[OpenAFS-announce] OpenAFS Security Advisory 2011-001

Derrick J Brashear openafs-info@openafs.org
Wed, 23 Feb 2011 12:25:26 -0500 (EST) 

A signed version of this advisory is not yet available due to factors 
beyond our control. When possible a signature from the OpenAFS security 
officer will be added and the advisory replaced on the OpenAFS web site.

Topic: Denial of service attack against Rx server processes
        CVE-2011-0430

Issued:		23-Feb-2011
Last Update:    23-Feb-2011
Affected:	OpenAFS servers
 		running versions 1.2.8 thru 1.4.12.1 & 1.5.0 thru 1.5.74

An attacker with the ability to connect to an Rx server can trigger a double
free, crashing the server. Clients are not affected.

SUMMARY
=======

AFS uses Heimdal Kerberos 5 libraries to support authentication tokens
including a limited subset of a Kerberos 5 ticket. Due to a bug in Heimdal
which could cause a double-free to occur in some circumstances, it is possible
to crash an Rx server which verifies tokens meeting certain criteria thus
triggering this bug, leading to a denial of service. Kerberos 5 is not
required to be configured for this defect to be exploitable.

As AFS clients do not provide an encrypted callback channel, no client
software is affected; Issues are present only in AFS servers.

IMPACT
======

By sending authenticated Rx traffic using a constructed bad ticket,
it is possible to crash an Rx server running the affected code.

No publicly available exploits are currently known.

AFFECTED SOFTWARE
=================

All releases of OpenAFS 1.2.8 to (and including) 1.4.12.1
All releases of OpenAFS 1.5.0 to 1.5.74

Contrary to the erroneous CVE, 1.4.14 is NOT affected.

FIXES
=====

The OpenAFS project recommends that administrators upgrade to OpenAFS version
1.4.14 or newer, or as appropriate for people testing features in the OpenAFS
1.5 series, OpenAFS version 1.5.75 or newer.

For those sites unable, or unwilling, to upgrade a patch which resolves this
issue is available directly from
     http://www.openafs.org/security/rxkad-asn1-null-free.patch
The corresponding PGP signature is available from
     http://www.openafs.org/security/rxkad-asn1-null-free.sig

Note that this patch is against 1.4.12, although it may apply to earlier 
releases. Patches for 1.5 and HEAD are available in git, as commit
582878a75858a341f674f833609f08b6d3bf839a for the OpenAFS 1.5 series.

The latest stable OpenAFS release is always available from 
http://www.openafs.org/release/latest.html

This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:

     http://www.openafs.org/security/

The main OpenAFS web page is at:

     http://www.openafs.org/


ACKNOWLEDGEMENTS
================

This issue was identified by Andrew Deason. The final version of the
patch that is being distributed in OpenAFS releases is from Heimdal.