Multiple vulnerabilities in OpenAFS
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2013-1795 CVE-2013-1794 |
| CWE-ID | CWE-122 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
OpenAFS Server applications / Other server solutions |
| Vendor | OpenAFS.org |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Heap-based buffer overflow
EUVDB-ID: #VU43003
Risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:C]
CVE-ID: CVE-2013-1795
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Integer overflow in ptserver in OpenAFS before 1.6.2. A remote attacker can use a large list from the IdToName RPC to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsOpenAFS: 1.5.10 - 1.6.0
CPE2.3- cpe:2.3:a:openafs_org:openafs:1.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:openafs_org:openafs:1.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:openafs_org:openafs:1.5.12:*:*:*:*:*:*:*
http://secunia.com/advisories/52342
http://secunia.com/advisories/52480
http://www.debian.org/security/2013/dsa-2638
http://www.mandriva.com/security/advisories?name=MDVSA-2014:244
http://www.openafs.org/pages/security/OPENAFS-SA-2013-002.txt
http://www.securityfocus.com/bid/58300
http://exchange.xforce.ibmcloud.com/vulnerabilities/82585
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU43004
Risk: Low
CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-1794
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
Buffer overflow in certain client utilities in OpenAFS before 1.6.2 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long fileserver ACL entry.
MitigationInstall update from vendor's website.
Vulnerable software versionsOpenAFS: 1.5.10 - 1.6.0
CPE2.3- cpe:2.3:a:openafs_org:openafs:1.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:openafs_org:openafs:1.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:openafs_org:openafs:1.5.12:*:*:*:*:*:*:*
http://secunia.com/advisories/52342
http://secunia.com/advisories/52480
http://www.debian.org/security/2013/dsa-2638
http://www.mandriva.com/security/advisories?name=MDVSA-2014:244
http://www.openafs.org/pages/security/OPENAFS-SA-2013-001.txt
http://www.securityfocus.com/bid/58299
http://exchange.xforce.ibmcloud.com/vulnerabilities/82582
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
