Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <1933475851.13533125.1375980941329.JavaMail.root@redhat.com>
Date: Thu, 8 Aug 2013 12:55:41 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Florian Weimer <fweimer@...hat.com>, Dan Williams <dcbw@...hat.com>
Subject: CVE Request -- Four flaws in WiMAX (afaik upstream is dead for
 this)

Hello Kurt, Steve, vendors,

  this is some kind of strange CVE request, since WiMAX upstream
seems to be dead already. Anyway, couple of security flaws were found
by Florian during security review:

* Issue #1: Log file created with insecure (world-writable) permissions
  https://bugzilla.redhat.com/show_bug.cgi?id=911122

  A security flaw was found in the way Trace module of WiMAX, an user space
  daemon for the Intel 2400m Wireless WiMAX link, used to set permissions
  when opening the log file (was created with world-readable / writable
  permissions). A local attacker could use this flaw to, in an unauthorized
  way, alter the content of WiMAX daemon log file (possibly leading to un-enforced
  actions to be performed by system administrator).

* Issue #2: (OSAL crypt module): By setting encrypted password writes unencrypted passwords to log files
  https://bugzilla.redhat.com/show_bug.cgi?id=911121

  A security flaw was found in the way OSAL crypt module of WiMAX, an user
  space daemon for the Intel 2400m Wireless WiMAX link, used to perform
  its internal encrypted password setting action (a failed attempt to set
  the encrypted password was logged into the WiMAX's log file with provided
  password logged in plaintext form). A local attacker could use this flaw
  to obtain sensitive information or conduct unauthorized actions on behalf
  of the user setting the encrypted password.

* Issue #3: Supplicant agent ships RSA private key in the package
  https://bugzilla.redhat.com/show_bug.cgi?id=911126

  A security flaw was found in the way supplicant agent of WiMAX,
  an user space daemon for the Intel 2400m Wireless WiMAX link, used to
  manage its private key (private key was shipped together with the source
  code). A local attacker could use this flaw to obtain security sensitive
  data or, to conduct actions on behalf of private key owner.

* Issue #4:  Three integer overflows, leading to heap-based buffer overflows when handling PDUs for L5 connections
  https://bugzilla.redhat.com/show_bug.cgi?id=911129

  Three cases of integer overflow, leading to heap-based buffer overflow flaw,
  were found in the way socket dispatcher and connector modules for L5
  connections of WiMAX, an user space daemon for the Intel 2400m Wireless
  WiMAX link, used to handle certain payload data units (PDUs) for L5
  connections. A remote attacker could issue a connection request with
  specially-crafted PDU value that, when processed would lead to socket
  dispatcher / connector module crash or, potentially, arbitrary code
  execution with the privileges of the user running these modules.

There are no patches for these issues yet. They were checked previously
privately with Dan Williams and the suggestion was to file public bugs
even when there are no patches available for these.

Could you allocate CVE ids for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.