
OpenAFS Security Advisories

The following are overviews of security advisories issued by the OpenAFS Project regarding known security problems in OpenAFS and its components. Each overview includes a summary of the problem and a link to the full text of the advisory. Where patches are available, they are included as well. At the end of this document is a table of all OpenAFS security advisories.

If you want to report security problems or issues with OpenAFS, you may send mail to the OpenAFS security officer at security@openafs.org. When sending sensitive information, we ask that you encrypt it with PGP.


OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager

Issued: 6-Apr-2009
Last Update: 6-Apr-2009
Severity: Medium
Affected: OpenAFS 1.0-1.4.8, OpenAFS 1.5.0-1.5.58
Full Text: http://www.openafs.org/security/OPENAFS-SA-2009-002.txt

AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack.
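The mechanism described above is the Linux kernel's ERR_PTR/IS_ERR convention: a negative errno is encoded into the top MAX_ERRNO (4095) bytes of the address space, and any value outside that window is assumed to be a real pointer. The following user-space model is an added example, not OpenAFS or kernel code. It reproduces the convention, shows that a fileserver error code outside the errno range (AFS_FOREIGN_CODE is a constructed stand-in) is not recognised as an error, and shows the defensive step of mapping foreign codes into the errno range before handing them to the kernel. The afs_to_errno mapping is a simplified illustration and not the fix OpenAFS actually shipped.

```c
/* Added example (not OpenAFS or Linux kernel code): user-space model of
 * ERR_PTR/IS_ERR and the class of bug in OPENAFS-SA-2009-002. */
#include <stdio.h>
#include <errno.h>

/* MAX_ERRNO is 4095 in the Linux kernel. */
#define MAX_ERRNO 4095L

/* Kernel convention: a negative errno is stored in the pointer value; only
 * values in the top MAX_ERRNO bytes of the address space count as errors. */
static void *ERR_PTR(long error) { return (void *)error; }
static long PTR_ERR(const void *ptr) { return (long)ptr; }
static int IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Constructed stand-in for a protocol-level error code that lies far
 * outside the errno range; the exact value is not taken from OpenAFS. */
#define AFS_FOREIGN_CODE 101070L

struct dentry { int inode; };
static struct dentry sample_entry = { 42 };

/* Vulnerable pattern: forward the server's code to the kernel unchanged.
 * For AFS_FOREIGN_CODE, -101070 is below -MAX_ERRNO, so IS_ERR() is false
 * and the caller treats the value as a live pointer. */
static void *lookup_unsafe(long server_code)
{
    if (server_code != 0)
        return ERR_PTR(-server_code);
    return &sample_entry;
}

/* Simplified mapping (assumption, not the real OpenAFS fix): pass genuine
 * errno values through, collapse anything else to EIO. */
static long afs_to_errno(long server_code)
{
    if (server_code == 0)
        return 0;
    if (server_code > 0 && server_code <= MAX_ERRNO)
        return server_code;
    return EIO;
}

/* Hardened pattern: only values the kernel can recognise are returned. */
static void *lookup_safe(long server_code)
{
    long err = afs_to_errno(server_code);
    if (err)
        return ERR_PTR(-err);
    return &sample_entry;
}

/* Models the caller's decision: 1 means the kernel would dereference it. */
static int kernel_would_dereference(const void *p) { return !IS_ERR(p); }

int main(void)
{
    void *p = lookup_unsafe(AFS_FOREIGN_CODE);
    printf("unsafe: IS_ERR=%d, kernel would dereference=%d\n",
           IS_ERR(p), kernel_would_dereference(p));
    p = lookup_safe(AFS_FOREIGN_CODE);
    printf("safe:   IS_ERR=%d, errno=%ld\n", IS_ERR(p), -PTR_ERR(p));
    return 0;
}
```

The point of the model is the asymmetry in IS_ERR(): it can only recognise codes in the range -4095 to -1, so any translation layer between a remote protocol and the kernel has to guarantee its return values land in that range.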

There are no known publicly-available exploits for this vulnerability at this time.


OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager

Issued: 6-Apr-2009
Last Update: 6-Apr-2009
Severity: Medium
Affected: OpenAFS 1.0-1.4.8, OpenAFS 1.5.0-1.5.58
Full Text: http://www.openafs.org/security/OPENAFS-SA-2009-001.txt

AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.

There are no known publicly-available exploits for this vulnerability at this time.


OPENAFS-SA-2007-003 - denial of service in OpenAFS fileserver

Issued: 20-Dec-2007
Last Update: 21-Dec-2007
Severity: Medium
Affected: OpenAFS 1.3.50-1.4.5, OpenAFS 1.5.0-1.5.27
Full Text: http://www.openafs.org/security/OPENAFS-SA-2007-003.txt

The AFS fileserver tracks client callbacks on files via a series of internal linked lists. When a client acquires a new callback or gives up an old one, these lists must be updated. Beginning in 1.3.50, a bulk disposal mechanism was added. Because it failed to hold the required lock, unsafe access to this data could result in a crash. No data compromise is known.

There are no known publicly-available exploits for this vulnerability at this time.


OPENAFS-SA-2007-002 - OpenAFS for Windows clients denial of service vulnerability

Issued: 19-Apr-2007
Last Update: 19-Apr-2007
Severity: Medium
Affected: OpenAFS 1.3.64-1.3.99, OpenAFS 1.4.0-1.4.4, OpenAFS 1.5.0-1.5.18
Full Text: http://www.openafs.org/security/OPENAFS-SA-2007-002.txt

OpenAFS for Windows installs a Network Provider module, afslogon.dll, which is loaded by the Windows Logon service, winlogon.exe. When MIT Kerberos for Windows is installed, afslogon.dll will attempt to perform operations that involve the Kerberos v5 libraries. Successful use of Kerberos v5 requires the ability to establish a krb5_context. Parsing errors in the Kerberos v5 configuration profile, krb5.ini, will prevent the successful creation of a krb5_context. afslogon.dll attempts to free a krb5_context whether or not it was successfully established. This produces a memory access error that in turn forces the Windows Logon Service to terminate unexpectedly and causes Microsoft Windows to halt.

There are no known publicly-available exploits for this vulnerability at this time.


OPENAFS-SA-2007-001 - setuid (privilege escalation) in OpenAFS Unix based clients

Issued: 20-Mar-2007
Last Update: 20-Mar-2007
Severity: Medium
Affected: OpenAFS 1.0-1.4.3, OpenAFS 1.5.0-1.5.16
Full Text: http://www.openafs.org/security/OPENAFS-SA-2007-001.txt

Because the AFS cache manager uses an unauthenticated connection for sessions that are not tied to an authenticated user, cache coherency checks for such sessions are performed over an unprotected connection. As a result, it is possible to spoof a false status for files in the cache.

The AFS cache manager on platforms that grant privilege based on file modes (setuid) is vulnerable to such attacks.

There are no known publicly-available exploits for this vulnerability at this time.


OPENAFS-SA-2003-002 - Rx connection hijacking vulnerability

Issued: 18-Apr-2003
Last Update: 18-Apr-2003
Severity: Medium
Affected: OpenAFS 1.0-1.2.7, OpenAFS 1.3.0-1.3.2
Full Text: http://www.openafs.org/security/OPENAFS-SA-2003-002.txt
Patch: http://www.openafs.org/security/openafs-sa-2003-002.patch (PGP signature)

There is a bug in the Rx RPC protocol, used by AFS, which can be exploited by an attacker to hijack arbitrary Rx connections. This allows the attacker to mount a denial of service attack by breaking arbitrary Rx connections. Additionally, unless encryption is used, such as rxkad mode crypt ("fs setcrypt on") and the user accessing files is authenticated (has valid tokens), the attacker can observe and modify the data being transferred.

The AFS cache manager and the other AFS administrative clients (such as pts, fs, vos, etc.) are vulnerable to these attacks. Vulnerable AFS servers allow connections from AFS cache managers to be hijacked, but not connections from the other AFS administrative clients.

There are no known publicly-available exploits for this vulnerability at this time.


OPENAFS-SA-2003-001 - Cryptographic weakness in Kerberos v4

Issued: 25-Mar-2003
Last Update: 25-Mar-2003
Severity: High
Affected: OpenAFS 1.0-1.2.8, OpenAFS 1.3.0-1.3.2
Full Text: http://www.openafs.org/security/OPENAFS-SA-2003-001.txt
Patch: http://www.openafs.org/security/kaserver-disable-krb4-crossrealm-20030317.delta (PGP signature)

A cryptographic weakness in version 4 of the Kerberos protocol allows an attacker to use a chosen-plaintext attack to impersonate any principal in a realm. OpenAFS kaserver implements version 4 of the Kerberos protocol, and therefore is vulnerable. An attacker that knows a shared cross-realm key between any remote realm and the local realm can impersonate any principal in the local realm to AFS database servers and file servers in the local cell, and other services in the local realm. An attacker that can create arbitrary principal names in a realm can also impersonate any principal in that realm.

If your realm has no shared keys, and does not allow users to create arbitrary principal names, you are not exposed to this vulnerability.

There are no known publicly-available exploits for this vulnerability at this time.


OPENAFS-SA-2002-001 - xdr_array integer overflow

Issued: 03-Aug-2002
Last Update: 03-Aug-2002
Severity: High
Affected: OpenAFS 1.0-1.2.5, OpenAFS 1.3.0-1.3.2
Full Text: http://www.openafs.org/security/OPENAFS-SA-2002-001.txt
Patch: http://www.openafs.org/security/xdr-updates-20020731.delta (PGP signature)

There is an integer overflow bug in the SUNRPC-derived RPC library used by OpenAFS that could be exploited to crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver) or to obtain unauthorized root access to a host running one of these processes.

In addition, it is possible for a rogue server to attack certain administrative clients (vos, pts, backup, butc, rxstat), but only if certain RPC requests are made to the rogue server.

The OpenAFS fileserver and cache manager (client) are not vulnerable to these attacks. No exploits are presently known to be available for this vulnerability.
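Both OPENAFS-SA-2002-001 and OPENAFS-SA-2009-001 come down to how a decoder bounds a server-supplied array count. The following is an added example, not OpenAFS code or its RPC library: a minimal decoder for an XDR variable-length array of 32-bit integers (RFC 4506 layout, big-endian count followed by the elements). legacy_alloc_bytes models the pre-2002-001 sizing, where the count is compared with the interface maximum only and the byte total is a 32-bit product that can wrap; xdr_decode_u32_array adds the overflow check and, for the 2009-001 case, also bounds the count by the capacity of the buffer the client actually allocated rather than by the interface maximum. All replies are constructed in the file; the status names and function signatures are this example's own.

```c
/* Added example, not OpenAFS code: XDR u32 array decoding with the bounds
 * checks whose absence is described in OPENAFS-SA-2002-001 (32-bit wrap of
 * count * element size) and OPENAFS-SA-2009-001 (trusting the interface
 * maximum instead of the client's own buffer). Messages are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum xdr_status { XDR_OK = 0, XDR_SHORT, XDR_TOO_MANY, XDR_OVERFLOW, XDR_NOBUF };

struct result { enum xdr_status status; uint32_t n; uint32_t last; };

static void put_u32(uint8_t *buf, size_t *off, uint32_t v)
{
    buf[*off] = (uint8_t)(v >> 24); buf[*off + 1] = (uint8_t)(v >> 16);
    buf[*off + 2] = (uint8_t)(v >> 8); buf[*off + 3] = (uint8_t)v;
    *off += 4;
}

static int get_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (len < *off || len - *off < 4) return 0;      /* truncated message */
    *out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
           ((uint32_t)buf[*off + 2] << 8) | buf[*off + 3];
    *off += 4;
    return 1;
}

/* Sizing as in a pre-2002-001 SUNRPC-style xdr_array: the count is checked
 * against the interface maximum only and the byte total is a 32-bit product,
 * so a large count wraps to a tiny size while the decode loop would still run
 * 'count' times. Returned as a number instead of allocated, so the wrap is
 * visible without corrupting anything. */
static uint32_t legacy_alloc_bytes(uint32_t count, uint32_t elsize, uint32_t maxsize)
{
    if (count > maxsize) return 0;
    return count * elsize;
}

/* Hardened decoder: the server-supplied count is bounded by the interface
 * maximum, by what fits in a 32-bit byte total, and by the capacity of the
 * caller's own buffer. 'cap' and *n_out are element counts. */
static enum xdr_status xdr_decode_u32_array(const uint8_t *msg, size_t len,
                                            uint32_t maxsize, uint32_t *out,
                                            size_t cap, uint32_t *n_out)
{
    const uint32_t elsize = 4;
    size_t off = 0;
    uint32_t count, i;

    *n_out = 0;
    if (!get_u32(msg, len, &off, &count)) return XDR_SHORT;
    if (count > maxsize) return XDR_TOO_MANY;              /* interface bound */
    if (count > UINT32_MAX / elsize) return XDR_OVERFLOW;  /* 2002-001 check */
    if (count > cap) return XDR_NOBUF;                     /* 2009-001 check */
    for (i = 0; i < count; i++)
        if (!get_u32(msg, len, &off, &out[i])) return XDR_SHORT;
    *n_out = count;
    return XDR_OK;
}

/* Builds a constructed reply that claims 'claimed' elements but carries only
 * 'supplied' of them (a misbehaving server), then decodes it with the given
 * interface maximum into a client buffer of 'cap' elements. */
static struct result run_scenario(uint32_t claimed, size_t supplied,
                                  uint32_t maxsize, size_t cap)
{
    static const uint32_t sample[8] = {10, 20, 30, 40, 50, 60, 70, 80};
    uint8_t msg[4 + 8 * 4];
    uint32_t out[8] = {0};
    struct result r = { XDR_NOBUF, 0, 0 };
    size_t off = 0, i;

    if (supplied > 8 || cap > 8) return r;   /* keep the demo buffers in range */
    put_u32(msg, &off, claimed);
    for (i = 0; i < supplied; i++) put_u32(msg, &off, sample[i]);
    r.status = xdr_decode_u32_array(msg, off, maxsize, out, cap, &r.n);
    if (r.n) r.last = out[r.n - 1];
    return r;
}

int main(void)
{
    struct result r = run_scenario(3, 3, 1000, 4);
    printf("honest reply: status=%d n=%u last=%u\n", r.status, r.n, r.last);
    r = run_scenario(8, 8, 1000, 4);
    printf("8 elements into a 4-element buffer: status=%d (XDR_NOBUF=%d)\n",
           r.status, XDR_NOBUF);
    printf("legacy size for count 0x40000001 x 4 bytes: %u\n",
           legacy_alloc_bytes(0x40000001u, 4, UINT32_MAX));
    return 0;
}
```

The ordering of the checks matters: the interface maximum is a property of the protocol definition, the overflow check protects the allocator, and the capacity check protects the specific buffer this call owns. A decoder that enforces only the first is correct against a well-behaved server and wrong against any other.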


Overview of all OpenAFS Security Advisories

ID        Issued       Updated      Severity  Versions Affected           Topic
2002-001  03-Aug-2002  03-Aug-2002  High      1.0-1.2.5, 1.3.0-1.3.2      xdr_array integer overflow
2003-001  25-Mar-2003  25-Mar-2003  High      1.0-1.2.8, 1.3.0-1.3.2      Cryptographic weakness in Kerberos v4
2003-002  18-Apr-2003  18-Apr-2003  Medium    1.0-1.2.7, 1.3.0-1.3.2      Rx connection hijacking vulnerability
2007-001  20-Mar-2007  20-Mar-2007  Medium    1.0-1.4.3, 1.5.0-1.5.16     setuid (privilege escalation) in OpenAFS Unix based clients
2007-002  19-Apr-2007  19-Apr-2007  Medium    1.3.64-1.4.4, 1.5.0-1.5.18  OpenAFS for Windows clients denial of service vulnerability
2007-003  20-Dec-2007  21-Dec-2007  Medium    1.3.50-1.4.5, 1.5.0-1.5.27  denial of service in OpenAFS fileserver