-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenAFS Security Advisory 2009-001 CVE-2009-1251 Topic: Network based buffer overflow attack against Unix cache manager Issued: 06-Apr-2009 Last Update: 06-Apr-2009 Affected: OpenAFS Unix clients (excluding Mac OS X 10.4 & 10.5) running versions 1.0 -> 1.4.8 and 1.5.0 -> 1.5.58 An attacker with control of a fileserver, or the ability to forge RX packets, can crash the cache manager, and hence the kernel, of any Unix AFS client. It may be possible for an attacker to cause the kernel to execute arbitrary code. SUMMARY ======= AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer. IMPACT ====== By forging responses from an existing fileserver, or by getting a user to visit a fileserver under their control, an attacker may overflow the heap buffer of a client machine. This buffer resides in kernel memory. A remote user can use this overflow to crash the client under attack, and may be able to execute arbitrary code within a client's kernel. At the time of writing, no publicly available exploits are known. AFFECTED SOFTWARE ================= All releases of OpenAFS up to (and including) 1.4.8 All releases of OpenAFS 1.5.0 to 1.5.58 Only the Unix client, excluding Mac OS 10.3 and 10.4, is affected. FIXES ===== The OpenAFS project recommends that administrators with Unix clients upgrade to OpenAFS version 1.4.9 or newer, or as appropriate for people testing features in the OpenAFS 1.5 series, OpenAFS version 1.5.59 or newer. Only Unix clients need to be upgraded to address the issue in this advisory. For those sites unable, or unwilling, to upgrade a patch which resolves this issue is available as STABLE14-avoid-buffer-overflow-on-rx-fixed-size-array-return-20090402 in the OpenAFS delta system, or directly from http://www.openafs.org/security/openafs-sa-2009-001.patch The corresponding PGP signature is available from http://www.openafs.org/security/openafs-sa-2009-001.sig Note that this patch is against 1.4.8, although it may apply to earlier releases, and to other branches. The latest stable OpenAFS release is always available from http://www.openafs.org/release/latest.html This announcement and code patches related to it may be found on the OpenAFS security advisory page at: http://www.openafs.org/security/ The main OpenAFS web page is at: http://www.openafs.org/ ACKNOWLEDGEMENTS ================ This issue was identified by Simon Wilkinson, with assistance from Derrick Brashear and Jeffrey Altman. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAknagIYACgkQfL7q67hBYxXLyQCfRBM5bHjuk0aBj98THK4cDigv O3EAn2/h5d3YZFRVJBIlR9NYTWvF3P6r =MVhw -----END PGP SIGNATURE-----