Vulnerability CVE-2009-1250


Published: 2009-04-08   Modified: 2011-01-26

Description:
The cache manager in the client in OpenAFS 1.0 through 1.4.8 and 1.5.0 through 1.5.58, and IBM AFS 3.6 before Patch 19, on Linux allows remote attackers to cause a denial of service (system crash) via an RX response with a large error-code value that is interpreted as a pointer and dereferenced, related to use of the ERR_PTR macro.
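Added illustration, not OpenAFS code: a simplified model of the Linux ERR_PTR/IS_ERR convention assumed here (MAX_ERRNO = 4095, the usual kernel value) shows why a large error code that is fed straight into ERR_PTR escapes the IS_ERR check and would be dereferenced, and how a range check on the peer-supplied code avoids that. The lookup functions, struct vcache and helper names are constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Model of the kernel convention: the top MAX_ERRNO addresses are reserved
 * for encoding negative errno values inside a pointer. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((uintptr_t)(x) >= (uintptr_t)-MAX_ERRNO)
static inline void *ERR_PTR(long err) { return (void *)(uintptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(uintptr_t)p; }
static inline bool IS_ERR(const void *p) { return IS_ERR_VALUE((uintptr_t)p); }

struct vcache { int dummy; };          /* constructed stand-in for a cache entry */
static struct vcache good_entry;

/* Constructed: a lookup that maps a peer's RX error code straight through
 * ERR_PTR. Negated errno values land in the reserved range; an arbitrary large
 * value from the wire does not, so IS_ERR() misses it and the caller would
 * treat the encoded value as a real pointer. */
static void *lookup_unchecked(long rx_code) {
    if (rx_code == 0) return &good_entry;
    return ERR_PTR(-rx_code);
}

/* Hardened variant: codes outside the representable errno range are mapped
 * to a fixed errno, so the result is always a recognisable error pointer. */
static void *lookup_checked(long rx_code) {
    if (rx_code == 0) return &good_entry;
    if (rx_code < 0 || rx_code > MAX_ERRNO)
        return ERR_PTR(-EIO);
    return ERR_PTR(-rx_code);
}

/* True when a caller following the IS_ERR convention would dereference the
 * result of lookup() for this code. */
static bool would_dereference(void *(*lookup)(long), long rx_code) {
    void *p = lookup(rx_code);
    return !IS_ERR(p);
}
```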

Type: CWE-189 (Numeric Errors)

Vendor: IBM
Product: AFS
Version: 3.6
Vendor: Openafs
Product: Openafs
Versions:
1.5.58
1.5.57
1.5.56
1.5.55
1.5.54
1.5.53
1.5.52
1.5.50
1.5.39
1.5.38
1.5.36
1.5.35
1.5.34
1.5.33
1.5.32
1.5.31
1.5.30
1.5.27
1.5.26
1.5.17
1.5.16
1.5
1.4.8_pre3
1.4.8_pre2
1.4.8_pre1
1.4.8
1.4.7_pre5
1.4.7_pre4
1.4.7_pre3
1.4.7_pre2
1.4.7_pre1
1.4.7
1.4.6
1.4.5
1.4.4
1.4.3
1.4.0
1.4
1.3.81
1.3.77
1.3.74
1.3.70
1.3.5
1.3.2
1.3.1
1.3
1.2.9
1.2.8
1.2.7
1.2.6
1.2.5
1.2.4
1.2.3
1.2.2b
1.2.2a
1.2.2
1.2.13
1.2.11
1.2.10
1.2.1
1.2
1.1.1a
1.1.1
1.1.0
1.1
1.0.4a
1.0.4
1.0.3
1.0.2
1.0.1
1.0

CVSS2 vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

References:
http://www.vupen.com/english/advisories/2011/0117
http://www.vupen.com/english/advisories/2009/0984
http://www.securityfocus.com/bid/34404
http://www.openafs.org/security/OPENAFS-SA-2009-002.txt
http://www.openafs.org/security/openafs-sa-2009-002.patch
http://www.mandriva.com/security/advisories?name=MDVSA-2009:099
http://www.debian.org/security/2009/dsa-1768
http://www-1.ibm.com/support/docview.wss?uid=swg1ID71123
http://www-01.ibm.com/support/docview.wss?uid=swg21396389
http://security.gentoo.org/glsa/glsa-201101-05.xml
http://secunia.com/advisories/42896
http://secunia.com/advisories/36310
http://secunia.com/advisories/34684
http://secunia.com/advisories/34655

Related CVE
CVE-2016-9772
OpenAFS 1.6.19 and earlier allows remote attackers to obtain sensitive directory information via vectors involving the (1) client cache partition, (2) fileserver vice partition, or (3) certain RPC responses.
CVE-2016-4536
The client in OpenAFS before 1.6.17 does not properly initialize the (1) AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4) ListAddrByAttributes structures, which might allow remote attackers to obtain sensitive memory inform...
CVE-2016-2860
The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the ...
CVE-2015-8312
Off-by-one error in afs_pioctl.c in OpenAFS before 1.6.16 might allow local users to cause a denial of service (memory overwrite and system crash) via a pioctl with an input buffer size of 4096 bytes.
CVE-2015-7762
rx/rx.c in OpenAFS before 1.6.15 and 1.7.x before 1.7.33 does not properly initialize the padding of a data structure when constructing an Rx acknowledgement (ACK) packet, which allows remote attackers to obtain sensitive information by (1) conductin...
CVE-2015-7763
rx/rx.c in OpenAFS 1.5.75 through 1.5.78, 1.6.x before 1.6.15, and 1.7.x before 1.7.33 does not properly initialize padding at the end of an Rx acknowledgement (ACK) packet, which allows remote attackers to obtain sensitive information by (1) conduct...
CVE-2015-6587
The vlserver in OpenAFS before 1.6.13 allows remote authenticated users to cause a denial of service (out-of-bounds read and crash) via a crafted regular expression in a VL_ListAttributesN2 RPC.
CVE-2015-3287
The vlserver in OpenAFS before 1.6.13 allows remote authenticated users to cause a denial of service (out-of-bounds read and crash) via a crafted regular expression in a VL_ListAttributesN2 RPC.

Copyright 2017, cxsecurity.com
