Bug 22209 - openafs new security issue CVE-2017-17432 (fixed in 1.6.22)
Summary: openafs new security issue CVE-2017-17432 (fixed in 1.6.22)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-12-16 11:41 CET by Thomas Backlund
Modified: 2018-01-06 11:15 CET

See Also:
Source RPM: openafs
CVE:
Status comment:


Description Thomas Backlund 2017-12-16 11:41:43 CET
Advisory:

This update provides an update to openafs 1.6.22 and adds support for 4.14 series kernels.


SRPMS:
openafs-1.6.22-1.mga6.src.rpm


i586:
dkms-libafs-1.6.22-1.mga6.noarch.rpm
libopenafs1-1.6.22-1.mga6.i586.rpm
libopenafs-devel-1.6.22-1.mga6.i586.rpm
libopenafs-static-devel-1.6.22-1.mga6.i586.rpm
openafs-1.6.22-1.mga6.i586.rpm
openafs-client-1.6.22-1.mga6.i586.rpm
openafs-doc-1.6.22-1.mga6.noarch.rpm
openafs-server-1.6.22-1.mga6.i586.rpm


x86_64:
dkms-libafs-1.6.22-1.mga6.noarch.rpm
lib64openafs1-1.6.22-1.mga6.x86_64.rpm
lib64openafs-devel-1.6.22-1.mga6.x86_64.rpm
lib64openafs-static-devel-1.6.22-1.mga6.x86_64.rpm
openafs-1.6.22-1.mga6.x86_64.rpm
openafs-client-1.6.22-1.mga6.x86_64.rpm
openafs-doc-1.6.22-1.mga6.noarch.rpm
openafs-server-1.6.22-1.mga6.x86_64.rpm
Comment 1 David Walser 2017-12-18 14:50:44 CET
Debian has issued an advisory on December 17:
https://www.debian.org/security/2017/dsa-4067

It was discovered that malformed jumbogram packets could result in denial of
service against OpenAFS (CVE-2017-17432).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17432
https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt
https://dl.openafs.org/dl/1.6.21/RELNOTES-1.6.21
https://dl.openafs.org/dl/1.6.22/RELNOTES-1.6.22

Mageia 5 is also affected.

Component: RPM Packages => Security
QA Contact: (none) => security
Summary: 'update request: openafs 1.6.22 => openafs new security issue CVE-2017-17432 (fixed in 1.6.22)

Comment 2 Thomas Backlund 2017-12-22 14:44:01 CET
advisory, added to svn:

type: security
subject: Updated openafs packages fixes security vulnerability
CVE:
 - CVE-2017-17432
src:
  6:
   core:
     - openafs-1.6.22-1.mga6
description: |
  This update provides an update to openafs 1.6.22, fixing the following
  security issue:

  It was discovered that malformed jumbogram packets could result in denial
  of service against OpenAFS (CVE-2017-17432).

  It also adds support for 4.14 series kernels.

references:
 - https://bugs.mageia.org/show_bug.cgi?id=22209
 - https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt
 - https://dl.openafs.org/dl/1.6.21/RELNOTES-1.6.21
 - https://dl.openafs.org/dl/1.6.22/RELNOTES-1.6.22

Keywords: (none) => advisory

Comment 3 Herman Viaene 2017-12-27 16:23:21 CET
MGA6-32 on Dell Latitude D600 MATE
No installation issues.
This laptop has no space to install a real file system, so I tried some commands
# afsio help
afsio: Commands are:
append          append to a file in AFS
apropos         search by help text
fidappend       append to a file in AFS
fidlock         lock by FID a file from AFS
fidread         read on a non AFS-client a file from AFS
fidunlock       unlock by FID a file from AFS
fidwrite        write a file into AFS
help            get help on commands
lock            lock a file in AFS
read            read a file from AFS
unlock          unlock a file in AFS
version         show version
write           write a file into AFS
# cmdebug -help
Usage: cmdebug -servers <server machine> [-port <IP port>] [-long] [-refcounts] [-callbacks] [-ctime] [-addrs] [-cache] [-cellservdb] [-help]
Where: -long        print all info
       -refcounts   print only cache entries with positive reference counts
       -callbacks   print only cache entries with callbacks
       -ctime       print human readable expiration time
       -addrs       print only host interfaces
       -cache       print only cache configuration
       -cellservdb  print only cellservdb info
# systemctl -l start openafs-server
# systemctl -l status openafs-server
● openafs-server.service - OpenAFS Server Service
   Loaded: loaded (/usr/lib/systemd/system/openafs-server.service; enabled; vendor preset: enabled)
   Active: active (running) since wo 2017-12-27 15:22:29 CET; 3s ago
 Main PID: 20723 (bosserver)
   CGroup: /system.slice/openafs-server.service
           └─20723 /usr/sbin/bosserver -nofork

dec 27 15:22:29 mach6.hviaene.thuis systemd[1]: Started OpenAFS Server Service.
# systemctl start openafs-client
Job for openafs-client.service failed because the control process exited with error code.
See "systemctl status openafs-client.service" and "journalctl -xe" for details.
[root@mach6 ~]# systemctl -l status openafs-client
● openafs-client.service - OpenAFS Client Service
   Loaded: loaded (/usr/lib/systemd/system/openafs-client.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since wo 2017-12-27 16:01:31 CET; 8s ago
  Process: 23909 ExecStartPre=/sbin/modprobe libafs (code=exited, status=1/FAILURE)
  Process: 23904 ExecStartPre=/bin/chmod 0644 /etc/openafs/CellServDB (code=exited, status=0/SUCCESS)
  Process: 23903 ExecStartPre=/bin/sed -n w/etc/openafs/CellServDB /etc/openafs/CellServDB.local /etc/openafs/CellServ

dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: Starting OpenAFS Client Service...
dec 27 16:01:31 mach6.hviaene.thuis modprobe[23909]: modprobe: FATAL: Module libafs not found in directory /lib/module
dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: openafs-client.service: Control process exited, code=exited status=1
dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: Failed to start OpenAFS Client Service.
dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: openafs-client.service: Unit entered failed state.
dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: openafs-client.service: Failed with result 'exit-code'.
I don't understand this "module not found" unless that one is in the devel packages???

CC: (none) => herman.viaene

David Walser 2018-01-03 22:36:51 CET

Severity: normal => major

Comment 4 Len Lawrence 2018-01-05 12:57:13 CET
Having a look at this for x86_64.  I had created an AFS filesystem ages ago but need to go back to the beginning and study the OpenAFS User Guide http://docs.openafs.org/UserGuide/.  Herman's report will be valuable.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-01-05 14:13:47 CET
Mageia 6 :: x86_64

Installed the updates as listed.  Noted that the mount point /afs was created automatically.
The manual states that both client and server can operate on the same machine so I started both services:
# systemctl enable openafs-server.service
# systemctl start openafs-server.service
# systemctl enable openafs-client.service
# systemctl start openafs-client.service

Both running OK.
$ ls /afs
acm-csuf.org/                  laroia.net/
acm.jhu.edu/                   lcp.nrl.navy.mil/
.....................................

Tried to write a file to /afs but foundered badly.
# afsio help write
afsio write: write a file into AFS 
Usage: afsio write -file <AFS-filename> [-cell <cellname>] [-verbose] [-md5] [-force] [-synthesize <create data pattern of specified length instead reading from stdin>] [-realm <REALMNAME>] [-help]
Where: -md5    calculate md5 checksum
       -force  overwrite existing file

$ afsio write -file /afs/rendir.rb
Segmentation fault (core dumped)
$ cp rendir.rb /afs
cp: cannot create regular file '/afs/rendir.rb': Read-only file system

The manual states:
Note: You can use AFS commands only on files in the AFS filespace or the local directories that are links to the AFS filespace.
So the question is, how do you place files in the AFS filespace?  This will take some time to figure out.
<quote>
Under the /afs root directory are subdirectories created by your system administrator, including your home directory.
</quote>
The existing subdirectories are all links to participating sites which would imply that there needs to be something similar for this site, but what?  The 'readonly' implies that some system service function needs to be employed to extend this list.

Baffled.
Comment 6 Len Lawrence 2018-01-05 18:23:14 CET
Found some old reports on this machine which give something to follow.  No apologies for all the details.  This is a big subject and I can only scratch the surface.

$ uname -r
4.14.10-1.mga6
$ cd /etc/openafs
$ ll
-rw-r--r-- 1 root root    10 Jan  5 12:03 bosserver.rxbind
-rw-r--r-- 1 root root    31 Dec 16 02:01 cacheinfo
-rw-r--r-- 1 root root 37197 Jan  5 12:36 CellServDB
-rw-r--r-- 1 root root 37197 Dec 16 02:01 CellServDB.dist
-rw-r--r-- 1 root root     0 Jan  5 11:46 CellServDB.local
drwxr-xr-x 2 root root  4096 Jan  5 12:03 server/
-rw-r--r-- 1 root root    12 Dec 16 02:01 ThisCell

Port 7001 is mentioned so made sure that 7001/udp was opened via Shorewall.
This indicates that the database has been backed up.
Let's do it explicitly:
$ su
# wget http://dl.central.org/dl/cellservdb/CellServDB
--2018-01-05 16:47:20--  http://dl.central.org/dl/cellservdb/CellServDB
Resolving dl.central.org... 128.2.13.212
Connecting to dl.central.org|128.2.13.212|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 37197 (36K)
Saving to: ‘CellServDB.1’

CellServDB.1        100%[===================>]  36.33K  --.-KB/s    in 0.1s    

2018-01-05 16:47:21 (281 KB/s) - ‘CellServDB.1’ saved [37197/37197]
# echo grand.central.org > /etc/openafs/ThisCell
# df /var/cache/openafs
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda16       34G   15G   18G  47% /
# df -h | grep -i afs
AFS                        2.0T     0  2.0T   0% /afs
# df -h | grep sda16
/dev/sda16                  34G   15G   18G  47% /
Allocated 50% of available space to the cache:
# echo "/afs:/var/cache/openafs:9437184" > /etc/openafs/cacheinfo

Configured OpenAFS manager:
# sed < ${f} -e s/^AFSD_ARGS=/#AFSD_ARGS=/ -e s/^$/AFSD_ARGS="-dynroot -fakestat -afsdb -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime"/ > ${f}+
# mv -f ${f} /tmp/ && mv ${f}+ ${f}
# lsmod | grep libafs
libafs                888832  2
# systemctl restart openafs-client.service

Checked status and all was OK.
# cat cacheinfo
/afs:/var/cache/openafs:9437184

# tail CellServDB
155.198.63.148                  #icafs2.cc.ic.ac.uk
155.198.63.149                  #icafs1.cc.ic.ac.uk
>hep.man.ac.uk          #Manchester HEP
194.36.2.3                      #afs1.hep.man.ac.uk
194.36.2.4                      #afs2.hep.man.ac.uk
194.36.2.5                      #afs3.hep.man.ac.uk
>tlabs.ac.za            #iThemba LABS Cell
196.24.232.1                    #afs01.tlabs.ac.za
196.24.232.2                    #afs02.tlabs.ac.za
196.24.232.3                    #afs03.tlabs.ac.za

This is about as far as I can go with this update.  The system is up and ready for use, but that is another chapter.

Giving this a tentative OK.
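As an added sanity check that is not part of this bug report or of OpenAFS itself (a hypothetical helper with constructed sample data), the three files edited in the steps above can be validated before restarting openafs-client: CellServDB is parsed as '>cell' header lines followed by server address lines, cacheinfo as mountpoint:cachedir:blocks, and ThisCell must name a cell that CellServDB defines.

```python
"""Sanity-check OpenAFS client config files before restarting openafs-client.
Constructed example, not OpenAFS or Mageia code: CellServDB has '>cell #comment'
headers followed by 'ip #hostname' lines; cacheinfo is 'mount:cachedir:kib'."""
import ipaddress
# Constructed sample in the format of the report's 'tail CellServDB' output.
SAMPLE_CELLSERVDB = """\
>example.org            #Constructed sample cell
192.0.2.10                      #db1.example.org
>hep.man.ac.uk          #Manchester HEP
194.36.2.3                      #afs1.hep.man.ac.uk
194.36.2.4                      #afs2.hep.man.ac.uk
"""

def parse_cellservdb(text):
    """Return {cell: [server ip, ...]}; non-IP server lines raise ValueError."""
    cells, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # text after '#' is a comment
        if not line:
            continue
        if line.startswith(">"):
            current = line[1:].strip()
            cells[current] = []
        elif current is None:
            raise ValueError(f"line {lineno}: server before any >cell header")
        else:
            cells[current].append(str(ipaddress.ip_address(line)))
    return cells

def parse_cacheinfo(text):
    """Return (mountpoint, cachedir, blocks_kib) from one cacheinfo line."""
    parts = text.strip().split(":")
    if len(parts) != 3 or not parts[2].isdigit():
        raise ValueError("cacheinfo must be mountpoint:cachedir:blocks")
    if not (parts[0].startswith("/") and parts[1].startswith("/")):
        raise ValueError("mountpoint and cache directory must be absolute")
    return parts[0], parts[1], int(parts[2])

def check_client_config(cellservdb_text, thiscell_text, cacheinfo_text, avail_kib):
    """Return a list of problems; empty means the three files agree."""
    problems = []
    cells = parse_cellservdb(cellservdb_text)
    this_cell = thiscell_text.strip()
    if this_cell not in cells:
        problems.append(f"ThisCell '{this_cell}' has no entry in CellServDB")
    _, _, blocks = parse_cacheinfo(cacheinfo_text)
    if blocks > avail_kib:  # avail_kib: the df 'Avail' figure in KiB
        problems.append(f"cache of {blocks} KiB exceeds available {avail_kib} KiB")
    return problems
```

A cell missing from CellServDB is only a warning when afsd runs with -afsdb as in the AFSD_ARGS above, since the client can then locate the cell's database servers through DNS.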
Len Lawrence 2018-01-05 18:23:40 CET

Whiteboard: (none) => MGA6-64-OK

Comment 7 Dave Hodgins 2018-01-06 05:32:26 CET
Thanks Len, Validating the update.

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2018-01-06 11:15:09 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0065.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

