-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenAFS Security Advisory 2007-001 Topic: setuid (privilege escalation) in OpenAFS Unix based clients Issued: 20-Mar-2007 Last Update: 21-Mar-2007 Affected: OpenAFS 1.0 - 1.4.3, OpenAFS 1.5.0 - 1.5.16 A user with network access and knowledge of client cache contents can promote a file to a setuid mode and any owner including root. SUMMARY ======= Because AFS cache managers do not use authenticated connections for non-user-authenticated sessions, checks for cache coherency are done over an unprotected connection if they are not being done for an authenticated user. Because of this it is possible to spoof a false status for files in the cache. The AFS cache manager on platforms which offer privilege based on file modes are vulnerable to such attacks. As such we recommend disabling setuid for all cells. Beginning in OpenAFS 1.4.4 and 1.5.17 this is the default. You can opt for the unsafe behavior as before, however, we cannot recommend this step unless all local users have local root anyway. There are no known publicly-available exploits for this vulnerability at this time. IMPACT ====== An attacker with knowledge of a file in the client can spoof a FetchStatus reply with a setuid mode and root owner after flushing the cache locally to invalidate the file status. If the executable file is subsequently run and setuid status for the cell is not disabled, privilege escalation will take place. Variants of this attack may be possible without local client access if the attacker knows of specific files being run from AFS on the client system. AFFECTED SOFTWARE ================= All releases of OpenAFS 1.0.x, 1.1.x, 1.2.x, and 1.3.x. All releases of OpenAFS 1.4.x, up to and including OpenAFS 1.4.3. All releases of OpenAFS 1.5.x, up to and including OpenAFS 1.5.16. FIXES ===== The OpenAFS project recommends that users with systems which could be compromised by privilege escalation upgrade to OpenAFS version 1.4.4 or newer. Only clients need to be upgraded. Note that this vulnerability does not apply to Windows systems. The latest stable OpenAFS release is always available from http://www.openafs.org/release/latest.html. For those who are unable to upgrade, setuid status can always be disabled by running, as the super user on any client: fs setcell -cell (local cell) -nosuid This announcement and code patches related to it may be found on the OpenAFS security advisory page at: http://www.openafs.org/security/ The main OpenAFS web page is at: http://www.openafs.org/ ACKNOWLEDGEMENTS ================ Thanks to Benjamin Bennett from the Pittsburgh Supercomputing Center for reporting this issue. DETAIL ====== Client systems are not required to have a Kerberos key cached, and those which do would likely not have an AFS identity precreated for them. Connections other than those on behalf of a user are thus not as general practice authenticated, although it is theoretically possible to do so. Because the connection is not authenticated it is possible to spoof network traffic from the server without it being detected. Trusting unauthentic server answers to allow assignment of proper privilege level can allow privilege escalation. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) iQEVAwUBRgApzKgrZQAZNTvhAQIBgAgAoAcDPuNxddVFv8TQv8ydMoUozl3ueAea HejycfxPp23nNmWpPnpT2Z66bhRpuqVzUjIVklkp5QOPcu6fK/XbF4RVDIEFybNg /MpyHzjbK7KpWeDh7o1q6n9EG7gpZBxS8GQiuMnCKtynXXiRzNpPKPjiTZvJ4DO4 kIlCxfNWCWmEhlF55j9stqWyQpu2kKS51+H2z32cfEKrCgiOMWhvkEYaLdL1QsEi dTcIqd81zUDNgsUK9gXVGPKBjyZhfm1LoV2TTunCwcqN2GdATloUp53b/wLCHDC4 HhyMWE3M5zshJQM6Zo+2jboY7j3kCri0IHFX7TocvmcpjuQqanQAdA== =0S/k -----END PGP SIGNATURE-----