SB2015110604 - Information disclosure in OpenAFS

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2015-7763)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

rx/rx.c in OpenAFS 1.5.75 through 1.5.78, 1.6.x before 1.6.15, and 1.7.x before 1.7.33 does not properly initialize padding at the end of an Rx acknowledgement (ACK) packet, which allows remote attackers to obtain sensitive information by (1) conducting a replay attack or (2) sniffing the network.

Remediation

Install update from vendor's website.

References

• http://www.debian.org/security/2015/dsa-3387
• http://www.securitytracker.com/id/1034039
• https://lists.openafs.org/pipermail/openafs-announce/2015/000493.html
• https://www.openafs.org/dl/openafs/1.6.15/RELNOTES-1.6.15
• https://www.openafs.org/pages/security/OPENAFS-SA-2015-007.txt