Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2012-0698 trousers: DoS vulnerability in tcsd
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Version: unspecified
CC: avagarwa, ejratl, luto, mschmidt, security-response-team, sgrubb, xjakub
Target Milestone: ---
Keywords: Reopened, Security
Fixed In Version: trousers 0.3.9
Doc Type: Bug Fix
Doc Text: A flaw was found in the way tcsd, the daemon that manages Trusted Computing resources, processed incoming TCP packets. A remote attacker could send a specially crafted TCP packet that, when processed by tcsd, could cause the daemon to crash. Note that by default tcsd accepts requests on localhost only.
Last Closed: 2016-04-07 07:21:11 EDT
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 781666, 781667, 781668, 781669, 781670
Bug Blocks: 781650, 1101912
Description Kurt Seifried 2012-01-13 20:51:51 EST
From Andy Lutomirski:

The attached Python script will segfault tcsd. This particular vulnerability is a read from an attacker-controlled address, so getting anything more severe than information disclosure out of it may be difficult. But there is a lot of fishy input validation, and it may be possible to persuade the code to write out of bounds as well. It is certainly possible to cause memory allocation failures, but I haven't seen one that's unchecked yet.

Upstream report (currently private) here: https://sourceforge.net/tracker/?func=detail&atid=704358&aid=3473554&group_id=126012
Comment 1 Kurt Seifried 2012-01-13 20:53:25 EST
*** Bug 781637 has been marked as a duplicate of this bug. ***
Comment 4 Kurt Seifried 2012-01-14 00:49:02 EST
Confirmed on Fedora 16/Lenovo laptop with trousers-0.3.6-1.fc16, tcsd crashed immediately with "Segmentation fault" (did it three times, pretty much the same each time):

Jan 13 22:31:16 kseifrie kernel: [ 405.257750] tcsd: segfault at 7f719c0008c0 ip 0000000000000f3e sp 00007f7120dd3d70 error 4 in tcsd[400000+44000]
Jan 13 22:33:47 kseifrie kernel: [ 556.162493] tcsd: segfault at 7f19240008c0 ip 0000000000000f3e sp 00007f18abfead70 error 4 in tcsd[400000+44000]
Jan 13 22:34:40 kseifrie kernel: [ 608.781464] tcsd: segfault at 7f81c40008c0 ip 0000000000000f3e sp 00007f814bef9d70 error 4 in tcsd[400000+44000]
Comment 5 Kurt Seifried 2012-01-14 00:52:54 EST
Created trousers tracking bugs for this issue Affects: fedora-all [bug 781666]
Comment 9 Tomas Hoger 2012-01-16 06:07:15 EST
(In reply to comment #3)
> This is CVE-2012-0698.

Andy, who assigned that CVE? Was it requested from Mitre or does it come from some other naming authority pool?
Comment 10 Andy Lutomirski 2012-01-16 13:19:00 EST
It was assigned by Mitre.
Comment 11 Murray McAllister 2012-01-16 22:43:28 EST
Acknowledgements: Red Hat would like to thank Andrew Lutomirski for reporting this issue.
Comment 12 Andy Lutomirski 2012-04-24 00:24:32 EDT
There's a hard-to-find, somewhat unconvincing fix upstream. It's here: http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commit;h=ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786

The upstream report is now public, at https://sourceforge.net/tracker/index.php?func=detail&aid=3473554&group_id=126012&atid=704358

Feel free to mark this issue public as well.
Comment 13 Kurt Seifried 2012-11-15 23:37:29 EST
Statement: The Red Hat Security Response Team has rated this issue as having low security impact. Trousers is only useful on systems with TPM hardware; additionally, local access is required to exploit this issue. Exploitation of this issue only results in a crash of the tcsd daemon, which can be restarted. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 14 Kurt Seifried 2012-12-08 21:29:55 EST
I have confirmed that tcsd listens to 127.0.0.1:30003 by default on Red Hat Enterprise Linux 6. I have also updated the whiteboard and CVSS2 score to reflect this.
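The loopback-only default noted in comment 14 is the mitigating factor for this bug, so an administrator will want a repeatable check that it actually holds on a given host. The script below is an added example for this report, not code from the report, from Red Hat, or from the TrouSerS project. It parses `ss -ltn` output together with tcsd.conf and flags any listener on the tcsd port that is bound to something other than a loopback address. The `port` and `remote_ops` directive names it reads from tcsd.conf are assumptions (they are not stated in the report), the port number 30003 is the default from comment 14, and the socket listing and config bodies in the block are constructed sample data.

```python
"""Audit whether tcsd is reachable beyond loopback.

Added example for this bug report; not code from the report, from Red Hat,
or from the TrouSerS project. The report's mitigation is that tcsd accepts
requests on localhost only by default (127.0.0.1:30003). This script turns
that into a check: parse `ss -ltn` output plus tcsd.conf and flag any
listener on the tcsd port bound to a non-loopback address.

Assumptions (not taken from the report): `port` and `remote_ops` are the
tcsd.conf directives that set the listening port and permit remote callers;
the `ss` output and config bodies below are constructed sample data.
"""
import ipaddress
import re
import subprocess

DEFAULT_TCSD_PORT = 30003  # default port noted in comment 14


def _config_lines(conf_text):
    """Yield non-empty tcsd.conf lines with comments stripped."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def tcsd_port(conf_text):
    """Port tcsd would bind, from a `port = N` directive (assumed) or the default."""
    for line in _config_lines(conf_text):
        m = re.match(r"port\s*=\s*(\d+)$", line)
        if m:
            return int(m.group(1))
    return DEFAULT_TCSD_PORT


def remote_ops_enabled(conf_text):
    """True when a non-empty `remote_ops = ...` directive (assumed name) is present."""
    for line in _config_lines(conf_text):
        m = re.match(r"remote_ops\s*=\s*(.*)$", line)
        if m and m.group(1).strip():
            return True
    return False


def parse_listeners(ss_output):
    """Extract (address, port) pairs from the LISTEN rows of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")          # ss prints IPv6 as [::]:port
        if addr in ("*", ""):            # wildcard bind
            addr = "0.0.0.0"
        listeners.append((addr, int(port)))
    return listeners


def exposed_tcsd_listeners(ss_output, conf_text):
    """Addresses on which the tcsd port is bound to anything but loopback."""
    port = tcsd_port(conf_text)
    return [
        addr
        for addr, p in parse_listeners(ss_output)
        if p == port and not ipaddress.ip_address(addr).is_loopback
    ]


def audit(ss_output, conf_text):
    """Summarise tcsd exposure for the given socket listing and config."""
    return {
        "port": tcsd_port(conf_text),
        "remote_ops": remote_ops_enabled(conf_text),
        "exposed": exposed_tcsd_listeners(ss_output, conf_text),
    }


def audit_live_host(conf_path="/etc/tcsd.conf"):
    """Run the audit on this machine (needs iproute2 `ss` and a readable tcsd.conf)."""
    ss_out = subprocess.run(["ss", "-ltn"], capture_output=True,
                            text=True, check=True).stdout
    with open(conf_path) as fh:
        return audit(ss_out, fh.read())


# Constructed sample data (not captured from a real host).
SAMPLE_SS_LOOPBACK = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      5      127.0.0.1:30003     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""
SAMPLE_SS_EXPOSED = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      5      0.0.0.0:30003       0.0.0.0:*
LISTEN 0      5      [::]:30003          [::]:*
"""
SAMPLE_CONF_DEFAULT = "# constructed tcsd.conf: defaults only\nport = 30003\n"
SAMPLE_CONF_REMOTE = "port = 30003\nremote_ops = create_context,close_context\n"

if __name__ == "__main__":
    for label, ss_out in (("loopback", SAMPLE_SS_LOOPBACK), ("exposed", SAMPLE_SS_EXPOSED)):
        print(label, audit(ss_out, SAMPLE_CONF_DEFAULT))
    print("remote_ops configured:", remote_ops_enabled(SAMPLE_CONF_REMOTE))
```

An empty `exposed` list together with `remote_ops` false is the state the Red Hat statement relies on; either a non-loopback bind or a populated `remote_ops` line means the "localhost only" assumption in the low-impact rating no longer describes that host, and the unpatched tcsd should be treated as reachable by whoever can reach that address.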
Comment 16 Stefan Cornelius 2013-09-17 11:31:45 EDT
Fedora ships patched versions.
Comment 17 Martin Prpič 2014-10-06 03:57:37 EDT
IssueDescription: A flaw was found in the way tcsd, the daemon that manages Trusted Computing resources, processed incoming TCP packets. A remote attacker could send a specially crafted TCP packet that, when processed by tcsd, could cause the daemon to crash. Note that by default tcsd accepts requests on localhost only.