Date: Thu, 08 Aug 2013 11:20:05 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Florian Weimer <fweimer@...hat.com>, Dan Williams <dcbw@...hat.com>
Subject: Re: CVE Request -- Four flaws in WiMAX (afaik upstream
 is dead for this)

On 08/08/2013 10:55 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> this is some kind of strange CVE request, since WiMAX upstream
> seems to be dead already. Anyway, a couple of security flaws were
> found by Florian during security review:

Top posting:

CVE-2013-4216 WiMAX Log file created with insecure (world-writable)
permissions

CVE-2013-4217 WiMAX (OSAL crypt module): By setting encrypted password
writes unencrypted passwords to log files

CVE-2013-4218 WiMAX Supplicant agent ships RSA private key in the package

CVE-2013-4219 WiMAX Three integer overflows, leading to heap-based
buffer overflows when handling PDUs for L5 connections

> 
> * Issue #1: Log file created with insecure (world-writable)
> permissions https://bugzilla.redhat.com/show_bug.cgi?id=911122
> 
> A security flaw was found in the way Trace module of WiMAX, a user
> space daemon for the Intel 2400m Wireless WiMAX link, used to set
> permissions when opening the log file (was created with
> world-readable / writable permissions). A local attacker could use
> this flaw to, in an unauthorized way, alter the content of WiMAX
> daemon log file (possibly leading to un-enforced actions to be
> performed by system administrator).
> 
> * Issue #2: (OSAL crypt module): By setting encrypted password
> writes unencrypted passwords to log files 
> https://bugzilla.redhat.com/show_bug.cgi?id=911121
> 
> A security flaw was found in the way OSAL crypt module of WiMAX, a
> user space daemon for the Intel 2400m Wireless WiMAX link, used to
> perform its internal encrypted password setting action (a failed
> attempt to set the encrypted password was logged into the WiMAX's
> log file with provided password logged in plaintext form). A local
> attacker could use this flaw to obtain sensitive information or
> conduct unauthorized actions on behalf of the user setting the
> encrypted password.
> 
> * Issue #3: Supplicant agent ships RSA private key in the package 
> https://bugzilla.redhat.com/show_bug.cgi?id=911126
> 
> A security flaw was found in the way supplicant agent of WiMAX, a
> user space daemon for the Intel 2400m Wireless WiMAX link, used to
> manage its private key (private key was shipped together with the
> source code). A local attacker could use this flaw to obtain
> security sensitive data or, to conduct actions on behalf of private
> key owner.
> 
> * Issue #4:  Three integer overflows, leading to heap-based buffer
> overflows when handling PDUs for L5 connections 
> https://bugzilla.redhat.com/show_bug.cgi?id=911129
> 
> Three cases of integer overflow, leading to heap-based buffer
> overflow flaw, were found in the way socket dispatcher and
> connector modules for L5 connections of WiMAX, a user space daemon
> for the Intel 2400m Wireless WiMAX link, used to handle certain
> payload data units (PDUs) for L5 connections. A remote attacker
> could issue a connection request with specially-crafted PDU value
> that, when processed would lead to socket dispatcher / connector
> module crash or, potentially, arbitrary code execution with the
> privileges of the user running these modules.
> 
> There are no patches for these issues yet. They were checked
> previously privately with Dan Williams and the suggestion was to
> file public bugs even when there are no patches available for
> these.
> 
> Could you allocate CVE ids for these?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
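
The thread gives no code for issue #4 (CVE-2013-4219), so the following is an added illustration of that bug class and its fix, not code from the WiMAX source or from anyone in this thread. The header layout, `PDU_MAX_PAYLOAD` and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical PDU header, NOT the real WiMAX L5 wire format. */
struct pdu_hdr {
    uint32_t type;
    uint32_t payload_len;   /* peer-controlled, read from the socket */
};

#define PDU_MAX_PAYLOAD (64u * 1024u)   /* assumed protocol limit */

/* Flawed pattern: the 32-bit sum wraps, so a huge payload_len yields a
 * tiny allocation size while later copies would still use payload_len. */
uint32_t pdu_total_unchecked(const struct pdu_hdr *h)
{
    return (uint32_t)sizeof(*h) + h->payload_len;
}

/* Hardened: bound the length first, then add in size_t. Returns 0 and
 * stores the allocation size, or -1 if the PDU must be dropped. */
int pdu_total_checked(const struct pdu_hdr *h, size_t *total)
{
    if (h->payload_len > PDU_MAX_PAYLOAD)
        return -1;
    *total = sizeof(*h) + (size_t)h->payload_len;
    return 0;
}

/* Copy a received PDU into a fresh heap buffer, or return NULL.
 * avail is the number of payload bytes actually received. */
unsigned char *pdu_copy(const struct pdu_hdr *h, const unsigned char *payload,
                        size_t avail, size_t *out_len)
{
    size_t total;
    if (pdu_total_checked(h, &total) != 0 || h->payload_len > avail)
        return NULL;
    unsigned char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, h, sizeof(*h));
    memcpy(buf + sizeof(*h), payload, h->payload_len);
    *out_len = total;
    return buf;
}
```
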
