SecurityTracker.com
Category:  Application (File Transfer/Sharing)  >  OpenAFS
Vendors:  OpenAFS.org
OpenAFS FetchStatus Spoofing Lets Remote Users Gain Elevated Privileges
SecurityTracker Alert ID:  1017807
SecurityTracker URL:  http://securitytracker.com/id?1017807
CVE Reference:  CVE-2007-1507
Updated:  Mar 22 2007
Original Entry Date:  Mar 22 2007
Impact:  Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.0 - 1.4.3, 1.5.0 - 1.5.16
Description:  A vulnerability was reported in OpenAFS. A remote user can gain elevated privileges on the target system.

The OpenAFS cache manager takes a file's mode bits, including the setuid bit, from the file server's FetchStatus reply, and by default it honored setuid on files from the local cell. A remote user with knowledge of the client cache contents can remove the local cache and then spoof a FetchStatus reply for files in the cache, promoting a file to setuid mode for an arbitrary user account, including root. Executing that file on the affected client then runs it with the privileges of the spoofed owner.

The vendor credits Benjamin Bennett from the Pittsburgh Supercomputing Center with reporting this vulnerability.

Impact:  A remote user can gain root privileges on the target system.
Solution:  The vendor has issued fixed versions (1.4.4 and 1.5.17). In the fixed versions the client no longer honors setuid on files from the local cell by default; an administrator who needs setuid files in a cell must enable it explicitly with the "fs setcellstatus" command. The same setting can be applied by hand on a client that has not yet been upgraded by disabling setuid for the local cell with "fs setcellstatus -cell <cellname> -nosuid".

The OpenAFS advisory is available at:

http://www.openafs.org/pages/security/OPENAFS-SA-2007-001.txt

Vendor URL:  www.openafs.org/pages/security/OPENAFS-SA-2007-001.txt
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Derrick J Brashear <openafs-info@openafs.org>
Message History:   None.


 Source Message Contents

Date:  Mon, 19 Mar 2007 15:36:58 -0400 (EDT)
From:  Derrick J Brashear <openafs-info@openafs.org>
Subject:  [OpenAFS-announce] OpenAFS 1.4.4 available

 
 
The OpenAFS Gatekeepers announce the availability of OpenAFS version
1.4.4.  Source files and available binaries can be accessed via the web at:
 
       http://www.openafs.org/dl/openafs/1.4.4/
 
or via AFS at:
 
/afs/grand.central.org/software/openafs/1.4.4/
\\afs\grand.central.org\software\openafs\1.4.4\
 
This is the current recommended release for all Unix platforms. For Windows, we 
recommend use of the current 1.5 series release for best performance.
 
                   OpenAFS Release Notes - Version 1.4.4
      _________________________________________________________________
All Unix systems: Major security bugfix. Minor bugfixes.
Windows: Minor bugfixes.
      _________________________________________________________________
 
* Security bugfix:
 
- SetUID is no longer honored for the local cell by default. The
   "fs setcellstatus" command must be issued for any cell the system
   administrator wishes to allow setuid files in.
 
From 1.4.3:
 
* Bugfixes:
 
Windows:
- Return the correct error code when attempting to remove a
   directory that still contains entries.
 
- Allow renames on inexact case match to allow offline folders to work
   correctly.
 
- VICECONNBAD and VICETOKENDEAD force the use of a new rx connection.
 
- Fix afslogon.dll to not publish environment variables into
   the subprocesses started from winlogon.exe
 
- Fix afslogon.dll to initialize and uninitialize winsock so
   that Kerberos 4 send_to_kdc() can succeed
 
- When opening a directory, CIFS read privilege requires PRSFS_LOOKUP
   not PRSFS_READ.
 
All unix systems:
 
- Make new connection forcing apply even when there is only one interface,
   so we can recover servers marked down due to our address changing.
 
- Fix Universal AFS Error mapping when the local OS does not define some
   errors.
 
- Avoid byte range locking for java when it means to ask for a whole file
   lock but uses a -1 length.
 
- Avoid overwriting random memory if the system has too many addresses at
   cache manager start time.
 
- Allow foreign vlservers to properly time out before first use.
 
- Attempt to clean up from dead tokens without discarding valid ones.
 
- Reinit resolver library on afsdb failure.
 
Linux:
 
- Allow PAG to be stored as a single "large" group instead of 2 16 bit groups.
 
- Fix use of tasklist lock based on availability of lock.
 
- Avoid leaking cred references in the kernel during failed lookups.
 
- Further fixes to syscall table probing.
 
- Updates for kernel header changes.
 
- Use the AFS vfs magic number.
 
- Fix keyring based PAGs to persist across a change.
 
- Avoid leaking locks when closing Firefox.
 
- Fix lock pid tracking to allow better cleanup and avoid bogus assert.
 
- Remove deadlock-prone cred pool implementation entirely.
 
MacOS:
 
- Fake more free disk for apps which do not actually check.
 
Solaris:
 
- Updates to use only public kernel interfaces.
 
All systems:
 
- Make rxdebug be less aggressive when retransmitting.
 
- Allow unix domain socket for fileserver-volserver communication.
 
- Fix server fake address support when NetRestrict is being used.
 
- Fix crash when 3.4 jumbograms are part of an Rx connection.
 
- Fix crashes in pts chown and pts rename.
 
- Make asetkey buildable with Heimdal.
 
- Avoid potential orphaned files during vos restore.
 
- Improve ubik debug logging.
 
- Add vldb repair tool.
 
- Avoid potential bosserver process list corruption.
 
- Revert to previous fileserver startup attachment order.
 
Binary releases are available for AIX 5.1, 5.2 and 5.3; Irix 6.5; Solaris 7, 8, 
9 and 10 on Sparc and 10 on Intel; RedHat Enterprise Linux 3 and 4 on 
Intel and AMD64; Fedora Core 3, 4, 5 and 6 on Intel and 5 and 6 on 
AMD64; MacOS 10.4 Universal; HP-UX11i on PA-RISC; and Windows 
2000, XP and 2003 on Intel, while source is available in gzipped, bzipped, and 
uncompressed tar files.
 
Bug reports should be filed to openafs-bugs@openafs.org.
 
Thanks are due as usual to our dedicated team of binary builders without whom 
the broad range of released binaries would not be possible.
 
Derrick J Brashear
for the OpenAFS gatekeepers
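The release notes above, like the SecurityTracker solution, say that 1.4.4 stops honoring setuid for the local cell unless an administrator turns it back on with "fs setcellstatus". The script below is an added example for auditing that setting across every cell a client knows about; it is not part of the OpenAFS release, the advisory, or this announcement. It assumes the default CellServDB path /usr/vice/etc/CellServDB, the "fs getcellstatus" output format ("Cell <name> status: setuid allowed" or "Cell <name> status: no setuid allowed") and the "fs setcellstatus -cell <name> -nosuid" syntax; the cell names and status lines embedded in it are constructed samples, not captured from a real site.

```shell
#!/bin/sh
# Added audit helper for the OpenAFS setuid-per-cell setting (CVE-2007-1507).
# Not OpenAFS code. Assumptions: the fs command is on PATH, CellServDB lives
# at /usr/vice/etc/CellServDB, and fs getcellstatus prints
#   Cell <name> status: setuid allowed
#   Cell <name> status: no setuid allowed

CELLSERVDB=${CELLSERVDB:-/usr/vice/etc/CellServDB}

# cells_from_cellservdb: read a CellServDB on stdin and print the cell names.
# A cell entry starts with '>' followed by the name and an optional '#comment';
# the server address lines that follow are skipped.
cells_from_cellservdb() {
    sed -n 's/^>\([^[:space:]#]*\).*/\1/p'
}

# suid_cells: read fs getcellstatus output on stdin and print only the cells
# that still honour setuid (the pre-1.4.4 default for the local cell).
suid_cells() {
    awk '$1 == "Cell" && $3 == "status:" && $4 == "setuid" { print $2 }'
}

# remediation_commands: for each cell name on stdin, print the fs command
# that disables setuid for it, i.e. the setting 1.4.4 applies by default.
remediation_commands() {
    while read -r cell; do
        if [ -n "$cell" ]; then
            printf 'fs setcellstatus -cell %s -nosuid\n' "$cell"
        fi
    done
}

# audit_live: ask the running cache manager about every cell in CellServDB
# and print one remediation command per cell that still allows setuid.
audit_live() {
    if ! command -v fs >/dev/null 2>&1; then
        echo "fs not found; is the OpenAFS client installed?" >&2
        return 2
    fi
    cells_from_cellservdb < "$CELLSERVDB" | while read -r cell; do
        fs getcellstatus -cell "$cell" 2>/dev/null
    done | suid_cells | remediation_commands
}

# Constructed sample data (not real output) so the parsers can be exercised
# on a machine without an AFS client.
SAMPLE_STATUS='Cell example.com status: setuid allowed
Cell other.example.org status: no setuid allowed
Cell third.example.net status: setuid allowed'

SAMPLE_CELLSERVDB='>example.com        #Example cell
10.0.0.1            #afsdb1.example.com
>other.example.org  #Another cell
10.0.1.1            #afsdb1.other.example.org'

case "${1:-}" in
    --live)    audit_live ;;
    --dry-run) printf '%s\n' "$SAMPLE_STATUS" | suid_cells | remediation_commands ;;
esac
```

Run it with --live on a client to get one "fs setcellstatus -nosuid" line per cell that still honours setuid (pipe the output to sh to apply them); --dry-run runs the same pipeline over the embedded sample so the parsing can be checked first.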
 
 
 


Copyright 2006, SecurityGlobal.net LLC