Bug 1051108 - (CVE-2013-7284) CVE-2013-7284 perl-PlRPC: pre-auth remote code execution
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20131114,repor...
: Security
Depends On: 1030572 1051110 1103127
Blocks: 1051112
Reported: 2014-01-09 12:28 EST by Ratul Gupta
Modified: 2014-06-10 05:35 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-10 05:35:22 EDT

Description Ratul Gupta 2014-01-09 12:28:57 EST
PlRPC is a Perl module that implements IDL-free RPCs. It is intended for cross-domain applications, but it fails to achieve that goal because it uses Storable, which is known to be insecure when deserializing (thawing) untrusted data. User name and password are transmitted using Storable, so code execution can happen before authentication.

The patches that exist just document the issues and are not real fixes.

References:
http://seclists.org/oss-sec/2014/q1/56
https://rt.cpan.org/Public/Bug/Display.html?id=90474

Commit/Patch:
http://pkgs.fedoraproject.org/cgit/perl-PlRPC.git/commit/?id=b9497b8d780a54ff5be6661c5f24d70135e0bb79
Comment 1 Ratul Gupta 2014-01-09 12:32:38 EST
Created perl-PlRPC tracking bugs for this issue:

Affects: fedora-all [bug 1051110]
Comment 2 Vincent Danen 2014-01-09 17:01:40 EST
The actual proposed patch to upstream is here:

* https://rt.cpan.org/Public/Ticket/Attachment/1293961/685696/0001-Security-notice-on-Storable-and-reply-attack.patch

Based on the discussion in bug #1030572, there is no real "fix" for this as it seems that Storable deserialization is exposed prior to password-based authentication (see how AcceptUser is called in the server code).

MITRE assigned CVE-2013-7284 to this issue.
Comment 3 Petr Pisar 2014-01-10 03:54:08 EST
(In reply to Vincent Danen from comment #2)
> The actual proposed patch to upstream is here:
> 
> * https://rt.cpan.org/Public/Ticket/Attachment/1293961/685696/0001-Security-notice-on-Storable-and-reply-attack.patch
> 
> Based on the discussion in bug #1030572, there is no real "fix" for this as
> it seems that Storable deserialization is exposed prior to password-based
> authentication (see how AcceptUser is called in the server code).
> 
> MITRE assigned CVE-2013-7284 to this issue.

Is amending the PlRPC documentation with this patch sufficient to close this bug, or should we keep this open until a real fix in the code (extension of Storable module and utilizing it in PlRPC) is available?
Comment 5 Tomas Hoger 2014-05-30 06:41:54 EDT
Here is Storable documentation that describes security risks of deserializing untrusted inputs using Storable:
http://search.cpan.org/~ams/Storable-2.45/Storable.pm#SECURITY_WARNING

The only package shipped in Red Hat Software Collections 1 and Red Hat Enterprise Linux 7 Beta is perl-DBI with DBI::Proxy / DBI::ProxyServer modules.  Those modules are not used by any other package shipped as part of those products.

There is an upstream bug requesting addition of security warnings to DBI documentation:
https://rt.cpan.org/Public/Bug/Display.html?id=90475

It does not seem there's a way to fix this without introducing an incompatible protocol change by using a different way to serialize data for network transfer.  An alternative may be to have Storable provide a safe mode to deserialize untrusted inputs.  That seems to be on the Storable upstream TODO list, but is not available in the current version.
Comment 6 Tomas Hoger 2014-05-30 06:43:19 EDT
A possible mitigation here is to use host-based access restrictions to any service using PlRPC to ensure only trusted hosts/users have access.
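
A sketch of the host-based restriction suggested in comment #6, for the DBI::ProxyServer case named in comment #5. This is an added example, not part of the original comments and not code from the PlRPC or DBI projects; the addresses, port and file path are constructed placeholders, and it assumes the `clients` mask is checked by Net::Daemon when the connection is accepted, before the Storable-encoded login message is read.

```perl
# /etc/dbiproxy.conf (placeholder path), loaded with:
#   dbiproxy --configfile /etc/dbiproxy.conf
# The file is Perl source and must evaluate to a hash reference.
{
    # Listen on one internal interface only, not on every address.
    # 10.0.0.5 and 3334 are constructed sample values.
    'localaddr' => '10.0.0.5',
    'localport' => 3334,

    # Drop privileges once the port is bound.
    'user'  => 'nobody',
    'group' => 'nobody',
    'mode'  => 'fork',

    # Host-based access control. The first matching entry wins, so the
    # specific accept rules come first and the catch-all deny comes last.
    'clients' => [
        # Weak form, kept commented out for contrast: the mask is a regular
        # expression, so an unanchored mask with unescaped dots also matches
        # longer strings than the one address it was written for.
        # { 'mask' => '10.0.0.2', 'accept' => 1 },

        # Corrected form: one anchored, escaped mask per trusted host.
        # Prefer IP addresses; the mask is also compared with the client's
        # host name, which depends on reverse DNS.
        {
            'mask'   => '^10\.0\.0\.20$',
            'accept' => 1,
        },
        {
            'mask'   => '^10\.0\.0\.21$',
            'accept' => 1,
        },

        # Explicit default deny for every other peer.
        {
            'mask'   => '.*',
            'accept' => 0,
        },
    ],
}
```

The per-client `users` lists that DBI::ProxyServer also accepts are applied during login, which this bug describes as happening after deserialization, so they do not narrow the exposure by themselves. A packet filter in front of the port enforces the same host restriction independently of the daemon.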
Comment 8 Tomas Hoger 2014-05-30 06:55:18 EDT
(In reply to Tomas Hoger from comment #5)
> The only package shipped in Red Hat Software Collections 1 and Red Hat
> Enterprise Linux 7 Beta is perl-DBI with DBI::Proxy / DBI::ProxyServer
> modules.  Those modules are not used by any other package shipped as part of
> those products.

A search through the Debian archive (using http://codesearch.debian.net/) also fails to find any user of PlRPC or DBI::Proxy*.  Reducing the impact rating based on the fact that this module does not seem to be used by any real-world application.
Comment 9 Petr Pisar 2014-05-30 07:20:32 EDT
Without PlRPC modules, DBD::Proxy* modules have to be removed. Without DBD::Proxy* modules, Bundle::DBI module, DBI's t/80proxy.t test and DBI's /usr/bin/dbiproxy tool have to be removed.
Comment 10 Stefan Cornelius 2014-06-10 05:35:22 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
