Bug 781648 (CVE-2012-0698)

Summary: CVE-2012-0698 trousers: DoS vulnerability in tcsd
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: avagarwa, ejratl, luto, mschmidt, security-response-team, sgrubb, xjakub
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20120113,reported=20120113,source=upstream,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P,fedora-all/trousers=affected,rhel-5/trousers=wontfix,rhel-6/trousers=affected
Fixed In Version: trousers 0.3.9
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way tcsd, the daemon that manages Trusted Computing resources, processed incoming TCP packets. A remote attacker could send a specially crafted TCP packet that, when processed by tcsd, could cause the daemon to crash. Note that by default tcsd accepts requests on localhost only.
Story Points: ---
Last Closed: 2016-04-07 07:21:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 781666, 781667, 781668, 781669, 781670
Bug Blocks: 781650, 1101912

Description Kurt Seifried 2012-01-13 20:51:51 EST
From Andy Lutomirski

The attached Python script will segfault tcsd.

This particular vulnerability is a read from an attacker-controlled address, so
getting anything more severe than information disclosure out of it may be
difficult.  But there is a lot of fishy input validation, and it may be
possible to persuade the code to write out of bounds as well.  It is certainly
possible to cause memory allocation failures, but I haven't seen one that's
unchecked yet.

Upstream report (currently private) here:
https://sourceforge.net/tracker/?func=detail&atid=704358&aid=3473554&group_id=126012
Comment 1 Kurt Seifried 2012-01-13 20:53:25 EST
*** Bug 781637 has been marked as a duplicate of this bug. ***
Comment 3 Andy Lutomirski 2012-01-13 22:12:11 EST
This is CVE-2012-0698.
Comment 4 Kurt Seifried 2012-01-14 00:49:02 EST
Confirmed on Fedora 16/Lenovo laptop with trousers-0.3.6-1.fc16, tcsd crashed
immediately with "Segmentation fault" (did it three times, pretty much the same
each time):

Jan 13 22:31:16 kseifrie kernel: [  405.257750] tcsd[2144]: segfault at 7f719c0008c0 ip 0000000000000f3e sp 00007f7120dd3d70 error 4 in tcsd[400000+44000]

Jan 13 22:33:47 kseifrie kernel: [  556.162493] tcsd[2168]: segfault at 7f19240008c0 ip 0000000000000f3e sp 00007f18abfead70 error 4 in tcsd[400000+44000]

Jan 13 22:34:40 kseifrie kernel: [  608.781464] tcsd[2195]: segfault at 7f81c40008c0 ip 0000000000000f3e sp 00007f814bef9d70 error 4 in tcsd[400000+44000]
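Added example, not part of the bug report: a small triage script for the kernel segfault lines quoted in comment 4. It pulls the crashing tcsd pid, the faulting address and the page-fault error code out of dmesg/journal text, and decodes the error code the way the x86 fault handler defines it (bit 0: protection violation vs. not-present page, bit 1: write vs. read, bit 2: user vs. kernel mode). The sample log is constructed from the three lines above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report): triage tcsd segfault lines.
# SAMPLE_LOG is constructed from the three kernel lines quoted in comment 4.
SAMPLE_LOG='Jan 13 22:31:16 kseifrie kernel: [  405.257750] tcsd[2144]: segfault at 7f719c0008c0 ip 0000000000000f3e sp 00007f7120dd3d70 error 4 in tcsd[400000+44000]
Jan 13 22:33:47 kseifrie kernel: [  556.162493] tcsd[2168]: segfault at 7f19240008c0 ip 0000000000000f3e sp 00007f18abfead70 error 4 in tcsd[400000+44000]
Jan 13 22:34:40 kseifrie kernel: [  608.781464] tcsd[2195]: segfault at 7f81c40008c0 ip 0000000000000f3e sp 00007f814bef9d70 error 4 in tcsd[400000+44000]'

# decode_pf_error CODE: describe the x86 page-fault error code printed in the
# kernel's "segfault ... error N" message.
#   bit 0: 1 = protection violation, 0 = page not present
#   bit 1: 1 = write access,         0 = read access
#   bit 2: 1 = user mode,            0 = kernel mode
# "error 4" (as in comment 4) is therefore a user-mode read of an unmapped
# page, consistent with the reporter's "read from an attacker-controlled address".
decode_pf_error() {
    code=$1
    if [ $(( code & 4 )) -ne 0 ]; then mode=user-mode; else mode=kernel-mode; fi
    if [ $(( code & 2 )) -ne 0 ]; then op=write; else op=read; fi
    if [ $(( code & 1 )) -ne 0 ]; then page=protected; else page=unmapped; fi
    echo "$mode $op of $page page"
}

# tcsd_segfaults LOGTEXT: print "pid fault_address error_code" for every
# tcsd crash in the text; lines from other processes are ignored. The pid is
# taken from the "tcsd[NNNN]:" token that directly precedes "segfault", not
# from the trailing "in tcsd[base+size]" mapping.
tcsd_segfaults() {
    printf '%s\n' "$1" | awk '
        /tcsd\[[0-9]+\]: segfault at / {
            pid = ""; addr = ""; err = ""
            for (i = 1; i < NF; i++) {
                if ($i ~ /^tcsd\[[0-9]+\]:$/ && $(i+1) == "segfault") {
                    pid = $i; gsub(/[^0-9]/, "", pid)
                }
                if ($i == "at")    addr = $(i+1)
                if ($i == "error") err  = $(i+1)
            }
            if (pid != "") print pid, addr, err
        }'
}

# count_tcsd_segfaults LOGTEXT: number of distinct tcsd pids that crashed,
# i.e. how many times the daemon died (and was restarted) during the window.
count_tcsd_segfaults() {
    tcsd_segfaults "$1" | awk '!seen[$1]++ { n++ } END { print n + 0 }'
}

# Usage on a live host (not run here): journalctl -k | { read_all; } or
#   count_tcsd_segfaults "$(dmesg)"
#   tcsd_segfaults "$(dmesg)" | while read pid addr err; do
#       echo "tcsd[$pid] faulted at $addr: $(decode_pf_error "$err")"
#   done
```

Three distinct pids with the same `ip` and the same `error 4` is the signature of a reproducible crash in the same code path rather than a one-off; the decoded error code tells you it was a read fault in user mode, which matches the reporter's assessment of an attacker-controlled read rather than a write.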
Comment 5 Kurt Seifried 2012-01-14 00:52:54 EST
Created trousers tracking bugs for this issue

Affects: fedora-all [bug 781666]
Comment 9 Tomas Hoger 2012-01-16 06:07:15 EST
(In reply to comment #3)
> This is CVE-2012-0698.

Andy, who assigned that CVE?  Was it requested from Mitre or does it come from some other naming authority pool?
Comment 10 Andy Lutomirski 2012-01-16 13:19:00 EST
It was assigned by Mitre.
Comment 11 Murray McAllister 2012-01-16 22:43:28 EST
Acknowledgements:

Red Hat would like to thank Andrew Lutomirski for reporting this issue.
Comment 12 Andy Lutomirski 2012-04-24 00:24:32 EDT
There's a hard-to-find, somewhat unconvincing fix upstream.  It's here:

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commit;h=ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786

The upstream report is now public, at https://sourceforge.net/tracker/index.php?func=detail&aid=3473554&group_id=126012&atid=704358

Feel free to mark this issue public as well.
Comment 13 Kurt Seifried 2012-11-15 23:37:29 EST
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. Trousers is only useful on systems with TPM hardware; additionally, local access is required to exploit this issue. Exploitation of this issue only results in a crash of the tcsd daemon, which can be restarted. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 14 Kurt Seifried 2012-12-08 21:29:55 EST
I have confirmed that tcsd listens to 127.0.0.1:30003 by default on Red Hat Enterprise Linux 6. I have also updated the whiteboard and CVSS2 score to reflect this.
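Added example, not part of the bug report or of the trousers project: a check for the condition the "local access is required" rating rests on. The assumption, stated in the code, is that tcsd stays on 127.0.0.1 only while `remote_ops` in tcsd.conf is unset, and listens on all interfaces once any remote operation is allowed; the `port` option defaults to 30003. The two configuration files are constructed inline, and the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or trousers): is tcsd exposed beyond
# loopback? Assumes tcsd binds 127.0.0.1 only when tcsd.conf sets no
# remote_ops, and 0.0.0.0 as soon as remote_ops is non-empty; the port
# defaults to 30003 (tcsd.conf "port" option).

# tcsd_conf_get FILE KEY: value of "KEY = value" in a tcsd.conf-style file,
# ignoring '#' comment lines; prints nothing if the key is absent.
tcsd_conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# tcsd_listen_port FILE: configured TCP port, or the default 30003.
tcsd_listen_port() {
    p=$(tcsd_conf_get "$1" port)
    echo "${p:-30003}"
}

# tcsd_exposure FILE: "local" when no remote_ops are configured (the state
# comment 14 confirmed on RHEL 6), otherwise "remote:<op list>", meaning a
# crafted packet from another host can reach the daemon.
tcsd_exposure() {
    ops=$(tcsd_conf_get "$1" remote_ops)
    if [ -z "$ops" ]; then
        echo local
    else
        echo "remote:$ops"
    fi
}

# tcsd_bound_addrs PORT: what the running daemon actually bound, from ss(8);
# empty when tcsd is not running or ss is unavailable. Anything other than
# 127.0.0.1:PORT or [::1]:PORT means the config-based answer was optimistic.
tcsd_bound_addrs() {
    ss -ltn 2>/dev/null | awk -v port="$1" '$4 ~ (":" port "$") { print $4 }'
}

# Constructed sample configs: a stock-looking one and one that opens two ops.
DEFAULT_CONF=$(mktemp)
cat > "$DEFAULT_CONF" <<'EOF'
# stock tcsd.conf: remote_ops left commented out
port = 30003
# remote_ops = seal,unseal
system_ps_file = /var/lib/tpm/system.data
EOF

EXPOSED_CONF=$(mktemp)
cat > "$EXPOSED_CONF" <<'EOF'
port = 30003
remote_ops = seal,unseal
EOF
trap 'rm -f "$DEFAULT_CONF" "$EXPOSED_CONF"' EXIT

# Usage on a live host: tcsd_exposure /etc/tcsd.conf;
#   tcsd_bound_addrs "$(tcsd_listen_port /etc/tcsd.conf)"
```

Run both halves: the config tells you what the daemon should do, `ss` tells you what it did. A host that reports `remote:` anything, or that shows `0.0.0.0:30003` in the bound list, no longer fits the AV:L assumption in the whiteboard and should be treated as network-reachable for this crash.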
Comment 16 Stefan Cornelius 2013-09-17 11:31:45 EDT
Fedora ships patched versions.
Comment 17 Martin Prpic 2014-10-06 03:57:37 EDT
IssueDescription:

A flaw was found in the way tcsd, the daemon that manages Trusted Computing resources, processed incoming TCP packets. A remote attacker could send a specially crafted TCP packet that, when processed by tcsd, could cause the daemon to crash. Note that by default tcsd accepts requests on localhost only.
Comment 18 errata-xmlrpc 2014-10-14 03:11:22 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1507 https://rhn.redhat.com/errata/RHSA-2014-1507.html