Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- librdmacm (one issue) / ibacm (two issues)
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 11 Oct 2012 11:12:27 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/11/2012 09:47 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

multiple issues has been found in tools enabling InfiniBand
functionality:

Issue #1 librdmacm - Tried to connect to port 6125 if ibacm.port
was not found: 
===============================================================================


A security flaw was found in the way librdmacm, a userspace RDMA
Communication
Managment API allowing to specify connections using TCP/IP
addresses even though it opens RDMA specific connections, performed
binding to the underlying ib_acm service (librdmacm used default
port value of 6125 to bind to ib_acm service). An attacker able to
run a rogue ib_acm service could use this flaw to make librdmacm
applications to use potentially bogus address resolution
information.

References: https://bugzilla.redhat.com/show_bug.cgi?id=865483 
Upstream patch:
http://git.openfabrics.org/git?p=~shefty/librdmacm.git;a=commitdiff;h=4b5c1aa734e0e734fc2ba3cd41d0ddf02170af6d

 Credit: This issue was discovered by Florian Weimer of Red Hat
Product Security Team.

Please use CVE-2012-4516 for this issue.

Issue #2 ibacm - DoS (ib_acm deamon crash) by joining responses for
multicast destinations: 
===========================================================================================


A denial of service flaw was found in the way ibacm, an InfiniBand
communication manager
assistant, performed management of reference counts for multicast
connections. The default reference count value for multicast
connection is set to zero and when the multicast connection got
released, an attempt was made to free it, possibly resulting in
ib_acm service / daemon crash.

References: https://bugzilla.redhat.com/show_bug.cgi?id=865492 
Relevant upstream patch:
http://git.openfabrics.org/git?p=~shefty/ibacm.git;a=commit;h=c7d28b35d64333c262de3ec972c426423dadccf9

 Issue previously corrected by upstream and its security
implications pointed out later by Florian Weimer of Red Hat Product
Security Team.

Please use CVE-2012-4517 for this issue.

Issue #3 ibacm - ib_acm service files created with world writable
permissions (DoS): 
====================================================================================


A security flaw was found in the way ibacm, an InfiniBand communication
manager
assistant, created files used by ib_acm service - they were created
with world writable permissions. A local attacker could use this
flaw to 1) overwrite content of ib_acm daemon log file or 2)
overwrite content of ib_acm daemon ibacm.port file (ability to mask
certain actions or cause ib_acm to run on non-default port).

References: https://bugzilla.redhat.com/show_bug.cgi?id=865499 
Relevant upstream patch:
http://git.openfabrics.org/git?p=~shefty/ibacm.git;a=commit;h=d204fca2b6298d7799e918141ea8e11e7ad43cec

 Credit: This issue was discovered by Florian Weimer of Red Hat
Product Security Team.

Please use CVE-2012-4518 for this issue.

--

Could you allocate CVE identifiers for these?

Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQdv36AAoJEBYNRVNeJnmTJaIQANaqPPVCYigZ6jDEWWbr5DZe
I4k5zsP24O4d0tA8WwuPffIK9AxTqKkU8K1426/qBi98dtDyPFT6b/OL5wV8ldD/
NuLn89IwXw2zT4pmQRE+F5ftDirFdxuV6hivmDoipqrVYce+D7pzCQ/wSmmyuAhl
eIWPgtsntXeMAFJUe5IsKSdHT2UN+dEikv87e9E9u6rDPr/SJkXfkxONhG7oofVP
orMEcxJ2PZyeKK9YlKlGN2cD0hmAOh/5lHPxFTMWB9OUCEpXWIwRJN1hyn5zJ24g
VpruCUXWpp3XLUM11iAfRd9/62CPMFKk623Ez3ncbUSJDDgHSY/CJGIFPeZU2uKJ
DN4EB5DOjwTAhTjwamFcenxzqRGnuvwPKhdqmkZSyjX6Qgnwl/3sOhFt2ABzxem3
sN5pk45d/oRPYql5bbuK9F/L0tvCh+kaj5H5Tdr3M8ofWLdcYL+fyrVIOIapReU9
gPPjpX3T//Wy8HTsd0fZTQlfrdOF33JO9ZDo17Hnum0ubaTaUVy1dbxjk+6xyJ5Y
H5WGk1Cc23Wflm8ZAowe53m3gTC9uXMdGRNmXJE3cW0m1OR4AVUZyrFK04c/q5Kc
q0qHFond/61xSsoUuL/MnJvjDST6AO164RH+1ZQKFtYwnfqCH7T3mP57eIlOqxXf
NgkPXAe26BihRRPHBTmH
=jiA3
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]