[OpenAFS-announce] OpenAFS Security Advisory 2009-001

Simon Wilkinson openafs-info@openafs.org
Mon, 6 Apr 2009 23:28:14 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ A copy of this message, and related patches signed with the OpenAFS
   security key is available from the OpenAFS website ]

                       OpenAFS Security Advisory 2009-001
                                 CVE-2009-1251

Topic: Network based buffer overflow attack against Unix cache manager

Issued:		06-Apr-2009
Last Update:    06-Apr-2009
Affected:	OpenAFS Unix clients (excluding Mac OS X 10.4 & 10.5)
		running versions 1.0 -> 1.4.8 and 1.5.0 -> 1.5.58

An attacker with control of a fileserver, or the ability to forge RX
packets, can crash the cache manager, and hence the kernel, of any Unix
AFS client. It may be possible for an attacker to cause the kernel to
execute arbitrary code.

SUMMARY
=======

AFS's XDR data marshalling language permits the construction of arrays
with a size constrained by the interface definition. The XDR decoding
language will accept data from the server up to this maximum size, which
in some cases is stored into a buffer allocated by the client.

In several locations, the AFS client assumes that the server will never
return more data than requested, and so allocates a buffer smaller than
this maximum size. Whilst this causes no problems when communicating with
valid servers, an attacker can return more data than expected, and
overflow the client's buffer.
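The mismatch described above, reduced to a toy XDR decoder, as an added
illustration that is not code from this advisory or from OpenAFS. The
wire layout (4-byte big-endian count followed by that many 4-byte
elements), the function names and the interface bound of 64 are all
assumptions made for the example. The decoder is told both the limit
from the interface definition (`if_max`, the only bound XDR itself
enforces) and how many elements the caller really allocated
(`out_cap`); a reply that is legal under the first but larger than the
second is refused instead of being copied past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy XDR (assumption for this example): a variable-length array of
 * uint32 is a 4-byte big-endian count, then that many 4-byte elements. */

/* Read one big-endian uint32 at *pos, advancing *pos. Fails if the
 * message is too short, so a truncated reply never reads past buf. */
static int xdr_get_u32(const uint8_t *buf, size_t buflen, size_t *pos,
                       uint32_t *out)
{
    if (*pos > buflen || buflen - *pos < 4)
        return -1;
    const uint8_t *p = buf + *pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    *pos += 4;
    return 0;
}

static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Decode into storage the caller allocated for out_cap elements.
 * if_max is the bound from the interface definition; out_cap is what the
 * caller actually allocated, which in the vulnerable code was smaller.
 * Returns 0 on success, -1 if the reply is truncated, exceeds if_max,
 * or exceeds out_cap. */
int xdr_decode_u32_array(const uint8_t *buf, size_t buflen, uint32_t if_max,
                         uint32_t *out, size_t out_cap, size_t *out_count)
{
    size_t pos = 0;
    uint32_t count;

    if (xdr_get_u32(buf, buflen, &pos, &count) != 0)
        return -1;
    if (count > if_max)     /* the bound XDR already applies */
        return -1;
    if (count > out_cap)    /* the missing check: the peer is not trusted
                               to honour the size we asked for */
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (xdr_get_u32(buf, buflen, &pos, &out[i]) != 0)
            return -1;
    }
    *out_count = count;
    return 0;
}

/* Build a constructed reply declaring `count` elements valued first,
 * first+1, ... Returns bytes written, or 0 if buf is too small. */
size_t build_reply(uint8_t *buf, size_t buflen, uint32_t count, uint32_t first)
{
    size_t need = 4 + 4 * (size_t)count;
    if (need > buflen)
        return 0;
    put_u32(buf, count);
    for (uint32_t i = 0; i < count; i++)
        put_u32(buf + 4 + 4 * (size_t)i, first + i);
    return need;
}

/* A reply that fits the caller's 4-element buffer is accepted. */
int check_expected_reply_accepted(void)
{
    uint8_t msg[64];
    uint32_t out[4];
    size_t n = 0;
    size_t len = build_reply(msg, sizeof msg, 2, 100);
    if (xdr_decode_u32_array(msg, len, 64, out, 4, &n) != 0)
        return 0;
    return n == 2 && out[0] == 100 && out[1] == 101;
}

/* A reply within the interface bound (64) but larger than the 4 elements
 * the caller allocated is refused rather than written past out[]. */
int check_overlong_reply_rejected(void)
{
    uint8_t msg[64];
    uint32_t out[4];
    size_t n = 0;
    size_t len = build_reply(msg, sizeof msg, 6, 0);
    return xdr_decode_u32_array(msg, len, 64, out, 4, &n) == -1;
}

/* A reply whose declared count exceeds the bytes actually present is
 * caught by the per-element length check instead of reading past msg. */
int check_truncated_reply_rejected(void)
{
    uint8_t msg[64];
    uint32_t out[8];
    size_t n = 0;
    size_t len = build_reply(msg, sizeof msg, 6, 0);
    return xdr_decode_u32_array(msg, len - 8, 64, out, 8, &n) == -1;
}

int main(void)
{
    printf("expected reply accepted:  %d\n", check_expected_reply_accepted());
    printf("overlong reply rejected:  %d\n", check_overlong_reply_rejected());
    printf("truncated reply rejected: %d\n", check_truncated_reply_rejected());
    return 0;
}
```

The point of passing `out_cap` separately is that the interface bound and
the allocation size are different numbers whenever a client allocates for
the reply it expects rather than for the largest reply the interface
allows; the decoder must be checked against the smaller of the two.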

IMPACT
======

By forging responses from an existing fileserver, or by getting a user to
visit a fileserver under their control, an attacker may overflow the heap
buffer of a client machine. This buffer resides in kernel memory. A
remote user can use this overflow to crash the client under attack, and
may be able to execute arbitrary code within a client's kernel.

At the time of writing, no publicly available exploits are known.

AFFECTED SOFTWARE
=================

All releases of OpenAFS up to (and including) 1.4.8
All releases of OpenAFS 1.5.0 to 1.5.58

Only the Unix client, excluding Mac OS 10.3 and 10.4, is affected.

FIXES
=====

The OpenAFS project recommends that administrators with Unix clients
upgrade to OpenAFS version 1.4.9 or newer, or, as appropriate for people
testing features in the OpenAFS 1.5 series, OpenAFS version 1.5.59 or
newer. Only Unix clients need to be upgraded to address the issue in this
advisory.

For those sites unable, or unwilling, to upgrade, a patch which resolves
this issue is available as
     STABLE14-avoid-buffer-overflow-on-rx-fixed-size-array-return-20090402
in the OpenAFS delta system, or directly from
     http://www.openafs.org/security/openafs-sa-2009-001.patch
The corresponding PGP signature is available from
     http://www.openafs.org/security/openafs-sa-2009-001.sig

Note that this patch is against 1.4.8, although it may apply to earlier
releases, and to other branches.

The latest stable OpenAFS release is always available from
http://www.openafs.org/release/latest.html

This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:

     http://www.openafs.org/security/

The main OpenAFS web page is at:

     http://www.openafs.org/


ACKNOWLEDGEMENTS
================

This issue was identified by Simon Wilkinson, with assistance from
Derrick Brashear and Jeffrey Altman.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFJ2oH+qWndc26pXmcRAga0AKCVMLJoV7YKI3tYUONLYIj9o2BsdgCg1k6f
tDiBvB5eVMaCn+BWbF7v4fU=
=KE+j
-----END PGP SIGNATURE-----