| Summary: | openafs new security issue CVE-2017-17432 (fixed in 1.6.22) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Thomas Backlund <tmb> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | openafs | CVE: | |
| Status comment: | |||
|
Description
Thomas Backlund
2017-12-16 11:41:43 CET
Debian has issued an advisory on December 17: https://www.debian.org/security/2017/dsa-4067 It was discovered that malformed jumbogram packets could result in denial of service against OpenAFS (CVE-2017-17432). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17432 https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt https://dl.openafs.org/dl/1.6.21/RELNOTES-1.6.21 https://dl.openafs.org/dl/1.6.22/RELNOTES-1.6.22 Mageia 5 is also affected. Component:
RPM Packages =>
Security
advisory, added to svn:
type: security
subject: Updated openafs packages fixes security vulnerability
CVE:
- CVE-2017-17432
src:
6:
core:
- openafs-1.6.22-1.mga6
description: |
This update provides an update to openafs 1.6.22, fixing the following
security issue:
It was discovered that malformed jumbogram packets could result in denial
of service against OpenAFS (CVE-2017-17432).
It also adds support for 4.14 series kernels.
references:
- https://bugs.mageia.org/show_bug.cgi?id=22209
- https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt
- https://dl.openafs.org/dl/1.6.21/RELNOTES-1.6.21
- https://dl.openafs.org/dl/1.6.22/RELNOTES-1.6.22Keywords:
(none) =>
advisory MGA6-32 on Dell Latitude D600 MATE
No installation issues.
This laptop has no space to install a real file system, so I tried some commands
# afsio help
afsio: Commands are:
append append to a file in AFS
apropos search by help text
fidappend append to a file in AFS
fidlock lock by FID a file from AFS
fidread read on a non AFS-client a file from AFS
fidunlock unlock by FID a file from AFS
fidwrite write a file into AFS
help get help on commands
lock lock a file in AFS
read read a file from AFS
unlock unlock a file in AFS
version show version
write write a file into AFS
# cmdebug -help
Usage: cmdebug -servers <server machine> [-port <IP port>] [-long] [-refcounts] [-callbacks] [-ctime] [-addrs] [-cache] [-cellservdb] [-help]
Where: -long print all info
-refcounts print only cache entries with positive reference counts
-callbacks print only cache entries with callbacks
-ctime print human readable expiration time
-addrs print only host interfaces
-cache print only cache configuration
-cellservdb print only cellservdb info
# systemctl -l start openafs-server
# systemctl -l status openafs-server
● openafs-server.service - OpenAFS Server Service
Loaded: loaded (/usr/lib/systemd/system/openafs-server.service; enabled; vendor preset: enabled)
Active: active (running) since wo 2017-12-27 15:22:29 CET; 3s ago
Main PID: 20723 (bosserver)
CGroup: /system.slice/openafs-server.service
└─20723 /usr/sbin/bosserver -nofork
dec 27 15:22:29 mach6.hviaene.thuis systemd[1]: Started OpenAFS Server Service.
# systemctl start openafs-client
Job for openafs-client.service failed because the control process exited with error code.
See "systemctl status openafs-client.service" and "journalctl -xe" for details.
[root@mach6 ~]# systemctl -l status openafs-client
● openafs-client.service - OpenAFS Client Service
Loaded: loaded (/usr/lib/systemd/system/openafs-client.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since wo 2017-12-27 16:01:31 CET; 8s ago
Process: 23909 ExecStartPre=/sbin/modprobe libafs (code=exited, status=1/FAILURE)
Process: 23904 ExecStartPre=/bin/chmod 0644 /etc/openafs/CellServDB (code=exited, status=0/SUCCESS)
Process: 23903 ExecStartPre=/bin/sed -n w/etc/openafs/CellServDB /etc/openafs/CellServDB.local /etc/openafs/CellServ
dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: Starting OpenAFS Client Service...
dec 27 16:01:31 mach6.hviaene.thuis modprobe[23909]: modprobe: FATAL: Module libafs not found in directory /lib/module
dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: openafs-client.service: Control process exited, code=exited status=1
dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: Failed to start OpenAFS Client Service.
dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: openafs-client.service: Unit entered failed state.
dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: openafs-client.service: Failed with result 'exit-code'.
I don't understand this "module not found" unless that one is in the devel packages???CC:
(none) =>
herman.viaene
David Walser
2018-01-03 22:36:51 CET
Severity:
normal =>
major Having a look at this for x86_64. I had created an AFS filesystem ages ago but need to go back to the beginning and study the OpenAFS User Guide http://docs.openafs.org/UserGuide/. Herman's report will be valuable. CC:
(none) =>
tarazed25 Mageia 6 :: x86_64
Installed the updates as listed. Noted that the mount point /afs was created automatically.
The manual states that both client and server can operate on the same machine so I started both services:
# systemctl enable openafs-server.service
# systemctl start openafs-server.service
# systemctl enable openafs-client.service
# systemctl start openafs-client.service
Both running OK.
$ ls /afs
acm-csuf.org/ laroia.net/
acm.jhu.edu/ lcp.nrl.navy.mil/
.....................................
Tried to write a file to /afs but foundered badly.
# afsio help write
afsio write: write a file into AFS
Usage: afsio write -file <AFS-filename> [-cell <cellname>] [-verbose] [-md5] [-force] [-synthesize <create data pattern of specified length instead reading from stdin>] [-realm <REALMNAME>] [-help]
Where: -md5 calculate md5 checksum
-force overwrite existing file
$ afsio write -file /afs/rendir.rb
Segmentation fault (core dumped)
$ cp rendir.rb /afs
cp: cannot create regular file '/afs/rendir.rb': Read-only file system
The manual states:
Note: You can use AFS commands only on files in the AFS filespace or the local directories that are links to the AFS filespace.
So the question is, how do you place files in the AFS filespace? This will take some time to figure out.
<quote>
Under the /afs root directory are subdirectories created by your system administrator, including your home directory.
</quote>
The existing subdirectories are all links to participating sites which would imply that there needs to be something similar for this site, but what? The 'readonly' implies that some system service function needs to be employed to extend this list.
Baffled.
Found some old reports on this machine which give something to follow. No apologies for all the details. This is a big subject and I can only scratch the surface. $ uname -r 4.14.10-1.mga6 $ cd /etc/openafs $ ll -rw-r--r-- 1 root root 10 Jan 5 12:03 bosserver.rxbind -rw-r--r-- 1 root root 31 Dec 16 02:01 cacheinfo -rw-r--r-- 1 root root 37197 Jan 5 12:36 CellServDB -rw-r--r-- 1 root root 37197 Dec 16 02:01 CellServDB.dist -rw-r--r-- 1 root root 0 Jan 5 11:46 CellServDB.local drwxr-xr-x 2 root root 4096 Jan 5 12:03 server/ -rw-r--r-- 1 root root 12 Dec 16 02:01 ThisCell Port 7001 is mentioned so made sure that 7001/udp was opened via Shorewall. This indicates that the database has been backed up. Let's do it explicitly: $ su # wget http://dl.central.org/dl/cellservdb/CellServDB --2018-01-05 16:47:20-- http://dl.central.org/dl/cellservdb/CellServDB Resolving dl.central.org... 128.2.13.212 Connecting to dl.central.org|128.2.13.212|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 37197 (36K) Saving to: ‘CellServDB.1’ CellServDB.1 100%[===================>] 36.33K --.-KB/s in 0.1s 2018-01-05 16:47:21 (281 KB/s) - ‘CellServDB.1’ saved [37197/37197] # echo grand.central.org > /etc/openafs/ThisCell # df /var/cache/openafs Filesystem Size Used Avail Use% Mounted on /dev/sda16 34G 15G 18G 47% / # df -h | grep -i afs AFS 2.0T 0 2.0T 0% /afs # df -h | grep sda16 /dev/sda16 34G 15G 18G 47% / Allocated 50% of available space to the cache: # echo "/afs:/var/cache/openafs:9437184" > /etc/openafs/cacheinfo Configured OpenAFS manager: # sed < ${f} -e s/^AFSD_ARGS=/#AFSD_ARGS=/ -e s/^$/AFSD_ARGS="-dynroot -fakestat -afsdb -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime"/ > ${f}+ # mv -f ${f} /tmp/ && mv ${f}+ ${f} # lsmod | grep libafs libafs 888832 2 # systemctl restart openafs-client.service Checked status and all was OK. # cat cacheinfo /afs:/var/cache/openafs:9437184 # tail CellServDB 155.198.63.148 #icafs2.cc.ic.ac.uk 155.198.63.149 #icafs1.cc.ic.ac.uk >hep.man.ac.uk #Manchester HEP 194.36.2.3 #afs1.hep.man.ac.uk 194.36.2.4 #afs2.hep.man.ac.uk 194.36.2.5 #afs3.hep.man.ac.uk >tlabs.ac.za #iThemba LABS Cell 196.24.232.1 #afs01.tlabs.ac.za 196.24.232.2 #afs02.tlabs.ac.za 196.24.232.3 #afs03.tlabs.ac.za This is about as far as I can go with this update. The system is up and ready for use, but that is another chapter. Giving this a tentative OK.
Len Lawrence
2018-01-05 18:23:40 CET
Whiteboard:
(none) =>
MGA6-64-OK Thanks Len, Validating the update. Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0065.html Resolution:
(none) =>
FIXED |