oss-sec mailing list archives
Re: CVE Request -- librdmacm (one issue) / ibacm (two issues)
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 11 Oct 2012 11:12:27 -0600
On 10/11/2012 09:47 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

multiple issues have been found in tools enabling InfiniBand functionality:

Issue #1 librdmacm - Tried to connect to port 6125 if ibacm.port was not found:
===============================================================================
A security flaw was found in the way librdmacm, a userspace RDMA Communication Management API allowing to specify connections using TCP/IP addresses even though it opens RDMA specific connections, performed binding to the underlying ib_acm service (librdmacm used default port value of 6125 to bind to ib_acm service). An attacker able to run a rogue ib_acm service could use this flaw to make librdmacm applications use potentially bogus address resolution information.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=865483

Upstream patch:
http://git.openfabrics.org/git?p=~shefty/librdmacm.git;a=commitdiff;h=4b5c1aa734e0e734fc2ba3cd41d0ddf02170af6d

Credit: This issue was discovered by Florian Weimer of Red Hat Product Security Team.

Please use CVE-2012-4516 for this issue.

Issue #2 ibacm - DoS (ib_acm daemon crash) by joining responses for multicast destinations:
===========================================================================================
A denial of service flaw was found in the way ibacm, an InfiniBand communication manager assistant, performed management of reference counts for multicast connections. The default reference count value for multicast connection is set to zero and when the multicast connection got released, an attempt was made to free it, possibly resulting in ib_acm service / daemon crash.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=865492

Relevant upstream patch:
http://git.openfabrics.org/git?p=~shefty/ibacm.git;a=commit;h=c7d28b35d64333c262de3ec972c426423dadccf9

Issue previously corrected by upstream and its security implications pointed out later by Florian Weimer of Red Hat Product Security Team.

Please use CVE-2012-4517 for this issue.

Issue #3 ibacm - ib_acm service files created with world writable permissions (DoS):
====================================================================================
A security flaw was found in the way ibacm, an InfiniBand communication manager assistant, created files used by ib_acm service - they were created with world writable permissions. A local attacker could use this flaw to 1) overwrite content of ib_acm daemon log file or 2) overwrite content of ib_acm daemon ibacm.port file (ability to mask certain actions or cause ib_acm to run on non-default port).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=865499

Relevant upstream patch:
http://git.openfabrics.org/git?p=~shefty/ibacm.git;a=commit;h=d204fca2b6298d7799e918141ea8e11e7ad43cec

Credit: This issue was discovered by Florian Weimer of Red Hat Product Security Team.

Please use CVE-2012-4518 for this issue.

--
Could you allocate CVE identifiers for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993