Synopsis: Critical: openafs on SL5.x, SL6.x i386/x86_64 Issue date: 2013-07-24 CVE Numbers: CVE-2013-4134 CVE-2013-4135 -- OpenAFS uses Kerberos tickets to secure network traffic. For historical reasons, it has only supported the DES encryption algorithm to encrypt these tickets. The weakness of DES's 56 bit key space has long been known, however it has recently become possible to use that weakness to cheaply (around $100) and rapidly (approximately 23 hours) compromise a service's long term key. An attacker must first obtain a ticket for the cell. They may then use a brute force attack to compromise the cell's private service key. Once an attacker has gained access to the service key, they can use this to impersonate any user within the cell, including the super user, giving them access to all administrative capabilities as well as all user data. Recovering the service key from a DES encrypted ticket is an issue for any Kerberos service still using DES (and especially so for realms which still have DES keys on their ticket granting ticket). (CVE-2013-4134) The -encrypt option to the 'vos' volume management command should cause it to encrypt all data between client and server. However, in versions of OpenAFS later than 1.6.0, it has no effect, and data is transmitted with integrity protection only. In all versions of OpenAFS, vos -encrypt has no effect when combined with the -localauth option. (CVE-2013-4135) -- SL5 x86_64 kernel-module-openafs-2.6.18-308.20.1.el5-1.4.15-83.sl5.x86_64.rpm kernel-module-openafs-2.6.18-308.20.1.el5xen-1.4.15-83.sl5.x86_64.rpm kernel-module-openafs-2.6.18-348.12.1.el5-1.4.14-82.sl5.x86_64.rpm kernel-module-openafs-2.6.18-348.12.1.el5-1.4.15-83.sl5.x86_64.rpm kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.14-82.sl5.x86_64.rpm kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.15-83.sl5.x86_64.rpm kernel-module-openafs-2.6.18-348.6.1.el5-1.4.14-82.sl5.x86_64.rpm kernel-module-openafs-2.6.18-348.6.1.el5-1.4.15-83.sl5.x86_64.rpm kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.14-82.sl5.x86_64.rpm kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.15-83.sl5.x86_64.rpm openafs-1.4.15-83.sl5.x86_64.rpm openafs-authlibs-1.4.15-83.sl5.x86_64.rpm openafs-authlibs-devel-1.4.15-83.sl5.x86_64.rpm openafs-client-1.4.15-83.sl5.x86_64.rpm openafs-compat-1.4.15-83.sl5.x86_64.rpm openafs-debug-1.4.15-83.sl5.x86_64.rpm openafs-devel-1.4.15-83.sl5.x86_64.rpm openafs-kernel-source-1.4.15-83.sl5.x86_64.rpm openafs-kpasswd-1.4.15-83.sl5.x86_64.rpm openafs-krb5-1.4.15-83.sl5.x86_64.rpm openafs-server-1.4.15-83.sl5.x86_64.rpm i386 kernel-module-openafs-2.6.18-308.20.1.el5-1.4.15-83.sl5.i686.rpm kernel-module-openafs-2.6.18-308.20.1.el5PAE-1.4.15-83.sl5.i686.rpm kernel-module-openafs-2.6.18-308.20.1.el5xen-1.4.15-83.sl5.i686.rpm kernel-module-openafs-2.6.18-348.12.1.el5-1.4.14-82.sl5.i686.rpm kernel-module-openafs-2.6.18-348.12.1.el5-1.4.15-83.sl5.i686.rpm kernel-module-openafs-2.6.18-348.12.1.el5PAE-1.4.14-82.sl5.i686.rpm kernel-module-openafs-2.6.18-348.12.1.el5PAE-1.4.15-83.sl5.i686.rpm kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.14-82.sl5.i686.rpm kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.15-83.sl5.i686.rpm kernel-module-openafs-2.6.18-348.6.1.el5-1.4.14-82.sl5.i686.rpm kernel-module-openafs-2.6.18-348.6.1.el5-1.4.15-83.sl5.i686.rpm kernel-module-openafs-2.6.18-348.6.1.el5PAE-1.4.14-82.sl5.i686.rpm kernel-module-openafs-2.6.18-348.6.1.el5PAE-1.4.15-83.sl5.i686.rpm kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.14-82.sl5.i686.rpm kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.15-83.sl5.i686.rpm openafs-1.4.15-83.sl5.i386.rpm openafs-authlibs-1.4.15-83.sl5.i386.rpm openafs-authlibs-devel-1.4.15-83.sl5.i386.rpm openafs-client-1.4.15-83.sl5.i386.rpm openafs-compat-1.4.15-83.sl5.i386.rpm openafs-debug-1.4.15-83.sl5.i386.rpm openafs-devel-1.4.15-83.sl5.i386.rpm openafs-kernel-source-1.4.15-83.sl5.i386.rpm openafs-kpasswd-1.4.15-83.sl5.i386.rpm openafs-krb5-1.4.15-83.sl5.i386.rpm openafs-server-1.4.15-83.sl5.i386.rpm srpm openafs-1.4.15-83.sl5.src.rpm SL6 x86_64 kmod-openafs-358-1.6.5-145.sl6.358.x86_64.rpm openafs-1.6.5-145.sl6.x86_64.rpm openafs-authlibs-1.6.5-145.sl6.x86_64.rpm openafs-authlibs-devel-1.6.5-145.sl6.x86_64.rpm openafs-client-1.6.5-145.sl6.x86_64.rpm openafs-compat-1.6.5-145.sl6.x86_64.rpm openafs-devel-1.6.5-145.sl6.x86_64.rpm openafs-kernel-source-1.6.5-145.sl6.x86_64.rpm openafs-kpasswd-1.6.5-145.sl6.x86_64.rpm openafs-krb5-1.6.5-145.sl6.x86_64.rpm openafs-module-tools-1.6.5-145.sl6.x86_64.rpm openafs-plumbing-tools-1.6.5-145.sl6.x86_64.rpm openafs-server-1.6.5-145.sl6.x86_64.rpm i386 kmod-openafs-358-1.6.5-145.sl6.358.i686.rpm openafs-1.6.5-145.sl6.i686.rpm openafs-authlibs-1.6.5-145.sl6.i686.rpm openafs-authlibs-devel-1.6.5-145.sl6.i686.rpm openafs-client-1.6.5-145.sl6.i686.rpm openafs-compat-1.6.5-145.sl6.i686.rpm openafs-devel-1.6.5-145.sl6.i686.rpm openafs-kernel-source-1.6.5-145.sl6.i686.rpm openafs-kpasswd-1.6.5-145.sl6.i686.rpm openafs-krb5-1.6.5-145.sl6.i686.rpm openafs-module-tools-1.6.5-145.sl6.i686.rpm openafs-plumbing-tools-1.6.5-145.sl6.i686.rpm openafs-server-1.6.5-145.sl6.i686.rpm srpm openafs-1.6.5-145.sl6.src.rpm - Scientific Linux Development Team