Date: Thu, 08 Aug 2013 11:20:05 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Florian Weimer <fweimer@...hat.com>, Dan Williams <dcbw@...hat.com>
Subject: Re: CVE Request -- Four flaws in WiMAX (afaik upstream is dead for this)

On 08/08/2013 10:55 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> this is some kind of strange CVE request, since WiMAX upstream
> seems to be dead already. Anyway, a couple of security flaws were
> found by Florian during security review:

Top posting:

CVE-2013-4216 WiMAX Log file created with insecure (world-writable) permissions
CVE-2013-4217 WiMAX (OSAL crypt module): By setting encrypted password writes unencrypted passwords to log files
CVE-2013-4218 WiMAX Supplicant agent ships RSA private key in the package
CVE-2013-4219 WiMAX Three integer overflows, leading to heap-based buffer overflows when handling PDUs for L5 connections

>
> * Issue #1: Log file created with insecure (world-writable)
> permissions https://bugzilla.redhat.com/show_bug.cgi?id=911122
>
> A security flaw was found in the way Trace module of WiMAX, a user
> space daemon for the Intel 2400m Wireless WiMAX link, used to set
> permissions when opening the log file (was created with
> world-readable / writable permissions). A local attacker could use
> this flaw to, in an unauthorized way, alter the content of WiMAX
> daemon log file (possibly leading to un-enforced actions to be
> performed by system administrator).
>
> * Issue #2: (OSAL crypt module): By setting encrypted password
> writes unencrypted passwords to log files
> https://bugzilla.redhat.com/show_bug.cgi?id=911121
>
> A security flaw was found in the way OSAL crypt module of WiMAX, a
> user space daemon for the Intel 2400m Wireless WiMAX link, used to
> perform its internal encrypted password setting action (a failed
> attempt to set the encrypted password was logged into the WiMAX's
> log file with provided password logged in plaintext form). A local
> attacker could use this flaw to obtain sensitive information or
> conduct unauthorized actions on behalf of the user setting the
> encrypted password.
>
> * Issue #3: Supplicant agent ships RSA private key in the package
> https://bugzilla.redhat.com/show_bug.cgi?id=911126
>
> A security flaw was found in the way supplicant agent of WiMAX, a
> user space daemon for the Intel 2400m Wireless WiMAX link, used to
> manage its private key (private key was shipped together with the
> source code). A local attacker could use this flaw to obtain
> security sensitive data or, to conduct actions on behalf of private
> key owner.
>
> * Issue #4: Three integer overflows, leading to heap-based buffer
> overflows when handling PDUs for L5 connections
> https://bugzilla.redhat.com/show_bug.cgi?id=911129
>
> Three cases of integer overflow, leading to heap-based buffer
> overflow flaw, were found in the way socket dispatcher and
> connector modules for L5 connections of WiMAX, a user space daemon
> for the Intel 2400m Wireless WiMAX link, used to handle certain
> payload data units (PDUs) for L5 connections. A remote attacker
> could issue a connection request with specially-crafted PDU value
> that, when processed would lead to socket dispatcher / connector
> module crash or, potentially, arbitrary code execution with the
> privileges of the user running these modules.
>
> There are no patches for these issues yet. They were checked
> previously privately with Dan Williams and the suggestion was to
> file public bugs even when there are no patches available for
> these.
>
> Could you allocate CVE ids for these?
>
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
>

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
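
For Issue #4 in the quoted report (integer overflows when sizing heap buffers for PDUs), the following added C example, which is not code from WiMAX or from either poster, puts the wrapping 32-bit size computation next to a receive path that bounds the declared length before allocating. The 8-byte header layout, the 64 KiB payload limit and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PDU_HDR_SIZE    8u              /* assumed layout: 4-byte type + 4-byte length */
#define PDU_MAX_PAYLOAD (64u * 1024u)   /* assumed protocol limit */

/* Flawed pattern: the 32-bit sum wraps, so a huge length gives a tiny size. */
static uint32_t pdu_alloc_size_unchecked(uint32_t payload_len)
{
    return PDU_HDR_SIZE + payload_len;
}

/* Read a 32-bit little-endian field without alignment assumptions. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened path: bound the declared length by the protocol limit (so the sum
 * below cannot wrap) and by the bytes actually received, then size the buffer.
 * Returns a heap copy of the PDU (caller frees) or NULL if it is rejected. */
static uint8_t *pdu_copy_checked(const uint8_t *buf, size_t avail, size_t *out_len)
{
    if (buf == NULL || out_len == NULL || avail < PDU_HDR_SIZE)
        return NULL;
    uint32_t payload_len = rd_le32(buf + 4);
    if (payload_len > PDU_MAX_PAYLOAD || payload_len > avail - PDU_HDR_SIZE)
        return NULL;
    size_t total = (size_t)PDU_HDR_SIZE + payload_len;
    uint8_t *copy = malloc(total);
    if (copy == NULL)
        return NULL;
    memcpy(copy, buf, total);
    *out_len = total;
    return copy;
}

int main(void)
{
    /* Constructed sample: type 1, declared payload length 0xFFFFFFFC. */
    const uint8_t bad[8] = {1, 0, 0, 0, 0xFC, 0xFF, 0xFF, 0xFF};
    size_t n = 0;
    printf("unchecked size: %u\n", (unsigned)pdu_alloc_size_unchecked(rd_le32(bad + 4)));
    printf("checked copy:   %s\n", pdu_copy_checked(bad, sizeof bad, &n) ? "accepted" : "rejected");
    return 0;
}
```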