Date: Thu, 04 Apr 2013 11:01:13 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Vincent Danen <vdanen@...hat.com> Subject: Re: CVE request: rpc-gssd is vulnerable to DNS spoofing -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/03/2013 04:43 PM, Vincent Danen wrote: > This has been discussed on the linux-nfs mailing list, so fully > public. Just cutting and pasting from our bugzilla: > > It was reported , that rpc.gssd in nfs-utils is vulnerable to > DNS spoofing due to it depending on PTR resolution for GSSAPI > authentication. Because of this, if a user where able to poison > DNS to a victim's computer, they would be able to trick rpc.gssd > into talking to another server (perhaps with less security) than > the intended server (with stricter security). If the victim has > write access to the second (less secure) server, and the attacker > has read access (when they normally might not on the secure > server), the victim could write files to that server, which the > attacker could obtain (when normally they would not be able to). > To the victim this is transparent because the victim's computer > asks the KDC for a ticket to the second server due to reverse DNS > resolution; in this case Krb5 authentication does not fail because > the victim is talking to the "correct" server. > > A patch that prevents this issue has been posted . > > To workaround this issue, set the IP/host pair in /etc/hosts so > that it cannot be spoofed. > > A good explanation is also available here . > >  http://marc.info/?l=linux-nfs&m=136491998607561&w=2  > http://marc.info/?l=linux-nfs&m=136500502805121&w=2  > http://marc.info/?l=linux-nfs&m=136493115612397&w=2  > http://ssimo.org/blog/id_015.html > > > https://bugzilla.redhat.com/show_bug.cgi?id=948072 > > > Since this is fairly new, I don't think a CVE would have been > requested already. Could one be assigned to this? Please use CVE-2013-1923 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRXbHZAAoJEBYNRVNeJnmTFYEP/1KxHQ6plRr16LsGL2iFEz8L Ku/gGd20IE1tWfoRiLObEsrK3ab8GcTztgQEK3i2YCmQxjF+rPDA4M7a2BH7XSDK tJqH6Ia4PKEXEl+kJsNQaDAkZjvWjOkkzpSNvVc/IQy6NkjcFMXtDh+ySRoRgDhS lo2KMxw0q6KMPNc9fumfKbejhGR5QRm4RwycfmhyE0t7JcoomjgR78bTwRIR1gL4 8PxA0E3P/7b5gfEq0eid8AN9GpiiDab7LmWVnTMPsirsKEiq6CEu6p7WICT7CsCH Xfz3ao24XO6LDmIJOnR7ecjafQcrdYFJDJM67Nh+TCxjjLrYVYrPIKptjJl7DPsq ou/FXfeHNR3BNiSg36NZZ0UnMP59tt3q2Fu6qsDR/QWDNxd1T/2CDs8W7ENVQzZS oRdTUWNOM/3MJvUywi6okmLMMQMySbNsa/V7xOlluc7TYr8QbzckTpdcFKQQVmmU gxFg6OrtUAfdaKftXDINlYsonVSPdJ46gCStYQ8D5DW/8Ug/HkSdbM85UOcUU8Ow 9+kAsNxeUBaykPoMQtJNtp6rd7pivhgb1T6TjGNlnY4EQ9j6iM/RhLFTKIApaDA8 scLftJs8PnCjufDEx3eE8/KtcWL75idfc0ImYgyPKHOzJFKBIxWHlPSutLP3z16r vW9pyE03/Ju4HSPCYiiL =r3i1 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ