The following are overviews of security advisories issued by the OpenAFS Project regarding known security problems in OpenAFS and its components. Each overview includes a summary of the problem, a link to the full text of the advisory. When they are available, patches are also included. At the end of this document is a table of all OpenAFS security advisories.
If you want to report security problems or issues with OpenAFS, you may send mail to the OpenAFS security officer at security@openafs.org. When sending sensitive information, we ask that you encrypt it with PGP.
Issued: | 12-Nov-2024 | ||
---|---|---|---|
Last Update: | 12-Nov-2024 | ||
Severity: | High | ||
Affected: | OpenAFS versions 1.0 through 1.6.24, 1.8.0 through 1.8.12.2, 1.9.0 through 1.9.1 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2024-003-stable16.patch | https://www.openafs.org/security/openafs-sa-2024-003-stable18.patch | https://www.openafs.org/security/openafs-sa-2024-003-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2024-003.txt |
A malicious server can crash the OpenAFS cache manager and other client utilities, and possibly execute arbitrary code.
Issued: | 12-Nov-2024 | ||
---|---|---|---|
Last Update: | 12-Nov-2024 | ||
Severity: | High | ||
Affected: | OpenAFS versions 1.0 through 1.6.24, 1.8.0 through 1.8.12.2, 1.9.0 through 1.9.1 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2024-002-stable16.patch | https://www.openafs.org/security/openafs-sa-2024-002-stable18.patch | https://www.openafs.org/security/openafs-sa-2024-002-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2024-002.txt |
An authenticated user can provide a malformed ACL to the fileserver's StoreACL RPC, causing the fileserver to crash, possibly expose uninitialized memory, and possibly store garbage data in the audit log.
Malformed ACLs provided in responses to client FetchACL RPCs can cause client processes to crash and possibly expose uninitialized memory into other ACLs stored on the server.
Issued: | 12-Nov-2024 | ||
---|---|---|---|
Last Update: | 12-Nov-2024 | ||
Severity: | High | ||
Affected: | OpenAFS client versions 1.0 through 1.6.24, 1.8.0 through 1.8.12.2, 1.9.0 through 1.9.1 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2024-001-stable16.patch | https://www.openafs.org/security/openafs-sa-2024-001-stable18.patch | https://www.openafs.org/security/openafs-sa-2024-001-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2024-001.txt |
A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.
Issued: | 22-Oct-2019 | ||
---|---|---|---|
Last Update: | 22-Oct-2019 | ||
Severity: | Medium | ||
Affected: | OpenAFS server versions 1.0 through 1.6.23, 1.8.0 through 1.8.4 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2019-003-stable16.patch | https://www.openafs.org/security/openafs-sa-2019-003-stable18.patch | https://www.openafs.org/security/openafs-sa-2019-003-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2019-003.txt |
The ubik debugging RPCs prioritize being fast and non-disruptive to database operations over strict correctness, and do not adhere to the usual locking protocol for data access. A data race could cause a NULL dereference if the second memory load was not optimized out by the compiler
Issued: | 22-Oct-2019 | ||
---|---|---|---|
Last Update: | 22-Oct-2019 | ||
Severity: | Low | ||
Affected: | OpenAFS client versions 1.0 through 1.6.23, 1.8.0 through 1.8.4 ; OpenAFS server versions 1.0 through 1.6.23, 1.8.0 through 1.8.4 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2019-002-stable16.patch | https://www.openafs.org/security/openafs-sa-2019-002-stable18.patch | https://www.openafs.org/security/openafs-sa-2019-002-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2019-002.txt |
Generated RPC handler routines did not initialize output variables of scalar (fixed-length) type, since they did not require dedicated logic to free. Such variables allocated on the stack could remain uninitialized in some cases (including those affected by OPENAFS-SA-2019-001), and the contents of uninitialized memory would be returned to the peer.
Issued: | 22-Oct-2019 | ||
---|---|---|---|
Last Update: | 22-Oct-2019 | ||
Severity: | Low | ||
Affected: | OpenAFS client versions 1.0 through 1.6.23, 1.8.0 through 1.8.4 ; OpenAFS server versions 1.0 through 1.6.23, 1.8.0 through 1.8.4 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2019-001-stable16.patch | https://www.openafs.org/security/openafs-sa-2019-001-stable18.patch | https://www.openafs.org/security/openafs-sa-2019-001-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2019-001.txt |
Generated RPC handler routines ran output variables through XDR encoding even when the call had failed and would shortly be aborted (and for which uninitialized output variables is common); any complete packets assembled in the process would be sent to the peer, leaking the contents of the uninitialized memory in question.
Issued: | 11-Sep-2018 | ||
---|---|---|---|
Last Update: | 11-Sep-2018 | ||
Severity: | Medium | ||
Affected: | OpenAFS server versions 1.0 through 1.6.22.4, 1.8.0 through 1.8.1.1 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2018-003-stable16.patch | https://www.openafs.org/security/openafs-sa-2018-003-stable18.patch | https://www.openafs.org/security/openafs-sa-2018-003-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2018-003.txt |
Several data types used as RPC input variables were implemented as unbounded array types, limited only by the inherent 32-bit length field to 4GB. An unauthenticated attacker could send, or claim to send, large input values and consume server resources waiting for those inputs, denying service to other valid connections.
Issued: | 11-Sep-2018 | ||
---|---|---|---|
Last Update: | 11-Sep-2018 | ||
Severity: | Medium | ||
Affected: | OpenAFS client versions 1.0 through 1.6.22.4, 1.8.0 through 1.8.1.1 ; OpenAFS server versions 1.0 through 1.6.22.4, 1.8.0 through 1.8.1.1 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2018-002-stable16.patch | https://www.openafs.org/security/openafs-sa-2018-002-stable18.patch | https://www.openafs.org/security/openafs-sa-2018-002-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2018-002.txt |
Several RPC server routines did not fully initialize their output variables before returning, leaking memory contents from both the stack and the heap. Because the OpenAFS cache manager functions as an Rx server for the AFSCB service, clients are also susceptible to information leakage.
Issued: | 11-Sep-2018 | ||
---|---|---|---|
Last Update: | 11-Sep-2018 | ||
Severity: | High | ||
Affected: | OpenAFS butc server versions 1.0 through 1.6.22.4, 1.8.0 through 1.8.1.1 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2018-001-stable16.patch | https://www.openafs.org/security/openafs-sa-2018-001-stable18.patch | https://www.openafs.org/security/openafs-sa-2018-001-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2018-001.txt |
The backup tape controller process accepts incoming RPCs but does not require (or allow for) authentication of those RPCs. Handling those RPCs results in operations being performed with administrator credentials, including dumping/restoring volume contents and manipulating the backup database.
Issued: | 05-Dec-2017 | ||
---|---|---|---|
Last Update: | 05-Dec-2017 | ||
Severity: | High | ||
Affected: | OpenAFS client versions 1.0 through 1.6.21.1 . OpenAFS fileserver versions 1.0 through 1.6.21.1 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2017-001-stable16.patch | https://www.openafs.org/security/openafs-sa-2017-001-stable18.patch | https://www.openafs.org/security/openafs-sa-2017-001-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2017-001.txt |
Due to insufficient validation of transport parameters received in unauthenticated ack packets, Rx participants can be coerced into using very small MTU values that become negative when converted into effective MTU values. Subsequent usage as an unsigned packet size produces a very large packet size, that subsequently triggers an assertion failure.
This vulnerability is being tracked as CVE-2017-17432.
Issued: | 30-Nov-2016 | |
---|---|---|
Last Update: | 30-Nov-2016 | |
Severity: | Medium | |
Affected: | OpenAFS client versions 1.0 through 1.6.19 . OpenAFS fileserver versions 1.0 through 1.6.19 . | |
Patch: | https://www.openafs.org/security/openafs-sa-2016-003.patch | https://www.openafs.org/security/openafs-sa-2016-003-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2016-003.txt |
Due to insufficient clearing of directory entries and internal buffers, directory information may be leaked over the network, as well as in cache manager cache partitions and fileserver vice partitions. This information may include file and directory names, vnode number and uniqueid, and may include information from other directories or volumes for which the user is not authorized.
Issued: | 16-Mar-2016 | |
---|---|---|
Last Update: | 16-Mar-2016 | |
Severity: | Low | |
Affected: | OpenAFS client versions 1.0 through 1.6.16 . | |
Patch: | https://www.openafs.org/security/openafs-sa-2016-002.patch | https://www.openafs.org/security/openafs-sa-2016-002-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2016-002.txt |
Several structures used as RPC arguments contain a mask field that indicates which other fields should be processed by the server. In some cases, fields not not indicated in the mask were transmitted over the network without being written to, exposing the previous contents of that memory. Both kernel stack and userspace stack data can be leaked.
Issued: | 16-Mar-2016 | |
---|---|---|
Last Update: | 16-Mar-2016 | |
Severity: | Medium | |
Affected: | OpenAFS server versions 1.0 through 1.6.16 . | |
Patch: | https://www.openafs.org/security/openafs-sa-2016-001.patch | https://www.openafs.org/security/openafs-sa-2016-001-master.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2016-001.txt |
Access checking for the creation of new entries in the PRDB was performed in multiple steps. For requests coming from foreign users, the creator ID was replaced with the ID of system:administrators after the first round of checks, letting requests from foreign users bypass most other access control checks and create groups as if they were an administrator.
This vulnerability is being tracked as CVE-2016-2860.
Issued: | 28-Oct-2015 | ||
---|---|---|---|
Last Update: | 28-Oct-2015 | ||
Severity: | High | ||
Affected: | OpenAFS client and server versions prior to 1.7.33, 1.6.15, IBM AFS, Arla, and other protocols using Rx implementations derived from Project Andrew | ||
Patch: | https://www.openafs.org/security/OPENAFS-SA-2015-007.master.patch | https://www.openafs.org/security/OPENAFS-SA-2015-007.1.6.patch | https://www.openafs.org/security/OPENAFS-SA-2015-007.1.7.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2015-007.txt |
The packet paylod of Rx ACK packets is not fully initialized, leaking plaintext from packets previously processed.
This security advisory is being tracked by CVE-2015-7762 and CVE-2015-7763.
Issued: | 29-Jul-2015 | ||
---|---|---|---|
Last Update: | 29-Jul-2015 | ||
Severity: | Medium | ||
Affected: | OpenAFS server versions 1.0 through 1.6.12 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2015-006.patch | https://www.openafs.org/security/openafs-sa-2015-006-master.patch | https://www.openafs.org/security/openafs-sa-2015-006-1.4.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2015-006.txt |
Disable regular expression support in the vlserver handling of ListAttributes RPCs given likely safety issues.
Issued: | 29-Jul-2015 | ||
---|---|---|---|
Last Update: | 29-Jul-2015 | ||
Severity: | Medium | ||
Affected: | OpenAFS Solaris client versions 1.0 through 1.6.12 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2015-005.patch | https://www.openafs.org/security/openafs-sa-2015-005-master.patch | https://www.openafs.org/security/openafs-sa-2015-005-1.4.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2015-005.txt |
Solaris hosts can overflow the buffer allocated for the user's group list or hang the kernel when handling an error due to too many groups.
This vulnerability is being tracked as CVE-2015-3286.
Issued: | 29-Jul-2015 | ||
---|---|---|---|
Last Update: | 29-Jul-2015 | ||
Severity: | Medium | ||
Affected: | OpenAFS client versions 1.0.3 through 1.6.12 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2015-004.patch | https://www.openafs.org/security/openafs-sa-2015-004-master.patch | https://www.openafs.org/security/openafs-sa-2015-004-1.4.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2015-004.txt |
Local users can panic a machine by causing an incorrect buffer to be writter to with the OSD fscommand pioctl support This vulnerability is being tracked as CVE-2015-3285.
Issued: | 29-Jul-2015 | ||
---|---|---|---|
Last Update: | 29-Jul-2015 | ||
Severity: | Medium | ||
Affected: | OpenAFS client versions 1.6.0 through 1.6.12 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2015-003.patch | https://www.openafs.org/security/openafs-sa-2015-003-master.patch | https://www.openafs.org/security/openafs-sa-2015-003-1.4.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2015-003.txt |
Kernel memory could be leaked to a local user in the return of a pioctl command.
This vulnerability is being tracked as CVE-2015-3284.
Issued: | 29-Jul-2015 | ||
---|---|---|---|
Last Update: | 29-Jul-2015 | ||
Severity: | Medium | ||
Affected: | OpenAFS server versions 1.0 through 1.6.12 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2015-002.patch | https://www.openafs.org/security/openafs-sa-2015-002-master.patch | https://www.openafs.org/security/openafs-sa-2015-002-1.4.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2015-002.txt |
The default use by bos of clear rather than crypt mode can allow spoofing commands, including some which modify server state if restricted mode was not enabled.
This vulnerability is being tracked as CVE-2015-3283.
Issued: | 29-Jul-2015 | ||
---|---|---|---|
Last Update: | 29-Jul-2015 | ||
Severity: | Medium | ||
Affected: | OpenAFS server versions 1.0 through 1.6.12 . | ||
Patch: | https://www.openafs.org/security/openafs-sa-2015-001.patch | https://www.openafs.org/security/openafs-sa-2015-001-master.patch | https://www.openafs.org/security/openafs-sa-2015-001-1.4.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2015-001.txt |
Memory allocated by vos for VLDB entry structures was not cleared prior to use, meaning stack data could be sent over the network, possibly in the clear if crypt mode was not in use.
This vulnerability is being tracked as CVE-2015-3282.
Issued: | 12-Jun-2014 |
---|---|
Last Update: | 12-Jun-2014 |
Severity: | High |
Affected: | OpenAFS fileserver version 1.6.8 . |
Patch: | https://www.openafs.org/security/openafs-sa-2014-002.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2014-002.txt |
The 1.6.8 release of the OpenAFS fileserver and dafileserver processes introduced a security vulnerability in the host package due to the use of uninitialized memory allocations from the process heap.
An attacker with the ability to connect to an OpenAFS fileserver over the network can trigger the use of uninitialized memory and, potentially, execution of arbitrary code with the privileges of the fileserver process.
Issued: | 9-Apr-2014 |
---|---|
Last Update: | 9-Apr-2013 |
Affected: | OpenAFS server versions 1.4.8 through 1.6.6. Also 1.6.8pre1. |
Patch: | https://www.openafs.org/security/openafs-sa-2014-001.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2014-001.txt |
An attacker with the ability to connect to an OpenAFS fileserver can trigger a buffer overflow, crashing the server.
Issued: | 24-Jul-2013 |
---|---|
Last Update: | 24-Jul-2013 |
Affected: | OpenAFS client versions 1.6.1 through 1.6.4 |
Patch: | https://www.openafs.org/security/openafs-sa-2013-004.patch |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2013-004.txt |
An attacker can read data which an administrator expected to remain private.
Issued: | 24-Jul-2013 |
---|---|
Last Update: | 24-Jul-2013 |
Affected: | OpenAFS servers before versions 1.4.15 and 1.6.5 |
Instructions: | How to rekey your cell How to install rxkad k5 support for servers running OpenAFS 1.6 How to install rxkad k5 support for servers running OpenAFS 1.4 |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2013-003.txt |
The small size of the DES key space permits an attacker to brute force a cell's service key and then forge traffic from any user within the cell. The key space search can be performed in under 1 day at a cost of around $100 using publicly available services.
Issued: | 27-Feb-2013 |
---|---|
Last Update: | 27-Feb-2013 |
Affected: | OpenAFS servers before version 1.6.2 |
Patch: | https://www.openafs.org/security/openafs-sa-2013-002.patch https://www.openafs.org/security/openafs-sa-2013-002-1_4_14_1.patch (for 1.4.14.1) |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2013-002.txt |
An attacker can crash an OpenAFS ptserver by sending an IdToName RPC with a large payload. This vulnerability is being tracked as CVE-2013-1795.
Issued: | 27-Feb-2013 |
---|---|
Last Update: | 27-Feb-2013 |
Affected: | OpenAFS servers before version 1.6.2 |
Patch: | https://www.openafs.org/security/openafs-sa-2013-001.patch https://www.openafs.org/security/openafs-sa-2013-001-1_4_14_1.patch (for 1.4.14.1) |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2013-001.txt |
By carefully crafting an ACL entry an attacker may overflow fixed length buffers within the OpenAFS fileserver, crashing the fileserver, and potentially permitting the execution of arbitrary code. To perform the exploit, the attacker must already have permissions to create ACLs on the fileserver in question. This vulnerability is being tracked as CVE-2013-1794.
Issued: | 23-Feb-2011 |
---|---|
Last Update: | 23-Feb-2011 |
Affected: | OpenAFS servers versions 1.2.8 - 1.4.12.1, 1.5.0-1.5.74 for all platforms |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2011-001.txt |
An attacker with control of a client, or the ability to forge RX packets, can crash a server of affected hosts. This vulnerability is being tracked as CVE-2011-0430.
Currently the advisory erroneously states 1.4.14 is vulnerable.
CVE-2011-0431, while correctly describing 1.4.14 as containing the fix for this issue, describes in its summary the release as broken. It is not. We recommend sites upgrade to 1.4.14; However, the impact of the issue is limited to a denial of service attack by a user with the ability to affect a lock of AFS though the client on a host.
Issued: | 6-Apr-2009 |
---|---|
Last Update: | 6-Apr-2009 |
Severity: | Medium |
Affected: | OpenAFS 1.0-1.4.8, OpenAFS 1.5.0-1.5.58 |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2009-002.txt |
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack.
There are no known publicly-available exploits for this vulnerability at this time.
Issued: | 6-Apr-2009 |
---|---|
Last Update: | 6-Apr-2009 |
Severity: | Medium |
Affected: | OpenAFS 1.0-1.4.8, OpenAFS 1.5.0-1.5.58 |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2009-001.txt |
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
There are no known publicly-available exploits for this vulnerability at this time.
Issued: | 20-Dec-2007 |
---|---|
Last Update: | 21-Dec-2007 |
Severity: | Medium |
Affected: | OpenAFS 1.3.50-1.4.5, OpenAFS 1.5.0-1.5.27 |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2007-003.txt |
The AFS fileserver tracks client callbacks on files via a series of linked lists internally. When a client acquires a new callback or gives up an old one, these lists must be updated. Beginning in 1.3.50, a bulk disposal mechanism was added. Due to a failure to hold a lock, unsafe access to data could result in a crash. No data compromise is known.
There are no known publicly-available exploits for this vulnerability at this time.
Issued: | 19-Apr-2007 |
---|---|
Last Update: | 19-Apr-2007 |
Severity: | Medium |
Affected: | OpenAFS 1.3.64-1.3.99, OpenAFS 1.4.0-1.4.4, OpenAFS 1.5.0-1.5.18 |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2007-002.txt |
OpenAFS for Windows installs a Network Provider module, afslogon.dll, which is loaded by the Windows Logon service, winlogon.exe. When MIT Kerberos for Windows is installed, afslogon.dll will attempt to perform operations that involve the Kerberos v5 libraries. Successful use of Kerberos v5 requires the ability to establish a krb5_context. Parsing errors in the Kerberos v5 configuration profile, krb5.ini, will prevent the successful creation of a krb5_context. afslogon.dll attempts to free a krb5_context whether or not it was successfully established. This produces a memory access error that in turn forces the Windows Logon Service to terminate unexpectedly and causes Microsoft Windows to halt.
There are no known publicly-available exploits for this vulnerability at this time.
Issued: | 20-Mar-2007 |
---|---|
Last Update: | 20-Mar-2007 |
Severity: | Medium |
Affected: | OpenAFS 1.0-1.4.3, OpenAFS 1.5.0-1.5.16 |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2007-001.txt |
Because AFS cache managers do not use authenticated connections for non-user-authenticated sessions, checks for cache coherency are done over an unprotected connection if they are not being done for an authenticated user. Because of this it is possible to spoof a false status for files in the cache.
The AFS cache manager on platforms which offer privilege based on file modes are vulnerable to such attacks.
There are no known publicly-available exploits for this vulnerability at this time.
Issued: | 18-Apr-2003 |
---|---|
Last Update: | 18-Apr-2003 |
Severity: | Medium |
Affected: | OpenAFS 1.0-1.2.7, OpenAFS 1.3.0-1.3.2 |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2003-002.txt |
Patch: | https://www.openafs.org/security/openafs-sa-2003-002.patch (PGP signature) |
There is a bug in the Rx RPC protocol, used by AFS, which can be exploited by an attacker to hijack arbitrary Rx connections. This allows the attacker to mount a denial of service attack by breaking arbitrary Rx connections. Additionally, unless encryption is used, such as rxkad mode crypt ("fs setcrypt on") and the user accessing files is authenticated (has valid tokens), the attacker can observe and modify the data being transferred.
The AFS cache manager and other AFS administrative clients (such as pts, fs, vos, etc) are vulnerable to these attacks. Vulnerable AFS servers allow connections from AFS cache managers to be hijacked, but not connections from the other AFS administrative clients (such as pts, fs, vos, etc).
There are no known publicly-available exploits for this vulnerability at this time.
Issued: | 25-Mar-2003 |
---|---|
Last Update: | 25-Mar-2003 |
Severity: | High |
Affected: | OpenAFS 1.0-1.2.8, OpenAFS 1.3.0-1.3.2 |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2003-001.txt |
Patch: | https://www.openafs.org/security/kaserver-disable-krb4-crossrealm-20030317.delta (PGP signature) |
A cryptographic weakness in version 4 of the Kerberos protocol allows an attacker to use a chosen-plaintext attack to impersonate any principal in a realm. OpenAFS kaserver implements version 4 of the Kerberos protocol, and therefore is vulnerable. An attacker that knows a shared cross-realm key between any remote realm and the local realm can impersonate any principal in the local realm to AFS database servers and file servers in the local cell, and other services in the local realm. An attacker that can create arbitrary principal names in a realm can also impersonate any principal in that realm.
If your realm has no shared keys, and does not allow users to create arbitrary principal names, you are not exposed to this vulnerability.
There are no known publicly-available exploits for this vulnerability at this time.
Issued: | 03-Aug-2002 |
---|---|
Last Update: | 03-Aug-2002 |
Severity: | High |
Affected: | OpenAFS 1.0-1.2.5, OpenAFS 1.3.0-1.3.2 |
Full Text: | https://www.openafs.org/security/OPENAFS-SA-2002-001.txt |
Patch: | https://www.openafs.org/security/xdr-updates-20020731.delta (PGP signature) |
There is an integer overflow bug in the SUNRPC-derived RPC library used by OpenAFS that could be exploited to crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver) or to obtain unauthorized root access to a host running one of these processes.
In addition, it is possible for a rogue server to attack certain administrative clients (vos, pts, backup, butc, rxstat), but only if certain RPC requests are made to the rogue server.
The OpenAFS fileserver and cache manager (client) are not vulnerable to these attacks. No exploits are presently known to be available for this vulnerability.
ID | Issued | Updated | Severity | Versions Affected | topic |
---|---|---|---|---|---|
2002-001 | 03-Aug-2002 | 03-Aug-2002 | High | 1.0-1.2.5, 1.3.0-1.3.2 | xdr_array integer overflow |
2003-001 | 25-Mar-2003 | 25-Mar-2003 | High | 1.0-1.2.8, 1.3.0-1.3.2 | Cryptographic weakness in Kerberos v4 |
2003-002 | 18-Apr-2003 | 18-Apr-2003 | Medium | 1.0-1.2.7, 1.3.0-1.3.2 | Rx connection hijacking vulnerability |
2007-001 | 20-Mar-2007 | 20-Mar-2007 | Medium | 1.0-1.4.3, 1.5.0-1.5.16 | setuid (privilege escalation) in OpenAFS Unix based clients |
2007-002 | 19-Apr-2007 | 19-Apr-2007 | Medium | 1.3.64-1.4.4, 1.5.0-1.5.18 | OpenAFS for Windows clients denial of service vulnerability |
2007-003 | 20-Dec-2007 | 21-Dec-2007 | Medium | 1.3.50-1.4.5, 1.5.0-1.5.27 | denial of service in OpenAFS fileserver |
2009-001 | 06-Apr-2009 | 06-Apr-2009 | Medium | 1.0-1.4.8, 1.5.0-1.5.58 | Network based buffer overflow attack against Unix cache manager |
2009-002 | 06-Apr-2009 | 06-Apr-2009 | Medium | 1.0-1.4.8, 1.5.0-1.5.58 | Denial of service attack against Linux cache manager |
2011-001 | 23-Feb-2011 | 23-Feb-2011 | Medium | 1.2.8-1.4.12.1, 1.5.0-1.5.74 | Denial of service attack against Rx server processes |
2013-001 | 27-Feb-2013 | 27-Feb-2013 | High | 1.0-1.6.1 | Buffer overflows in OpenAFS fileserver |
2013-002 | 27-Feb-2013 | 27-Feb-2013 | High | 1.0-1.6.1 | Buffer overflow in OpenAFS ptserver |
2013-003 | 24-Jul-2013 | 24-Jul-2013 | High | 1.0-1.4.14,1.5.0-1.6.4 | Brute force DES attack permits compromise of AFS cell |
2013-004 | 24-Jul-2013 | 24-Jul-2013 | High | 1.6.1-1.6.4 | vos -encrypt doesn't encrypt connection data |
2014-001 | 9-Apr-2014 | 9-Apr-2014 | High | 1.4.8-1.6.6 | Buffer overflow in OpenAFS fileserver |
2014-002 | 12-Jun-2014 | 12-Jun-2014 | High | 1.6.8 | Use of uninitialized memory in OpenAFS fileserver |
2015-001 | 29-Jul-2015 | 29-Jul-2015 | Medium | 1.0-1.6.12 | vos leaks stack data onto the wire in the clear when creating vldb entries |
2015-002 | 29-Jul-2015 | 29-Jul-2015 | Medium | 1.0-1.6.12 | bos commands can be spoofed, including some which alter server state |
2015-003 | 29-Jul-2015 | 29-Jul-2015 | Medium | 1.0-1.6.12 | pioctls leak kernel memory contents |
2015-004 | 29-Jul-2015 | 29-Jul-2015 | Medium | 1.0.3-1.6.12 | kernel pioctl support for OSD command passing can trigger a panic |
2015-005 | 29-Jul-2015 | 29-Jul-2015 | Medium | 1.0-1.6.12 | Solaris grouplist modifications for PAGs can panic or overwrite memory |
2015-006 | 29-Jul-2015 | 29-Jul-2015 | Medium | 1.0-1.6.12 | Buffer overflow in OpenAFS vlserver |
2015-007 | 28-Oct-2015 | 28-Oct-2015 | High | 1.0-1.6.14, 1.7.0-1.7.33 | Rx ACK packets leak plaintext of previous packets |
2016-001 | 16-Mar-2016 | 16-Mar-2016 | Medium | 1.0-1.6.16 | ptserver allows foreign users to create arbitrary groups |
2016-002 | 16-Mar-2016 | 16-Mar-2016 | Low | 1.0-1.6.16 | information leakage from client memory |
2016-003 | 30-Nov-2016 | 30-Nov-2016 | Medium | 1.0-1.6.19 | directory information leaks |
2017-001 | 05-Dec-2017 | 05-Dec-2017 | High | 1.0-1.6.21.1 | remotely triggerable assertion failure in Rx |
2018-001 | 11-Sep-2018 | 11-Sep-2018 | High | 1.0-1.6.22.4,1.8.0-1.8.1.1 | volume-level-data-replacement via unauthenticated butc connections |
2018-002 | 11-Sep-2018 | 11-Sep-2018 | Medium | 1.0-1.6.22.4,1.8.0-1.8.1.1 | information leakage from uninitialized RPC output variables |
2018-003 | 11-Sep-2018 | 11-Sep-2018 | Medium | 1.0-1.6.22.4,1.8.0-1.8.1.1 | denial of service due to excess resource consumption |
2019-001 | 22-Oct-2019 | 22-Oct-2019 | Low | 1.0-1.6.23,1.8.0-1.8.4 | information leakage in failed RPC output |
2019-002 | 22-Oct-2019 | 22-Oct-2019 | Low | 1.0-1.6.23,1.8.0-1.8.4 | information leakage from uninitialized scalars |
2019-003 | 22-Oct-2019 | 22-Oct-2019 | Medium | 1.0-1.6.23,1.8.0-1.8.4 | crash in database servers |
2024-001 | 12-Nov-2024 | 12-Nov-2024 | High | 1.0-1.6.24,1.8.0-1.8.12.2,1.9.0-1.9.1 | theft of credentials in Unix client PAGs |
2024-002 | 12-Nov-2024 | 12-Nov-2024 | High | 1.0-1.6.24,1.8.0-1.8.12.2,1.9.0-1.9.1 | crash and possible information leak |
2024-003 | 12-Nov-2024 | 12-Nov-2024 | High | 1.0-1.6.24,1.8.0-1.8.12.2,1.9.0-1.9.1 | buffer overflow in XDR responses |