OpenAFS Security Advisory 2007-003 Topic: denial of service in OpenAFS fileserver Issued: 20-Dev-2007 Last Update: 21-Dec-2007 Affected: OpenAFS 1.3.50 - 1.4.5, OpenAFS 1.5.0 - 1.5.27 A user with network access can attack a fileserver via a race condition and cause it to crash. SUMMARY ======= The AFS fileserver tracks client callbacks on files via a series of linked lists internally. When a client acquires a new callback or gives up an old one, these lists must be updated. In OpenAFS 1.3.50, a new mechanism to allow for more efficient bulk disposal of unwanted callbacks was added. Due to a necessary lock not being held internally, this results in unsafe access to the linked lists containing the callback information. By simultaneously acquiring and giving back callbacks on a file or files it is possible to crash a fileserver, thus denying service for the duration of the recovery period. No privilege escalation, data integrity or access issue is known. There are no known publicly-available exploits for this vulnerability at this time although in the course of normal operation this issue can be triggered. IMPACT ====== By using public interfaces to the fileserver, an attacker can construct cases which trigger the race condition and thus crash the fileserver. Likewise, with the increased use of the RPC handler for giving up callbacks in bulk in recent Windows clients, crashes will become more common. AFFECTED SOFTWARE ================= All releases of OpenAFS 1.3.x subsequent to 1.3.50. All releases of OpenAFS 1.4.x, up to and including OpenAFS 1.4.5. All releases of OpenAFS 1.5.x, up to and including OpenAFS 1.5.27. FIXES ===== The OpenAFS project recommends that administrators with systems which could be affected by this race condition upgrade to OpenAFS version 1.4.6 or newer, or as appropriate for people testing features in the OpenAFS 1.5 series, OpenAFS version 1.5.28 or newer. Only fileservers need to be upgraded. The latest stable OpenAFS release is always available from http://www.openafs.org/release/latest.html. This announcement and code patches related to it may be found on the OpenAFS security advisory page at: http://www.openafs.org/security/ The main OpenAFS web page is at: http://www.openafs.org/ ACKNOWLEDGEMENTS ================ Thanks to Russ Allbery, Jeffrey Altman, Dan Hyde, and Thomas Mueller for their work in tracking this issue. DETAIL ====== In pthread-aware fileservers, the "host_glock" pthread lock, accessed via the H_LOCK and H_UNLOCK macros, is used to provide safe access to host structures. This lock is required to be held when updating information pertaining to a host. The RPC handler for the GiveUpAllCallBacks RPC did not hold this lock while performing its work.