Bug 23663 - openafs new security issues CVE-2018-1694[7-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Reported: 2018-10-10 00:17 CEST by David Walser
Modified: 2019-01-08 22:51 CET

Source RPM: openafs-1.8.0-3.mga7.src.rpm

Description David Walser 2018-10-10 00:17:27 CEST
Upstream has issued advisories on September 11:
https://openafs.org/pages/security/OPENAFS-SA-2018-001.txt
https://openafs.org/pages/security/OPENAFS-SA-2018-002.txt
https://openafs.org/pages/security/OPENAFS-SA-2018-003.txt

The issues are fixed upstream in 1.6.23 and 1.8.2:
http://openafs.org/dl/openafs/1.6.23/RELNOTES-1.6.23
http://openafs.org/dl/openafs/1.8.2/RELNOTES-1.8.2

Debian has issued an advisory for this on September 23:
https://www.debian.org/security/2018/dsa-4302

Mageia 6 is also affected.
David Walser 2018-10-10 00:17:36 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-10 06:24:03 CEST

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

CC: (none) => geiger.david68210, marja11, smelror, tmb
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-01-01 01:13:20 CET
Fixed in openafs-1.8.2-1.mga7 in Cauldron.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2019-01-01 20:33:14 CET
Advisory:
========================

Updated openafs packages fix security vulnerabilities:

Jeffrey Altman reported that the backup tape controller (butc) process does
accept incoming RPCs but does not require (or allow for) authentication of
those RPCs, allowing an unauthenticated attacker to perform volume operations
with administrator credentials (CVE-2018-16947).

Mark Vitale reported that several RPC server routines do not fully initialize
output variables, leaking memory contents (from both the stack and the heap)
to the remote caller for otherwise-successful RPCs (CVE-2018-16948).

Mark Vitale reported that an unauthenticated attacker can consume large
amounts of server memory and network bandwidth via specially crafted requests,
resulting in denial of service to legitimate clients (CVE-2018-16949).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16948
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16949
https://openafs.org/pages/security/OPENAFS-SA-2018-001.txt
https://openafs.org/pages/security/OPENAFS-SA-2018-002.txt
https://openafs.org/pages/security/OPENAFS-SA-2018-003.txt
http://openafs.org/dl/openafs/1.6.23/RELNOTES-1.6.23
https://www.debian.org/security/2018/dsa-4302
========================

Updated packages in core/updates_testing:
========================
openafs-1.6.23-1.mga6
openafs-client-1.6.23-1.mga6
openafs-server-1.6.23-1.mga6
libopenafs1-1.6.23-1.mga6
libopenafs-devel-1.6.23-1.mga6
libopenafs-static-devel-1.6.23-1.mga6
dkms-libafs-1.6.23-1.mga6
openafs-doc-1.6.23-1.mga6

from openafs-1.6.23-1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
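
A way to check a package version against the fixed releases named in this report (1.6.23 and 1.8.2). This is an added example, not part of the bug report or of OpenAFS; the function names are hypothetical, and treating any branch other than 1.6 and 1.8 as "unknown" is an assumption.

```sh
#!/bin/sh
# Added example, not part of the bug report. The two fixed releases
# (1.6.23, 1.8.2) are from the report; function names are hypothetical.

# nvr_version NAME-VERSION-RELEASE: print the VERSION field of an RPM NVR.
nvr_version() {
    v=${1%-*}                   # drop "-RELEASE"
    printf '%s\n' "${v##*-}"    # keep what follows the last remaining "-"
}

# ver_lt A B: succeed if dotted numeric version A sorts strictly before B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0} y=${y:-0}     # a missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                    # equal versions are not "less than"
}

# openafs_status VERSION: print vulnerable, fixed or unknown.
openafs_status() {
    ver=$1
    case $ver in                # accept only digits separated by single dots
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    case $ver in
        1.6|1.6.*) fixed_in=1.6.23 ;;
        1.8|1.8.*) fixed_in=1.8.2 ;;
        *) echo unknown; return 0 ;;   # assumption: other branches not judged
    esac
    if ver_lt "$ver" "$fixed_in"; then echo vulnerable; else echo fixed; fi
}

# NVR strings as they appear in this report.
for nvr in openafs-1.8.0-3.mga7 openafs-1.8.2-1.mga7 openafs-server-1.6.23-1.mga6; do
    printf '%s: %s\n' "$nvr" "$(openafs_status "$(nvr_version "$nvr")")"
done
```

On an installed system the version can be read with rpm -q --qf '%{VERSION}\n' openafs-server instead of parsing an NVR string.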

Comment 4 Herman Viaene 2019-01-07 14:49:54 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 22209 for tests
At CLI:
# afsio help
afsio: Commands are:
append          append to a file in AFS
apropos         search by help text
fidappend       append to a file in AFS
fidlock         lock by FID a file from AFS
fidread         read on a non AFS-client a file from AFS
fidunlock       unlock by FID a file from AFS
etc ....
# cmdebug -help
Usage: cmdebug -servers <server machine> [-port <IP port>] [-long] [-refcounts] [-callbacks] [-ctime] [-addrs] [-cache] [-cellservdb] [-help]
Where: -long        print all info
       -refcounts   print only cache entries with positive reference counts
       -callbacks   print only cache entries with callbacks
       -ctime       print human readable expiration time
       -addrs       print only host interfaces
       -cache       print only cache configuration
       -cellservdb  print only cellservdb info
# systemctl -l start openafs-server
# systemctl -l status openafs-server
● openafs-server.service - OpenAFS Server Service
   Loaded: loaded (/usr/lib/systemd/system/openafs-server.service; enabled; vendor preset: enab
   Active: active (running) since ma 2019-01-07 14:29:57 CET; 22s ago
 Main PID: 17746 (bosserver)
   CGroup: /system.slice/openafs-server.service
           └─17746 /usr/sbin/bosserver -nofork
opened 7100/udp as indicated in bug 22209, and then
# systemctl start openafs-client
# systemctl -l status openafs-client
● openafs-client.service - OpenAFS Client Service
   Loaded: loaded (/usr/lib/systemd/system/openafs-client.service; enabled; vendor preset: enab
   Active: active (running) since ma 2019-01-07 14:32:42 CET; 22s ago
  Process: 18723 ExecStart=/sbin/afsd $AFSD_ARGS (code=exited, status=0/SUCCESS)
  Process: 18719 ExecStartPre=/sbin/modprobe libafs (code=exited, status=0/SUCCESS)
  Process: 18716 ExecStartPre=/bin/chmod 0644 /etc/openafs/CellServDB (code=exited, status=0/SU
  Process: 18713 ExecStartPre=/bin/sed -n w/etc/openafs/CellServDB /etc/openafs/CellServDB.loca
 Main PID: 18729 (afsd)
   CGroup: /system.slice/openafs-client.service
           └─18729 /sbin/afsd -dynroot -fakestat -afsdb

jan 07 14:32:40 mach6.hviaene.thuis systemd[1]: Starting OpenAFS Client Service...
jan 07 14:32:41 mach6.hviaene.thuis afsd[18723]: afsd: All AFS daemons started.
jan 07 14:32:41 mach6.hviaene.thuis afsd[18723]: afsd: All AFS daemons started.
jan 07 14:32:42 mach6.hviaene.thuis systemd[1]: Started OpenAFS Client Service.
# ls /afs
acm-csuf.org/                 hep.man.ac.uk/                 nucleares.unam.mx/
acm.jhu.edu/                  hep.sc.edu/                    numenor.mit.edu/
and a lot more .....
# cd /etc/openafs
# ll
totaal 96
-rw-r--r-- 1 root root    10 jan  7 14:29 bosserver.rxbind
-rw-r--r-- 1 root root    31 jan  1 19:23 cacheinfo
-rw-r--r-- 1 root root 37197 jan  7 14:32 CellServDB
-rw-r--r-- 1 root root 37197 jan  1 19:23 CellServDB.dist
-rw-r--r-- 1 root root     0 jan  7 14:26 CellServDB.local
drwxr-xr-x 2 root root  4096 jan  7 14:29 server/
-rw-r--r-- 1 root root    12 jan  1 19:23 ThisCell

# wget http://dl.central.org/dl/cellservdb/CellServDB
--2019-01-07 14:36:08--  http://dl.central.org/dl/cellservdb/CellServDB
Herleiden van dl.central.org... 128.2.13.212
Verbinding maken met dl.central.org|128.2.13.212|:80... verbonden.
HTTP-verzoek is verzonden; wachten op antwoord... 200 OK
Lengte: 36955 (36K)
Wordt opgeslagen als: ‘CellServDB.1’

CellServDB.1            100%[==============================>]  36,09K  --.-KB/s    in 0,1s    

2019-01-07 14:36:08 (329 KB/s) - '‘CellServDB.1’' opgeslagen [36955/36955]

# echo grand.central.org > /etc/openafs/ThisCell
[root@mach6 openafs]# df /var/cache/openafs
Bestandssysteem Grootte Gebruikt Besch Geb% Aangekoppeld op
/dev/sda1           20G      18G  287M  99% /
[root@mach6 openafs]# df -h | grep -i afs
AFS                               2,0T        0  2,0T   0% /afs
[root@mach6 openafs]# df -h | grep sda16
[root@mach6 openafs]# df -h | grep sda1
/dev/sda1                          20G      18G  287M  99% /

Did not go any further as the file system is really very full, but apparently it works.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 5 Lewis Smith 2019-01-07 18:49:09 CET
Thank you Herman. Advisoried & validating.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2019-01-08 22:51:38 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0021.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

