ESB-2018.2834 - [Win][UNIX/Linux][Debian] openafs: Multiple vulnerabilities 2018-09-24


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2834
              [SECURITY] [DLA 1513-1] openafs security update
                             24 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openafs
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Modify Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16949 CVE-2018-16948 CVE-2018-16947

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/09/msg00024.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running openafs check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : openafs
Version        : 1.6.9-2+deb8u8
CVE ID         : CVE-2018-16947 CVE-2018-16948 CVE-2018-16949
Debian Bug     : 908616

Several security vulnerabilities were discovered in OpenAFS, a
distributed file system.

CVE-2018-16947

    The backup tape controller process accepts incoming RPCs but does
    not require (or allow for) authentication of those RPCs. Handling
    those RPCs results in operations being performed with administrator
    credentials, including dumping/restoring volume contents and
    manipulating the backup database.

CVE-2018-16948

    Several RPC server routines did not fully initialize their output
    variables before returning, leaking memory contents from both the
    stack and the heap. Because the OpenAFS cache manager functions as
    an Rx server for the AFSCB service, clients are also susceptible to
    information leakage.
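The leak described for CVE-2018-16948 is a general pattern: an RPC handler writes only the fields it cares about into a reply structure, and the marshalling layer then sends the whole structure, stale bytes included. The following is an added example written for this bulletin; it is not OpenAFS code. The reply type, the handler names and the 0xAA sentinel used to stand in for stale stack or heap contents are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32

/* Hypothetical fixed-size RPC reply: a status code and a NUL-terminated
 * volume name. Illustrative type only, not an OpenAFS structure. */
struct name_reply {
    int32_t code;
    char    name[NAME_LEN];
};

/* Leaky handler: writes only the bytes it needs. Everything after the
 * terminating NUL keeps whatever the memory held before the call, and the
 * whole struct is then marshalled onto the wire. */
static void handler_leaky(struct name_reply *out, const char *vol)
{
    out->code = 0;
    snprintf(out->name, NAME_LEN, "%s", vol);   /* name[strlen+1..] untouched */
}

/* Hardened handler: clear the entire output before filling it, so the
 * unused tail of the reply carries zeros instead of stale memory. */
static void handler_fixed(struct name_reply *out, const char *vol)
{
    memset(out, 0, sizeof *out);
    out->code = 0;
    snprintf(out->name, NAME_LEN, "%s", vol);
}

/* Count the non-zero bytes that follow the name's terminating NUL; any such
 * byte is data the handler never intended to send. */
static size_t stale_bytes(const struct name_reply *r)
{
    size_t i = 0, n = 0;
    while (i < NAME_LEN && r->name[i] != '\0')
        i++;
    for (i = i + 1; i < NAME_LEN; i++)
        if (r->name[i] != 0)
            n++;
    return n;
}

/* Simulate stale stack/heap contents by pre-filling the reply with 0xAA
 * (a constructed sentinel, not real leaked data), run one handler, and
 * report how many sentinel bytes survive into the reply. */
static size_t leaked_after(int hardened, const char *vol)
{
    struct name_reply r;
    memset(&r, 0xAA, sizeof r);
    if (hardened)
        handler_fixed(&r, vol);
    else
        handler_leaky(&r, vol);
    return stale_bytes(&r);
}

int main(void)
{
    printf("leaky handler: %zu stale bytes in reply\n", leaked_after(0, "root.cell"));
    printf("fixed handler: %zu stale bytes in reply\n", leaked_after(1, "root.cell"));
    return 0;
}
```

With a 9-character name the leaky handler ships 22 sentinel bytes in the 32-byte name field; the fixed handler ships none. The same reasoning applies to any output parameter an Rx server routine returns, including the cache manager's AFSCB replies mentioned above, which is why the fix is to initialize every output before the early-return paths, not only on the success path.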

CVE-2018-16949

    Several data types used as RPC input variables were implemented as
    unbounded array types, limited only by the inherent 32-bit length
    field to 4GB. An unauthenticated attacker could send, or claim to
    send, large input values and consume server resources waiting for
    those inputs, denying service to other valid connections.
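CVE-2018-16949 comes down to a decoder that believes the 32-bit length prefix of an XDR variable-length array. The example below is added for this bulletin and is not OpenAFS code: it contrasts a decoder that commits to reading whatever count the client declares with one that enforces a per-RPC bound before allocating or blocking. The element type, the MAX_ENTRIES value of 1024 and both wire samples are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bound on the entries one RPC may carry. The real limit is
 * RPC-specific; 1024 is an assumed value for this example. */
#define MAX_ENTRIES 1024
#define ELEM_SIZE   4          /* each element is a 32-bit ID */

/* Decode a 4-byte big-endian XDR unsigned integer. */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: trust the declared count and commit to reading that
 * many bytes. Returns the payload size the server would block waiting for,
 * which a client controls up to (2^32 - 1) * ELEM_SIZE bytes per call. */
static uint64_t unbounded_payload(const uint8_t *msg, size_t len)
{
    if (len < 4)
        return 0;
    return (uint64_t)xdr_u32(msg) * ELEM_SIZE;
}

/* Hardened pattern: reject oversized counts before allocating or waiting,
 * and confirm the bytes are actually present. Returns the element count,
 * -1 if the count exceeds max_entries, -2 if the message is truncated. */
static long bounded_decode(const uint8_t *msg, size_t len, uint32_t max_entries)
{
    if (len < 4)
        return -2;
    uint32_t count = xdr_u32(msg);
    if (count > max_entries)
        return -1;
    if ((uint64_t)(len - 4) < (uint64_t)count * ELEM_SIZE)
        return -2;
    return (long)count;
}

/* Constructed wire samples, not captured traffic: a well-formed array of
 * two IDs, and a hostile header that declares 0xFFFFFFFF entries and then
 * sends nothing else. */
static const uint8_t legit_msg[]   = { 0,0,0,2,  0,0,0,0x10,  0,0,0,0x11 };
static const uint8_t hostile_msg[] = { 0xFF,0xFF,0xFF,0xFF };

int main(void)
{
    printf("hostile header: unbounded decoder waits for %llu bytes\n",
           (unsigned long long)unbounded_payload(hostile_msg, sizeof hostile_msg));
    printf("hostile header: bounded decoder returns %ld\n",
           bounded_decode(hostile_msg, sizeof hostile_msg, MAX_ENTRIES));
    printf("legit message:  bounded decoder returns %ld entries\n",
           bounded_decode(legit_msg, sizeof legit_msg, MAX_ENTRIES));
    return 0;
}
```

The hostile four-byte header makes the unbounded decoder commit to nearly 16 GiB of input it will never receive, tying up that call's worker for as long as the connection stays open; the bounded decoder rejects it before any resource is reserved. Note that the bound must be checked before the length is used for allocation or for a blocking read, and that checking the bytes actually present is a separate, second condition.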


For Debian 8 "Jessie", these problems have been fixed in version
1.6.9-2+deb8u8.

We recommend that you upgrade your openafs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
