OpenAFS Security Advisory 2013-004 Topic: vos -encrypt doesn't encrypt connection data CVE-2013-4135 Issued: Last Updated: Affected: All OpenAFS clients The -encrypt option to the 'vos' volume management command should cause it to encrypt all data between client and server. However, in versions of OpenAFS later than 1.6.0, it has no effect, and data is transmitted with integrity protection only. In all versions of OpenAFS, vos -encrypt has no effect when combined with the -localauth option. IMPACT ====== Information which should be encrypted on the wire is only integrity protected. An attacker may read RPC's initiated by the 'vos' command which the administrator expected to remain private. AFFECTED SOFTWARE ================= All current releases of OpenAFS. FIXES ===== The OpenAFS project recommends that administrators upgrade to OpenAFS 1.6.5 or later. ACKNOWLEDGMENTS =============== This issue was identified independently by Chaskiel M Grundman and Michael Meffie. Patches were provided by Michael Meffie.