Bug 781648 (CVE-2012-0698) - CVE-2012-0698 trousers: DoS vulnerability in tcsd
Summary: CVE-2012-0698 trousers: DoS vulnerability in tcsd
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-0698
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 781637
Depends On: 781666 781667 781668 781669 781670
Blocks: 781650 1101912
Reported: 2012-01-14 01:51 UTC by Kurt Seifried
Modified: 2023-05-13 00:03 UTC

Fixed In Version: trousers 0.3.9
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way tcsd, the daemon that manages Trusted Computing resources, processed incoming TCP packets. A remote attacker could send a specially crafted TCP packet that, when processed by tcsd, could cause the daemon to crash. Note that by default tcsd accepts requests on localhost only.
Clone Of:
Environment:
Last Closed: 2016-04-07 11:21:11 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2014:1507 (status SHIPPED_LIVE, priority normal, not private): Low: trousers security, bug fix, and enhancement update; last updated 2014-10-14 01:22:32 UTC

Description Kurt Seifried 2012-01-14 01:51:51 UTC
From Andy Lutomirski

The attached Python script will segfault tcsd.

This particular vulnerability is a read from an attacker-controlled address, so
getting anything more severe than information disclosure out of it may be
difficult.  But there is a lot of fishy input validation, and it may be
possible to persuade the code to write out of bounds as well.  It is certainly
possible to cause memory allocation failures, but I haven't seen one that's
unchecked yet.

Upstream report (currently private) here:
https://sourceforge.net/tracker/?func=detail&atid=704358&aid=3473554&group_id=126012

Comment 1 Kurt Seifried 2012-01-14 01:53:25 UTC
*** Bug 781637 has been marked as a duplicate of this bug. ***

Comment 3 Andy Lutomirski 2012-01-14 03:12:11 UTC
This is CVE-2012-0698.

Comment 4 Kurt Seifried 2012-01-14 05:49:02 UTC
Confirmed on Fedora 16/Lenovo laptop with trousers-0.3.6-1.fc16, tcsd crashed
immediately with "Segmentation fault" (did it three times, pretty much the same
each time):

Jan 13 22:31:16 kseifrie kernel: [  405.257750] tcsd[2144]: segfault at 7f719c0008c0 ip 0000000000000f3e sp 00007f7120dd3d70 error 4 in tcsd[400000+44000]

Jan 13 22:33:47 kseifrie kernel: [  556.162493] tcsd[2168]: segfault at 7f19240008c0 ip 0000000000000f3e sp 00007f18abfead70 error 4 in tcsd[400000+44000]

Jan 13 22:34:40 kseifrie kernel: [  608.781464] tcsd[2195]: segfault at 7f81c40008c0 ip 0000000000000f3e sp 00007f814bef9d70 error 4 in tcsd[400000+44000]

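A defender-side parser for the kernel segfault lines quoted in the comment above, added here as an example (it is not part of the bug report or of trousers): it pulls pid, fault address, instruction pointer and the x86 page-fault error code out of each line, decodes read versus write (the "error 4" here is a user-mode read, matching the reporter's description), checks whether ip falls inside the mapping the kernel attributed the fault to, and flags repeated crashes of one daemon under distinct pids as a crash/restart loop. The sample log embeds the three lines above rejoined onto single lines plus one constructed control line; all function and class names are my own.

```python
import re
from dataclasses import dataclass
# Format of the kernel's "segfault at" report on x86 Linux, as in the lines quoted above.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# Sample input: the three tcsd reports from the comment, plus one constructed non-tcsd control line.
SAMPLE_LOG = """\
Jan 13 22:31:16 kseifrie kernel: [  405.257750] tcsd[2144]: segfault at 7f719c0008c0 ip 0000000000000f3e sp 00007f7120dd3d70 error 4 in tcsd[400000+44000]
Jan 13 22:33:47 kseifrie kernel: [  556.162493] tcsd[2168]: segfault at 7f19240008c0 ip 0000000000000f3e sp 00007f18abfead70 error 4 in tcsd[400000+44000]
Jan 13 22:34:40 kseifrie kernel: [  608.781464] tcsd[2195]: segfault at 7f81c40008c0 ip 0000000000000f3e sp 00007f814bef9d70 error 4 in tcsd[400000+44000]
Jan 13 22:35:01 kseifrie kernel: [  629.000000] someapp[3001]: segfault at 0 ip 0000000000401234 sp 00007ffc12345678 error 6 in someapp[400000+2000]
"""

@dataclass
class Segfault:
    comm: str
    pid: int
    addr: int   # faulting (data) address
    ip: int     # instruction pointer at the fault
    err: int    # x86 page-fault error code
    base: int   # start of the text mapping the kernel attributed the fault to
    size: int

    @property
    def access(self) -> str:
        # Error code bit 1 set means the faulting access was a write; tcsd's "error 4" is a read.
        return "write" if self.err & 2 else "read"

    @property
    def ip_in_mapping(self) -> bool:
        # An ip outside the reported mapping (as in the tcsd lines) deserves closer triage.
        return self.base <= self.ip < self.base + self.size

def parse_segfaults(text: str) -> list:
    """Return one Segfault per kernel segfault line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m:
            events.append(Segfault(m["comm"], int(m["pid"]), int(m["addr"], 16), int(m["ip"], 16),
                                   int(m["err"]), int(m["base"], 16), int(m["size"], 16)))
    return events

def repeated_crashes(events, comm: str, threshold: int = 2) -> list:
    """Crashes of one daemon under distinct pids: a crash/restart loop worth alerting on."""
    hits = [e for e in events if e.comm == comm]
    return hits if len({e.pid for e in hits}) >= threshold else []
```

Feeding the full kernel log (or journalctl -k output) to parse_segfaults and alerting on repeated_crashes for the TPM daemon gives a cheap host-side indicator that someone is reaching the port on 127.0.0.1 with malformed requests.
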
Comment 5 Kurt Seifried 2012-01-14 05:52:54 UTC
Created trousers tracking bugs for this issue

Affects: fedora-all [bug 781666]

Comment 9 Tomas Hoger 2012-01-16 11:07:15 UTC
(In reply to comment #3)
> This is CVE-2012-0698.

Andy, who assigned that CVE?  Was it requested from Mitre or does it come from some other naming authority pool?

Comment 10 Andy Lutomirski 2012-01-16 18:19:00 UTC
It was assigned by Mitre.

Comment 11 Murray McAllister 2012-01-17 03:43:28 UTC
Acknowledgements:

Red Hat would like to thank Andrew Lutomirski for reporting this issue.

Comment 12 Andy Lutomirski 2012-04-24 04:24:32 UTC
There's a hard-to-find, somewhat unconvincing fix upstream.  It's here:

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commit;h=ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786

The upstream report is now public, at https://sourceforge.net/tracker/index.php?func=detail&aid=3473554&group_id=126012&atid=704358

Feel free to mark this issue public as well.

Comment 13 Kurt Seifried 2012-11-16 04:37:29 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. Trousers is only useful on systems with TPM hardware; additionally, local access is required to exploit this issue. Exploitation of this issue only results in a crash of the tcsd daemon, which can be restarted. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 14 Kurt Seifried 2012-12-09 02:29:55 UTC
I have confirmed that tcsd listens to 127.0.0.1:30003 by default on Red Hat Enterprise Linux 6. I have also updated the whiteboard and CVSS2 score to reflect this.

Comment 16 Stefan Cornelius 2013-09-17 15:31:45 UTC
Fedora ships patched versions.

Comment 17 Martin Prpič 2014-10-06 07:57:37 UTC
IssueDescription:

A flaw was found in the way tcsd, the daemon that manages Trusted Computing resources, processed incoming TCP packets. A remote attacker could send a specially crafted TCP packet that, when processed by tcsd, could cause the daemon to crash. Note that by default tcsd accepts requests on localhost only.

Comment 18 errata-xmlrpc 2014-10-14 07:11:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1507 https://rhn.redhat.com/errata/RHSA-2014-1507.html

