrupt ACL is placed on
a fileserver, its existence may crash client utilities manipulating ACLs on
that server.

SUMMARY
=======

By carefully crafting an ACL entry an attacker may overflow fixed-length
buffers within the OpenAFS fileserver, crashing the fileserver and
potentially permitting the execution of arbitrary code. To perform the
exploit, the attacker must already have permission to set ACLs on the
fileserver in question.

Once such an ACL is present on a fileserver, client utilities such as 'fs'
which manipulate ACLs may crash when they attempt to read or modify the ACL.

IMPACT
======

An authenticated attacker may crash, or run arbitrary code on, an OpenAFS
fileserver or a client connected to such a server.

AFFECTED SOFTWARE
=================

All releases of OpenAFS prior to 1.6.2.

FIXES
=====

The OpenAFS project recommends that administrators upgrade to OpenAFS 1.6.2
or later. For those sites unable, or unwilling, to upgrade, a patch which
resolves this issue is included with the advisory at the URL above (the
patch itself is not reproduced in this note).
This patch should apply to both OpenAFS 1.6.1 and OpenAFS 1.4.14.

The latest stable OpenAFS release is always available from
http://www.openafs.org/release/latest.html

This announcement, and code patches related to it, may be found on the
OpenAFS security advisory page at http://www.openafs.org/security/

ACKNOWLEDGEMENTS
================

This issue was identified, and the fix provided, by Nickolai Zeldovich.
______________________________________________________________________

OpenAFS Security Advisory 2013-002

Topic:        Buffer overflow in OpenAFS ptserver
              CVE-2013-1795
Issued:       21 Feb 2013
Last Updated: 21 Feb 2013
Affected:     OpenAFS servers before version 1.6.2

An attacker can crash an OpenAFS ptserver by sending an IdToName RPC with a
large payload.

SUMMARY
=======

The ptserver accepts a list of unbounded size from the IdToName RPC. The
length of this list is then used to determine the size of a number of other
internal data structures. If the length is sufficiently large, the
calculation of the size to pass to malloc may overflow, so that the data
structures are allocated with insufficient length and heap memory is
overwritten when they are filled.

IMPACT
======

An unauthenticated attacker can crash an OpenAFS ptserver.

AFFECTED SOFTWARE
=================

All releases of OpenAFS prior to 1.6.2.

FIXES
=====

The OpenAFS project recommends that administrators upgrade to OpenAFS 1.6.2
or later. For those sites unable, or unwilling, to upgrade, a patch which
resolves this issue is included with the advisory at the URL above (the
patch itself is not reproduced in this note).
This patch should apply to both OpenAFS 1.6.1 and OpenAFS 1.4.14.

The latest stable OpenAFS release is always available from
http://www.openafs.org/release/latest.html

This announcement, and code patches related to it, may be found on the
OpenAFS security advisory page at http://www.openafs.org/security/

ACKNOWLEDGEMENTS
================

This issue was identified, and the fix provided, by Nickolai Zeldovich.
======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44        +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41        +
+ 75013 Paris           | email: certsvp@renater.fr   +
=========================================================
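Added example (editor's illustration, not OpenAFS code and not part of either
advisory above): both advisories describe the same root cause, a length that
arrives from the network or from a stored ACL and is trusted when sizing
memory. The ptserver case is a malloc size computed from an unbounded list
length that wraps; the fileserver case is a crafted ACL entry written into a
fixed-length buffer. The C below shows the wrapping size computation next to
a checked allocation, and a bounded copy into a fixed-length name field that
refuses oversize input instead of truncating it. The names and limits
(struct id_name, NAME_BUF_LEN, MAX_ID_LIST, the 0x40000000 count) are this
example's own assumptions, chosen to make the wrap visible; they are not the
OpenAFS structures, constants or the 1.6.2 fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_LEN 64    /* fixed-length name field (example value, not OpenAFS's) */
#define MAX_ID_LIST  5000  /* cap on ids per request (example value, not OpenAFS's)  */

struct id_name {           /* example entry type: one id and its name */
    int32_t id;
    char    name[NAME_BUF_LEN];
};

/* Vulnerable pattern: the allocation size is derived from a caller-supplied
 * count with 32-bit arithmetic and no upper bound. For a large count the
 * multiplication wraps, malloc() would return a small block, and filling in
 * 'count' entries afterwards writes past its end (heap corruption). */
uint32_t unchecked_list_bytes(uint32_t count)
{
    return count * (uint32_t)sizeof(struct id_name);
}

/* Hardened: enforce the protocol limit first, then prove the multiply cannot
 * exceed size_t before allocating. Returns NULL (and allocates nothing) for
 * any rejected count so the caller can fail the request instead of trusting it. */
struct id_name *checked_list_alloc(uint32_t count, size_t *out_bytes)
{
    if (count == 0 || count > MAX_ID_LIST)
        return NULL;
    if ((size_t)count > SIZE_MAX / sizeof(struct id_name))
        return NULL;                      /* not reachable under MAX_ID_LIST; defence in depth */
    if (out_bytes)
        *out_bytes = (size_t)count * sizeof(struct id_name);
    return calloc(count, sizeof(struct id_name));
}

/* Hardened copy of an ACL-style name into the fixed-length field: a name that
 * does not fit is refused (truncating could silently change which principal
 * the entry names), and the result is always NUL-terminated.
 * Returns 0 on success, -1 if the name is too long. */
int checked_name_copy(struct id_name *e, const char *src)
{
    const char *end = memchr(src, '\0', NAME_BUF_LEN);   /* NUL must appear within the field */
    if (end == NULL)
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(e->name, src, n);
    e->name[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: a benign request and an oversized one. */
    uint32_t benign = 10, hostile = 0x40000000u;
    size_t bytes = 0;

    printf("unchecked: count=%u -> %u bytes\n", hostile, unchecked_list_bytes(hostile));
    struct id_name *list = checked_list_alloc(hostile, &bytes);
    printf("checked:   count=%u -> %s\n", hostile, list ? "allocated" : "rejected");

    list = checked_list_alloc(benign, &bytes);
    if (list != NULL) {
        char longname[NAME_BUF_LEN + 8];                  /* constructed oversize name */
        memset(longname, 'A', sizeof longname - 1);
        longname[sizeof longname - 1] = '\0';
        printf("checked:   count=%u -> %zu bytes\n", benign, bytes);
        printf("name copy: short=%d long=%d\n",
               checked_name_copy(&list[0], "system:administrators"),
               checked_name_copy(&list[0], longname));
        free(list);
    }
    return 0;
}
```

With a 68-byte entry, a count of 0x40000000 multiplies to exactly 2^32 and
the unchecked size wraps to 0; the checked path rejects the same count before
any arithmetic is done. The point for an RPC server is that the bound has to
be enforced on the decoded length, before it is used to size anything.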