Date: Thu, 11 Oct 2012 11:12:27 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Florian Weimer <fweimer@...hat.com>,
        Doug Ledford <dledford@...hat.com>, Sean Hefty <sean.hefty@...el.com>
Subject: Re: CVE Request -- librdmacm (one issue) / ibacm (two
 issues)

On 10/11/2012 09:47 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> multiple issues have been found in tools enabling InfiniBand
> functionality:
> 
> Issue #1 librdmacm - Tried to connect to port 6125 if ibacm.port
> was not found:
> ===============================================================================
>
> A security flaw was found in the way librdmacm, a userspace RDMA
> Communication Management API allowing to specify connections using
> TCP/IP addresses even though it opens RDMA specific connections,
> performed binding to the underlying ib_acm service (librdmacm used
> default port value of 6125 to bind to ib_acm service). An attacker able
> to run a rogue ib_acm service could use this flaw to make librdmacm
> applications use potentially bogus address resolution information.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=865483
> Upstream patch:
> http://git.openfabrics.org/git?p=~shefty/librdmacm.git;a=commitdiff;h=4b5c1aa734e0e734fc2ba3cd41d0ddf02170af6d
>
> Credit: This issue was discovered by Florian Weimer of Red Hat
> Product Security Team.

Please use CVE-2012-4516 for this issue.

> Issue #2 ibacm - DoS (ib_acm daemon crash) by joining responses for
> multicast destinations:
> ===========================================================================================
>
> A denial of service flaw was found in the way ibacm, an InfiniBand
> communication manager assistant, performed management of reference
> counts for multicast connections. The default reference count value
> for multicast connection is set to zero and when the multicast
> connection got released, an attempt was made to free it, possibly
> resulting in ib_acm service / daemon crash.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=865492
> Relevant upstream patch:
> http://git.openfabrics.org/git?p=~shefty/ibacm.git;a=commit;h=c7d28b35d64333c262de3ec972c426423dadccf9
>
> Issue previously corrected by upstream and its security
> implications pointed out later by Florian Weimer of Red Hat Product
> Security Team.

Please use CVE-2012-4517 for this issue.

> Issue #3 ibacm - ib_acm service files created with world writable
> permissions (DoS):
> ====================================================================================
>
> A security flaw was found in the way ibacm, an InfiniBand
> communication manager assistant, created files used by ib_acm
> service - they were created with world writable permissions. A local
> attacker could use this flaw to 1) overwrite content of ib_acm daemon
> log file or 2) overwrite content of ib_acm daemon ibacm.port file
> (ability to mask certain actions or cause ib_acm to run on
> non-default port).
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=865499
> Relevant upstream patch:
> http://git.openfabrics.org/git?p=~shefty/ibacm.git;a=commit;h=d204fca2b6298d7799e918141ea8e11e7ad43cec
>
> Credit: This issue was discovered by Florian Weimer of Red Hat
> Product Security Team.

Please use CVE-2012-4518 for this issue.

> --
> 
> Could you allocate CVE identifiers for these?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

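
A client-side check related to Issue #3, as an added example that is not part of the original thread or of the upstream patches: before using a port read from a file such as ibacm.port, confirm the file is a regular file, owned by the expected service account, and not group- or world-writable. The function name read_trusted_port(), the trust policy, and the assumption that the file holds a single decimal port number are illustrative only.

```c
/* Added example (not upstream code): validate a port file before trusting it.
 * read_trusted_port() and the one-decimal-number file format are assumptions. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 and stores the port on success; -1 if the file is untrusted
 * or malformed. `owner` is the uid the service is expected to run as. */
int read_trusted_port(const char *path, uid_t owner, int *port)
{
    struct stat st;
    char buf[16];
    char *end;
    ssize_t n;
    long val;

    /* O_NOFOLLOW: refuse a symlink planted in place of the file. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    /* fstat() the open descriptor so the checks and the read cover the
     * same inode; reject wrong owner or any group/world write bit. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }

    n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';

    /* Accept only a bare decimal port, optionally newline-terminated. */
    val = strtol(buf, &end, 10);
    if (end == buf || (*end != '\0' && *end != '\n') || val < 1 || val > 65535)
        return -1;

    *port = (int)val;
    return 0;
}
```

A file with mode 0666 is rejected even when its contents look valid; the same file with mode 0644 and the expected owner is accepted.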
