Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 08 Aug 2013 11:20:05 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Florian Weimer <fweimer@...hat.com>, Dan Williams <dcbw@...hat.com>
Subject: Re: CVE Request -- Four flaws in WiMAX (afaik upstream
 is dead for this)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/08/2013 10:55 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> this is some kind of strange CVE request, since WiMAX upstream 
> seems to be dead already. Anyway, couple of security flaws were
> found by Florian during security review:

Top posting:

CVE-2013-4216 WiMAX Log file created with insecure (world-writable)
permissions

CVE-2013-4217 WiMAX (OSAL crypt module): By setting encrypted password
writes unencrypted passwords to log files

CVE-2013-4218 WiMAX Supplicant agent ships RSA private key in the package

CVE-2013-4219 WiMAX Three integer overflows, leading to heap-based
buffer overflows when handling PDUs for L5 connections

> 
> * Issue #1: Log file created with insecure (world-writable)
> permissions https://bugzilla.redhat.com/show_bug.cgi?id=911122
> 
> A security flaw was found in the way Trace module of WiMAX, an user
> space daemon for the Intel 2400m Wireless WiMAX link, used to set
> permissions when opening the log file (was created with
> world-readable / writable permissions). A local attacker could use
> this flaw to, in an unauthorized way, alter the content of WiMAX
> daemon log file (possibly leading to un-enforced actions to be
> performed by system administrator).
> 
> * Issue #2: (OSAL crypt module): By setting encrypted password
> writes unencrypted passwords to log files 
> https://bugzilla.redhat.com/show_bug.cgi?id=911121
> 
> A security flaw was found in the way OSAL crypt module of WiMAX, an
> user space daemon for the Intel 2400m Wireless WiMAX link, used to
> perform its internal encrypted password setting action (a failed
> attempt to set the encrypted password was logged into the WiMAX's
> log file with provided password logged in plaintext form). A local
> attacker could use this flaw to obtain sensitive information or
> conduct unauthorized actions on behalf of the user setting the
> encrypted password.
> 
> * Issue #3: Supplicant agent ships RSA private key in the package 
> https://bugzilla.redhat.com/show_bug.cgi?id=911126
> 
> A security flaw was found in the way supplicant agent of WiMAX, an
> user space daemon for the Intel 2400m Wireless WiMAX link, used to 
> manage its private key (private key was shipped together with the
> source code). A local attacker could use this flaw to obtain
> security sensitive data or, to conduct actions on behalf of private
> key owner.
> 
> * Issue #4:  Three integer overflows, leading to heap-based buffer
> overflows when handling PDUs for L5 connections 
> https://bugzilla.redhat.com/show_bug.cgi?id=911129
> 
> Three cases of integer overflow, leading to heap-based buffer
> overflow flaw, were found in the way socket dispatcher and
> connector modules for L5 connections of WiMAX, an user space daemon
> for the Intel 2400m Wireless WiMAX link, used to handle certain
> payload data units (PDUs) for L5 connections. A remote attacker
> could issue a connection request with specially-crafted PDU value
> that, when processed would lead to socket dispatcher / connector
> module crash or, potentially, arbitrary code execution with the
> privileges of the user running these modules.
> 
> There are no patches for these issues yet. They were checked
> previously privately with Dan Williams and the suggestion was to
> file public bugs even when there are no patches available for
> these.
> 
> Could you allocate CVE ids for these?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJSA9NFAAoJEBYNRVNeJnmTfbIP/0luLUyJmNS5Sva5fqf3O0mr
TtATSCnm8xS1apW6CdeLZTatX/3XzOpHZGwtf6anHhAao7iNH23iLmS0+WbuEprq
O4M8DjNbPB+YYCyod34OwsymtB0hr2CNgHIn9BSjI9Tfn6/E5NcNtQatVCbchmGg
GHC2MvUygo+wudOx/Tyl4mvmlAa/UAW4u1bk1G/szREXUq8UfAvyJyhdb98jAPhA
4+ZYojL7PHv8fI16KLo4W9UGNVd7xhpnYMc9ksX4LZosEhNZf0h/jkESkn0hxiVa
dAIMjJrE0t7VHgFy9hAKbLt4oYXrOrjQ/dp9npQ7SZDABXkVyJMz4iEEwb4nwQeQ
npWqXaaG9wQpHHDy/LWt32Ghw33l0W4uxBmSQEGcmAQL/o2xkx+pf6mMtazTPOmG
5S3Uw0rVRpMIavhSqgFeo0HBwSCtadR1aBuroze4OoGmCE7PjEtXwHSjo382fCi8
hgCBiA2XT0gZA1hxG7aJ5geEpl3A4/vipWYJqXPfNph8CbFGMk5ek0BoRowqsYFQ
j/I83zm5lTFc2XLytjKhr6mbOB5z09OvBaJ/9K47CH4vEDqrdmRb7W8wbYCfVFgI
Dnv1lMuBvbQG4ppz47xYJF2xMDdmgr7rIOqNk2HD+ZmLUlnfqhlJYinGjjjVQPhG
Qs5ZMAeNxr7Cu9Kd2pxL
=7nB1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.