Re: CVE Request -- librdmacm (one issue) / ibacm (two issues)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/11/2012 09:47 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> multiple issues has been found in tools enabling InfiniBand
> functionality:
>
> Issue #1 librdmacm - Tried to connect to port 6125 if ibacm.port
> was not found: 
> ===============================================================================
A security flaw was found in the way librdmacm, a userspace RDMA
Communication
> Managment API allowing to specify connections using TCP/IP
> addresses even though it opens RDMA specific connections, performed
> binding to the underlying ib_acm service (librdmacm used default
> port value of 6125 to bind to ib_acm service). An attacker able to
> run a rogue ib_acm service could use this flaw to make librdmacm
> applications to use potentially bogus address resolution
> information.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=865483 
> Upstream patch:
> http://git.openfabrics.org/git?p=~shefty/librdmacm.git;a=commitdiff;h=4b5c1aa734e0e734fc2ba3cd41d0ddf02170af6d
>
>  Credit: This issue was discovered by Florian Weimer of Red Hat
> Product Security Team.

Please use CVE-2012-4516 for this issue.

> Issue #2 ibacm - DoS (ib_acm deamon crash) by joining responses for
> multicast destinations: 
> ===========================================================================================
A denial of service flaw was found in the way ibacm, an InfiniBand
communication manager
> assistant, performed management of reference counts for multicast
> connections. The default reference count value for multicast
> connection is set to zero and when the multicast connection got
> released, an attempt was made to free it, possibly resulting in
> ib_acm service / daemon crash.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=865492 
> Relevant upstream patch:
> http://git.openfabrics.org/git?p=~shefty/ibacm.git;a=commit;h=c7d28b35d64333c262de3ec972c426423dadccf9
>
>  Issue previously corrected by upstream and its security
> implications pointed out later by Florian Weimer of Red Hat Product
> Security Team.

Please use CVE-2012-4517 for this issue.

> Issue #3 ibacm - ib_acm service files created with world writable
> permissions (DoS): 
> ====================================================================================
A security flaw was found in the way ibacm, an InfiniBand communication
manager
> assistant, created files used by ib_acm service - they were created
> with world writable permissions. A local attacker could use this
> flaw to 1) overwrite content of ib_acm daemon log file or 2)
> overwrite content of ib_acm daemon ibacm.port file (ability to mask
> certain actions or cause ib_acm to run on non-default port).
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=865499 
> Relevant upstream patch:
> http://git.openfabrics.org/git?p=~shefty/ibacm.git;a=commit;h=d204fca2b6298d7799e918141ea8e11e7ad43cec
>
>  Credit: This issue was discovered by Florian Weimer of Red Hat
> Product Security Team.

Please use CVE-2012-4518 for this issue.

> --
>
> Could you allocate CVE identifiers for these?
>
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQdv36AAoJEBYNRVNeJnmTJaIQANaqPPVCYigZ6jDEWWbr5DZe
I4k5zsP24O4d0tA8WwuPffIK9AxTqKkU8K1426/qBi98dtDyPFT6b/OL5wV8ldD/
NuLn89IwXw2zT4pmQRE+F5ftDirFdxuV6hivmDoipqrVYce+D7pzCQ/wSmmyuAhl
eIWPgtsntXeMAFJUe5IsKSdHT2UN+dEikv87e9E9u6rDPr/SJkXfkxONhG7oofVP
orMEcxJ2PZyeKK9YlKlGN2cD0hmAOh/5lHPxFTMWB9OUCEpXWIwRJN1hyn5zJ24g
VpruCUXWpp3XLUM11iAfRd9/62CPMFKk623Ez3ncbUSJDDgHSY/CJGIFPeZU2uKJ
DN4EB5DOjwTAhTjwamFcenxzqRGnuvwPKhdqmkZSyjX6Qgnwl/3sOhFt2ABzxem3
sN5pk45d/oRPYql5bbuK9F/L0tvCh+kaj5H5Tdr3M8ofWLdcYL+fyrVIOIapReU9
gPPjpX3T//Wy8HTsd0fZTQlfrdOF33JO9ZDo17Hnum0ubaTaUVy1dbxjk+6xyJ5Y
H5WGk1Cc23Wflm8ZAowe53m3gTC9uXMdGRNmXJE3cW0m1OR4AVUZyrFK04c/q5Kc
q0qHFond/61xSsoUuL/MnJvjDST6AO164RH+1ZQKFtYwnfqCH7T3mP57eIlOqxXf
NgkPXAe26BihRRPHBTmH
=jiA3
-----END PGP SIGNATURE-----