[OpenAFS-announce] OpenAFS Security Advisory 2013-0004
Simon Wilkinson
openafs-info@openafs.org
Wed, 24 Jul 2013 15:05:53 +0100
OpenAFS Security Advisory 2013-0004
Topic: vos -encrypt doesn't encrypt connection data
CVE-2013-4135
Issued:
Last Updated:
Affected: All OpenAFS clients
The -encrypt option to the 'vos' volume management command should cause
it to encrypt all data between client and server. However, in versions of
OpenAFS later than 1.6.0, it has no effect, and data is transmitted with
integrity protection only. In all versions of OpenAFS, vos -encrypt has
no effect when combined with the -localauth option.
IMPACT
======
Information which should be encrypted on the wire is only integrity
protected. An attacker may read RPCs initiated by the 'vos' command
which the administrator expected to remain private.
AFFECTED SOFTWARE
=================
All current releases of OpenAFS.
FIXES
=====
The OpenAFS project recommends that administrators upgrade to OpenAFS 1.6.5
or later. For those sites unable, or unwilling, to upgrade to the 1.6 series,
a final release in the 1.4 series, 1.4.15, is provided.
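The following is an added example, not part of the advisory or of the OpenAFS code base. It turns the version conditions stated above into a check an administrator can run against the version string of an installed client: whether the release is one of the fixed ones (1.6.5 or later, or 1.4.15 in the 1.4 series) and whether, for an unfixed release, a given vos invocation would silently fall back to integrity-only protection. The function names, the handling of pre-release suffixes, and the assumption that the fixed releases restore -encrypt in both the plain and the -localauth case are this example's own, not statements from the advisory.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory (fourth component ranks pre-releases
# below the final release, see parse_version).
FIXED_1_6 = (1, 6, 5, 0)
FIXED_1_4 = (1, 4, 15, 0)
# Per the advisory, releases later than 1.6.0 are affected even without -localauth.
LAST_GOOD_1_6 = (1, 6, 0, 0)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.6.5' or '1.6.5pre1' into a comparable tuple.

    Missing components count as 0; any trailing suffix (e.g. 'pre1') is a
    pre-release and ranks below the corresponding final release (-1 < 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenAFS version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), -1 if suffix else 0)


def is_fixed_release(version: str) -> bool:
    """True if the release is 1.6.5 or later, or 1.4.15 or later in the 1.4 series."""
    v = parse_version(version)
    if v[:2] == (1, 4):
        return v >= FIXED_1_4
    return v >= FIXED_1_6


def advisory_applies(version: str, localauth: bool = False) -> bool:
    """True when 'vos -encrypt' on this release would leave the connection
    integrity-protected only, as described in the advisory.

    Assumption (not stated on the page): the fixed releases restore -encrypt
    both with and without -localauth.
    """
    if is_fixed_release(version):
        return False
    if localauth:
        # All unfixed versions: -encrypt has no effect together with -localauth.
        return True
    # Without -localauth, only releases later than 1.6.0 are affected.
    return parse_version(version) > LAST_GOOD_1_6


if __name__ == "__main__":
    # Constructed sample inputs; on a real host the string would come from
    # the installed package's version.
    for ver, la in [("1.6.4", False), ("1.6.0", True), ("1.6.5", True), ("1.4.15", False)]:
        state = "affected" if advisory_applies(ver, la) else "not affected"
        print(f"OpenAFS {ver} (localauth={la}): {state}")
```

Feeding the check a version string such as "1.6.4" reports the client as affected, while "1.6.0" is reported as affected only when -localauth is in use; the comparison is string-free, so "1.6.10" correctly ranks above "1.6.5".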
ACKNOWLEDGMENTS
===============
This issue was identified independently by Chaskiel M Grundman and Michael
Meffie. Patches were provided by Michael Meffie.