Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 459
Alerts This Week
Warning Icon 1 459

Scientific Linux 5 and 6 Critical Advisory: OpenAFS Threats

Scientific Large Esm H446
Critical: openafs on SL5.x, SL6.x i386/x86_64
Date: Wed, 24 Jul 2013 11:43:10 -0500
Reply-To: Pat Riehecky 
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Critical: openafs on SL5.x, SL6.x i386/x86_64
MIME-Version: 1.0

Synopsis: Critical: openafs on SL5.x, SL6.x i386/x86_64
Issue date: 2013-07-24
CVE Numbers: CVE-2013-4134
 CVE-2013-4135
--

OpenAFS uses Kerberos tickets to secure network traffic. For historical
reasons, it has only supported the DES encryption algorithm to encrypt these
tickets. The weakness of DES's 56 bit key space has long been known, however
it has recently become possible to use that weakness to cheaply (around $100)
and rapidly (approximately 23 hours) compromise a service's long term key. An
attacker must first obtain a ticket for the cell. They may then use a brute
force attack to compromise the cell's private service key. Once an attacker
has gained access to the service key, they can use this to impersonate any
user within the cell, including the super user, giving them access to all
administrative capabilities as well as all user data. Recovering the service
key from a DES encrypted ticket is an issue for any Kerberos service still
using DES (and especially so for realms which still have DES keys on their
ticket granting ticket). (CVE-2013-4134)

The -encrypt option to the 'vos' volume management command should cause it to
encrypt all data between client and server. However, in versions of OpenAFS
later than 1.6.0, it has no effect, and data is transmitted with integrity
protection only. In all versions of OpenAFS, vos -encrypt has no effect when
combined with the -localauth option. (CVE-2013-4135)
--

SL5
 x86_64
 kernel-module-openafs-2.6.18-308.20.1.el5-1.4.15-83.sl5.x86_64.rpm
 kernel-module-openafs-2.6.18-308.20.1.el5xen-1.4.15-83.sl5.x86_64.rpm
 kernel-module-openafs-2.6.18-348.12.1.el5-1.4.14-82.sl5.x86_64.rpm
 kernel-module-openafs-2.6.18-348.12.1.el5-1.4.15-83.sl5.x86_64.rpm
 kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.14-82.sl5.x86_64.rpm
 kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.15-83.sl5.x86_64.rpm
 kernel-module-openafs-2.6.18-348.6.1.el5-1.4.14-82.sl5.x86_64.rpm
 kernel-module-openafs-2.6.18-348.6.1.el5-1.4.15-83.sl5.x86_64.rpm
 kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.14-82.sl5.x86_64.rpm
 kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.15-83.sl5.x86_64.rpm
 openafs-1.4.15-83.sl5.x86_64.rpm
 openafs-authlibs-1.4.15-83.sl5.x86_64.rpm
 openafs-authlibs-devel-1.4.15-83.sl5.x86_64.rpm
 openafs-client-1.4.15-83.sl5.x86_64.rpm
 openafs-compat-1.4.15-83.sl5.x86_64.rpm
 openafs-debug-1.4.15-83.sl5.x86_64.rpm
 openafs-devel-1.4.15-83.sl5.x86_64.rpm
 openafs-kernel-source-1.4.15-83.sl5.x86_64.rpm
 openafs-kpasswd-1.4.15-83.sl5.x86_64.rpm
 openafs-krb5-1.4.15-83.sl5.x86_64.rpm
 openafs-server-1.4.15-83.sl5.x86_64.rpm

 i386
 kernel-module-openafs-2.6.18-308.20.1.el5-1.4.15-83.sl5.i686.rpm
 kernel-module-openafs-2.6.18-308.20.1.el5PAE-1.4.15-83.sl5.i686.rpm
 kernel-module-openafs-2.6.18-308.20.1.el5xen-1.4.15-83.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.12.1.el5-1.4.14-82.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.12.1.el5-1.4.15-83.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.12.1.el5PAE-1.4.14-82.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.12.1.el5PAE-1.4.15-83.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.14-82.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.15-83.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.6.1.el5-1.4.14-82.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.6.1.el5-1.4.15-83.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.6.1.el5PAE-1.4.14-82.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.6.1.el5PAE-1.4.15-83.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.14-82.sl5.i686.rpm
 kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.15-83.sl5.i686.rpm
 openafs-1.4.15-83.sl5.i386.rpm
 openafs-authlibs-1.4.15-83.sl5.i386.rpm
 openafs-authlibs-devel-1.4.15-83.sl5.i386.rpm
 openafs-client-1.4.15-83.sl5.i386.rpm
 openafs-compat-1.4.15-83.sl5.i386.rpm
 openafs-debug-1.4.15-83.sl5.i386.rpm
 openafs-devel-1.4.15-83.sl5.i386.rpm
 openafs-kernel-source-1.4.15-83.sl5.i386.rpm
 openafs-kpasswd-1.4.15-83.sl5.i386.rpm
 openafs-krb5-1.4.15-83.sl5.i386.rpm
 openafs-server-1.4.15-83.sl5.i386.rpm
 srpm
 openafs-1.4.15-83.sl5.src.rpm
SL6
 x86_64
 kmod-openafs-358-1.6.5-145.sl6.358.x86_64.rpm
 openafs-1.6.5-145.sl6.x86_64.rpm
 openafs-authlibs-1.6.5-145.sl6.x86_64.rpm
 openafs-authlibs-devel-1.6.5-145.sl6.x86_64.rpm
 openafs-client-1.6.5-145.sl6.x86_64.rpm
 openafs-compat-1.6.5-145.sl6.x86_64.rpm
 openafs-devel-1.6.5-145.sl6.x86_64.rpm
 openafs-kernel-source-1.6.5-145.sl6.x86_64.rpm
 openafs-kpasswd-1.6.5-145.sl6.x86_64.rpm
 openafs-krb5-1.6.5-145.sl6.x86_64.rpm
 openafs-module-tools-1.6.5-145.sl6.x86_64.rpm
 openafs-plumbing-tools-1.6.5-145.sl6.x86_64.rpm
 openafs-server-1.6.5-145.sl6.x86_64.rpm
 i386
 kmod-openafs-358-1.6.5-145.sl6.358.i686.rpm
 openafs-1.6.5-145.sl6.i686.rpm
 openafs-authlibs-1.6.5-145.sl6.i686.rpm
 openafs-authlibs-devel-1.6.5-145.sl6.i686.rpm
 openafs-client-1.6.5-145.sl6.i686.rpm
 openafs-compat-1.6.5-145.sl6.i686.rpm
 openafs-devel-1.6.5-145.sl6.i686.rpm
 openafs-kernel-source-1.6.5-145.sl6.i686.rpm
 openafs-kpasswd-1.6.5-145.sl6.i686.rpm
 openafs-krb5-1.6.5-145.sl6.i686.rpm
 openafs-module-tools-1.6.5-145.sl6.i686.rpm
 openafs-plumbing-tools-1.6.5-145.sl6.i686.rpm
 openafs-server-1.6.5-145.sl6.i686.rpm
 srpm
 openafs-1.6.5-145.sl6.src.rpm

- Scientific Linux Development Team