[OpenAFS] OpenAFS Security Releases 1.8.2, 1.6.23 available --> butc & backup security update question

Thomas Otto thomas.otto@uni-jena.de
Thu, 18 Oct 2018 11:39:31 +0200


Hello,

my backup via butc is broken and I am not able to get an actual butc binary
for Solaris 10 sparc (sun4x_510).
The last binary to download is 1.6.10 and my tries to compile the source of 1.6.23
all fail or the result isn't valid (core dumps) :(

Is there anyone who can send me the 1.6.23 butc binary for Solaris 10 on sparc?


My binary is significantly smaller than the others
-rwxr-xr-x   1 root     root      987288 Oct 17 13:28 butc-1.6.23
-rwxr-xr-x   1 root     root     2819684 Oct 15  2014 butc-1.6.10
-rwxr-xr-x   1 root     root     2808324 Apr 10  2014 butc-1.6.7

And core dumps ...

bash-3.2# /usr/afs/backup/butc -port 0 -debuglevel 2 -localauth
Will dump to a file
Tape mount callout routine is /usr/afs/backup/mount-afs-backup-file.sh
Warning: Unrecognized configuration parameter: UMOUNT /usr/afs/backup/mount-afs-backup-file.sh
Operator queries are disabled
Segmentation Fault (core dumped)


Best regards

Thomas Otto


On 9/13/18 8:37 PM, Jeffrey Altman wrote:
> It is unfortunate that the announcement e-mail included neither a URL to
> the https://www.openafs.org/security/ page nor a link to the individual
> security advisory text files:
>
>   https://www.openafs.org/pages/security/OPENAFS-SA-2018-001.txt
>   https://www.openafs.org/pages/security/OPENAFS-SA-2018-002.txt
>   https://www.openafs.org/pages/security/OPENAFS-SA-2018-003.txt
>
> In the case of OPENAFS-SA-2018-001.txt, both 'butc' and 'backup' (or
> 'afsbackup' as it is installed on some systems) must be at least:
>
>  * AuriStorFS v0.175
>  * OpenAFS 1.8.2
>  * OpenAFS 1.6.23
>
> The version of the vlserver, buserver and volserver does not matter.
> Those services already supported authenticated and potentially encrypted
> connections.
>
> The underlying cause of the incompatibility is that the 'butc' service
> would only accept unauthenticated (rxnull) connections and therefore the
> 'backup' command could only create unauthenticated (rxnull) connections
> even if the 'backup' command was executed with -localauth.
>
> As of the releases above, the 'butc' service (by default) will not only
> accept authenticated connections but will require that the authenticated
> identity be a super-user as reported by the butc host's "bos listusers"
> command.
>
> There is no incompatibility with vlserver, buserver and volserver
> because those services already accepted authenticated connections and
> required that authenticated identities be super-users in order to
> create, read, modify, or delete sensitive information.
>
> The privilege escalation is due to 'butc' accepting unauthenticated
> requests and executing them using a super-user identity when contacting
> the vlserver, buserver, and volserver.
>
> I cannot stress enough how important it is for sites that are running
> the AFS backup suite to immediately:
>
>  . upgrade all instances of 'butc' and 'backup'.
>
>  . firewall the 'butc' ports from all machines except those from
>    which 'backup' is expected to be issued from.  The butc port is
>    (7021 + butc port offset)/udp.  The default offset is 0.
>
> Otherwise, an anonymous attacker can read, alter or destroy the content
> of any volume in the cell as well as any backups that do not require
> manual intervention by a system administrator to gain access to.
>
> AuriStor coordinated the release of these changes with the OpenAFS
> Security officer(s) because this privilege escalation is not only
> remotely exploitable but compromises the security and integrity of all
> data stored within an AFS cell that operates a Backup Tape Controller
> (butc) instance.
>
> The AuriStorFS v0.175 release extends the AuriStorFS security model to
> backup with the use of AES256-CTS-HMAC-SHA1-96 wire encryption for all
> volume data communications and the use of volume security policies to
> ensure that volumes cannot be restored to a fileserver with an
> incompatible security policy.
>
> Jeffrey Altman
> AuriStor, Inc.
>
>
> On 9/13/2018 3:12 AM, Giovanni Bracco wrote:
>> Hello everybody!
>>
>> I have read about the butc & backup security update.
>>
>> We run daily the AFS backup and I would like to understand if I need
>> just to update the backup server with the new butc/backup modules or I
>> need also to update all our file servers in order to match the new
>> security improvements connected to backup.
>>
>> Giovanni
>>
>> On 11/09/2018 21:04, Benjamin Kaduk wrote:
>>>
>>> OPENAFS-SA-2018-001 only affects deployments that run the 'butc' utility
>>> as part of the in-tree backup system, but is of high severity for
>>> those sites which are affected -- an anonymous attacker could replace
>>> entire volumes with attacker-controlled contents.
>>>
>>> The changes to fix OPENAFS-SA-2018-001 require behavior change in both
>>> butc(8) and backup(8) to use authenticated connections; old and new
>>> versions of these utilities will not interoperate absent specific
>>> configuration of the new tool to use the old (insecure) behavior.
>>> These changes also are expected to cause backup(8)'s interactive mode
>>> to be limited to only butc connections requiring (or not requiring)
>>> authentication within a given interactive session, based on the initial
>>> arguments selected.
>>>
>>> Bug reports should be filed to openafs-bugs@openafs.org.
>>>
>>> Benjamin Kaduk
>>> for the OpenAFS Guardians
>>>
>>
>
>


--
Thomas Otto, Dipl.-Inf.
Friedrich-Schiller-Universität Jena
Rechenzentrum
Am Johannisfriedhof 2
D-07743 Jena
Tel.: 03641/9-40530
Fax.: 03641/9-40630
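
The two mitigations named in the quoted advisory text (minimum fixed releases, and firewalling (7021 + butc port offset)/udp), as an added example that is not part of the original message or of OpenAFS. The function names, the iptables syntax (which assumes a Linux butc host) and the 192.0.2.x backup hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Host addresses are constructed
# (RFC 5737 documentation range); iptables syntax assumes a Linux butc host.

BUTC_BASE_PORT=7021   # from the quoted advisory text: (7021 + port offset)/udp

# butc_port OFFSET -> prints the UDP port for that butc port offset
butc_port() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid port offset: $1" >&2; return 1 ;;
    esac
    echo $((BUTC_BASE_PORT + $1))
}

# butc_rules "OFFSETS" "BACKUP_HOSTS" -> prints rules, does not apply them.
# Allowed hosts are accepted first, then everything else is dropped.
butc_rules() {
    for off in $1; do
        port=$(butc_port "$off") || return 1
        for host in $2; do
            echo "iptables -A INPUT -p udp -s $host --dport $port -j ACCEPT"
        done
        echo "iptables -A INPUT -p udp --dport $port -j DROP"
    done
}

# fixed_release X.Y.Z -> 0 if at or above the fixed OpenAFS release of its
# series (1.6.23 or 1.8.2), 1 if below, 2 if unparsable or another series.
fixed_release() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    for part in "$major" "$minor" "$patch"; do
        case "$part" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 1 ] || return 2
    case "$minor" in
        6) [ "$patch" -ge 23 ] ;;
        8) [ "$patch" -ge 2 ] ;;
        *) return 2 ;;
    esac
}

butc_rules "0 1" "192.0.2.10 192.0.2.11"
for v in 1.6.7 1.6.10 1.6.23 1.8.2; do
    if fixed_release "$v"; then echo "$v: fixed"; else echo "$v: upgrade"; fi
done
```

The rules are only printed so they can be reviewed before being applied; the per-port DROP must stay after the ACCEPT lines for the hosts that issue 'backup'.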

