[OpenAFS-announce] OpenAFS Security Advisory 2014-0001

Simon Wilkinson openafs-info@openafs.org
Wed, 9 Apr 2014 13:09:14 +0100 

Topic: Denial of service attack against OpenAFS fileserver processes
      CVE-2014-0159

Issued:		14-April-2014
Last Update:    14-April-2014
Affected:	OpenAFS file servers
		running versions 1.4.8 thru 1.6.6

An attacker with the ability to connect to an OpenAFS fileserver can
trigger a buffer overflow, crashing the server.

Clients are not affected.

SUMMARY
=======

The GetStatistics64 remote procedure call (RPC) was introduced in
OpenAFS 1.4.8 as part of the support for fileserver partitions larger
than 2 TiB. The GetStatistics64 RPC is used by remote administrative
programs to retrieve statistical information about fileservers. The
GetStatistics64 RPC requests do not require authentication.

A bug has been discovered in the GetStatistics64 RPC which can trigger a
fileserver crash.  The version argument of the GetStatistics64 RPC is
used to determine how much memory is allocated for the RPC reply.
However the range of this argument is not validated, allowing an
attacker to cause insufficient memory to be allocated for the
statistical information reply buffer.


IMPACT
======

By sending an unauthenticated request for fileserver statistical
information, it is possible to crash a file server running the
affected code.

No publicly available exploits are currently known.


AFFECTED SOFTWARE
=================

All releases of OpenAFS 1.4.8 to (and including) 1.6.6


FIXES
=====

The OpenAFS project recommends that administrators upgrade to OpenAFS version
1.6.7 or newer.

For those sites unable, or unwilling, to upgrade a patch which resolves this
issue is available directly from:

  http://www.openafs.org/security/openafs-sa-2014-001.patch

Note that this patch is against 1.6.6.

The latest stable OpenAFS release is always available from
http://www.openafs.org/release/latest.html

This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:

  http://www.openafs.org/security/

The main OpenAFS web page is at:

  http://www.openafs.org/


ACKNOWLEDGEMENTS
================

This issue was identified by Michael Meffie.