Bug 10528 - nfs-utils new security issue CVE-2013-1923
: nfs-utils new security issue CVE-2013-1923
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/554421/
: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-06-14 18:04 CEST by David Walser
Modified: 2014-05-08 18:07 CEST (History)
4 users (show)

See Also:
Source RPM: nfs-utils-1.2.7-3.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-06-14 18:04:18 CEST
OpenSuSE has issued an advisory today (June 14):
http://lists.opensuse.org/opensuse-updates/2013-06/msg00146.html

According to RedHat, this was fixed upstream in 1.2.8 (so Cauldron's OK).
The RedHat bug has a link to the upstream commit to fix this:
https://bugzilla.redhat.com/show_bug.cgi?id=948072

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-06-15 10:51:59 CEST
fixed packages has been submitted.
Comment 2 David Walser 2013-06-15 18:01:02 CEST
Thanks Oden!

Advisory:
========================

Updated nfs-utils packages fix security vulnerability:

It was reported that rpc.gssd in nfs-utils is vulnerable to DNS spoofing due
to it depending on PTR resolution for GSSAPI authentication. Because of this,
if a user where able to poison DNS to a victim's computer, they would be able
to trick rpc.gssd into talking to another server (perhaps with less security)
than the intended server (with stricter security). If the victim has write
access to the second (less secure) server, and the attacker has read access
(when they normally might not on the secure server), the victim could write
files to that server, which the attacker could obtain (when normally they
would not be able to). To the victim this is transparent because the victim's
computer asks the KDC for a ticket to the second server due to reverse DNS
resolution; in this case Krb5 authentication does not fail because the victim
is talking to the "correct" server (CVE-2013-1923).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1923
http://lists.opensuse.org/opensuse-updates/2013-06/msg00146.html
========================

Updated packages in core/updates_testing:
========================
nfs-utils-1.2.5-1.1.mga2
nfs-utils-clients-1.2.5-1.1.mga2
nfs-utils-1.2.7-3.1.mga3

from SRPMS:
nfs-utils-1.2.5-1.1.mga2.src.rpm
nfs-utils-1.2.7-3.1.mga3.src.rpm
Comment 3 David Walser 2013-06-15 19:23:17 CEST
Oden, the following note came from Thierry Vignaud on the dev ml:

BTW, speaking security, this upstream tarball contains pre-compiled .o
objects...
Idem for cauldron's 1.2.8
This upstream sucks...
Comment 4 Dave Hodgins 2013-06-17 02:31:42 CEST
No poc, so just testing that it works, using mcc to create and access shares.

Testing complete on Mageia 2 and 3, i586, and x86_64.
For each one, setup a share, and mounted the shares from the other three.

Could someone from the sysadmin team push the srpm
nfs-utils-1.2.7-3.1.mga3.src.rpm
from Mageia 3 Core Updates Testing to Core Updates and the srpm
nfs-utils-1.2.5-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated nfs-utils packages fix security vulnerability:

It was reported that rpc.gssd in nfs-utils is vulnerable to DNS spoofing due
to it depending on PTR resolution for GSSAPI authentication. Because of this,
if a user where able to poison DNS to a victim's computer, they would be able
to trick rpc.gssd into talking to another server (perhaps with less security)
than the intended server (with stricter security). If the victim has write
access to the second (less secure) server, and the attacker has read access
(when they normally might not on the secure server), the victim could write
files to that server, which the attacker could obtain (when normally they
would not be able to). To the victim this is transparent because the victim's
computer asks the KDC for a ticket to the second server due to reverse DNS
resolution; in this case Krb5 authentication does not fail because the victim
is talking to the "correct" server (CVE-2013-1923).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1923
http://lists.opensuse.org/opensuse-updates/2013-06/msg00146.html

https://bugs.mageia.org/show_bug.cgi?id=10528
Comment 5 Oden Eriksson 2013-06-17 10:20:00 CEST
Yes I saw this too, but just tested to build 1.2.8 on mga3 and all objects and binaries are recompiled and overwritten.

However it could be nice with some checks for these things in the bs.

In this case the maintainer or the person bumping 1.2.7 -> 1.2.8 should had noticed that the tar ball was much larger.
Comment 6 Dave Hodgins 2013-06-19 03:03:10 CEST
Advisory ready to push.
Comment 7 Nicolas Vigier 2013-06-19 12:40:20 CEST
http://advisories.mageia.org/MGASA-2013-0178.html

Note You need to log in before you can comment on or make changes to this bug.