From Andy Lutomirski The attached Python script will segfault tcsd. This particular vulnerability is a read from an attacker-controlled address, so getting anything more severe than information disclosure out of it may be difficult. But there is a lot of fishy input validation, and it may be possible to persuade the code to write out of bounds as well. It is certainly possible to cause memory allocation failures, but I haven't seen one that's unchecked yet. Upstream report (currently private) here: https://sourceforge.net/tracker/?func=detail&atid=704358&aid=3473554&group_id=126012
*** Bug 781637 has been marked as a duplicate of this bug. ***
This is CVE-2012-0698.
Confirmed on Fedora 16/Lenovo laptop with trousers-0.3.6-1.fc16, tscd crashed immediately with "Segmentation fault" (did it three times, pretty much the same each time): Jan 13 22:31:16 kseifrie kernel: [ 405.257750] tcsd[2144]: segfault at 7f719c0008c0 ip 0000000000000f3e sp 00007f7120dd3d70 error 4 in tcsd[400000+44000] Jan 13 22:33:47 kseifrie kernel: [ 556.162493] tcsd[2168]: segfault at 7f19240008c0 ip 0000000000000f3e sp 00007f18abfead70 error 4 in tcsd[400000+44000] Jan 13 22:34:40 kseifrie kernel: [ 608.781464] tcsd[2195]: segfault at 7f81c40008c0 ip 0000000000000f3e sp 00007f814bef9d70 error 4 in tcsd[400000+44000]
Created trousers tracking bugs for this issue Affects: fedora-all [bug 781666]
(In reply to comment #3) > This is CVE-2012-0698. Andy, who assigned that CVE? Was it requested from Mitre or does it come from some other naming authority pool?
It was assigned by Mitre.
Acknowledgements: Red Hat would like to thank Andrew Lutomirski for reporting this issue.
There's a hard-to-find, somewhat unconvincing fix upstream. It's here: http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commit;h=ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786 The upstream report is now public, at https://sourceforge.net/tracker/index.php?func=detail&aid=3473554&group_id=126012&atid=704358 Feel free to mark this issue public as well.
Statement: The Red Hat Security Response Team has rated this issue as having low security impact. Trousers is only useful on systems with TPM hardware, additionally local access is required to exploit of this issue. Exploitation of this issue only results in a crash of the tcsd daemon which can be restarted. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
I have confirmed that tcsd listens to 127.0.0.1:30003 by default on Red Hat Enterprise Linux 6. I have also updated the whiteboard and CVSS2 score to reflect this.
Fedora ships patched versions.
IssueDescription: A flaw was found in the way tcsd, the daemon that manages Trusted Computing resources, processed incoming TCP packets. A remote attacker could send a specially crafted TCP packet that, when processed by tcsd, could cause the daemon to crash. Note that by default tcsd accepts requests on localhost only.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1507 https://rhn.redhat.com/errata/RHSA-2014-1507.html