{"cve": [{"lastseen": "2018-10-11T11:34:17", "bulletinFamily": "NVD", "description": "The Coda filesystem kernel module, as used in NetBSD and FreeBSD, when Coda is loaded and Venus is running with /coda mounted, allows local users to read sensitive heap memory via a large out_size value in a ViceIoctl struct to a Coda ioctl, which triggers a buffer over-read.", "modified": "2018-10-10T16:00:43", "published": "2010-08-20T16:00:02", "id": "CVE-2010-3014", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3014", "title": "CVE-2010-3014", "type": "cve", "cvss": {"score": 1.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:36", "bulletinFamily": "software", "description": " VSR Security Advisory\r\n http://www.vsecurity.com/\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nAdvisory Name: Coda Filesystem Kernel Memory Disclosure\r\n Release Date: 2010-08-16\r\n Application: Coda kernel module for NetBSD and FreeBSD\r\n Versions: All known versions\r\n Severity: Medium\r\n Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >\r\nVendor Status: Patch Released [2][3]\r\nCVE Candidate: CVE-2010-3014\r\n Reference: http://www.vsecurity.com/resources/advisory/20100816-1/\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\n\r\nProduct Description\r\n-------------------\r\nFrom [1]:\r\n\r\n "Coda is a distributed filesystem with its origin in AFS2. It has many\r\n features that are very desirable for network filesystems. Currently, Coda has\r\n several features not found elsewhere.\r\n\r\n 1. disconnected operation for mobile computing\r\n 2. is freely available under a liberal license\r\n 3. high performance through client side persistent caching\r\n 4. server replication\r\n 5. 
security model for authentication, encryption and access control\r\n 6. continued operation during partial network failures in server network\r\n 7. network bandwidth adaptation\r\n 8. good scalability\r\n 9. well defined semantics of sharing, even in the presence of network failure"\r\n\r\n\r\nVulnerability Overview\r\n----------------------\r\nOn July 19th, VSR identified a vulnerability in the Coda filesystem kernel\r\nmodule, as implemented for FreeBSD and NetBSD. By sending a specially crafted\r\nioctl request to a mounted Coda filesystem, an unprivileged local user could\r\nread large portions of kernel heap memory, leading to the disclosure of\r\npotentially sensitive information.\r\n\r\n\r\nProduct Background\r\n------------------\r\nCoda is implemented as a kernel filesystem module with userland components.\r\nSystem calls involving file I/O are passed to the Coda kernel module, which in\r\nturn passes the request to the userland Venus cache manager via a character\r\ndevice. Venus answers the request by checking its cache or requesting content\r\nfrom the Coda server. Coda implements most standard filesystem operations,\r\nincluding providing an ioctl interface.\r\n\r\n\r\nVulnerability Details\r\n---------------------\r\nCoda ioctls are passed through the Coda filesystem module before being sent to\r\nVenus. The arguments to a Coda ioctl are encapsulated in a PioctlData struct,\r\nwhich in turn contains a ViceIoctl struct. The ViceIoctl struct contains\r\n"in_size" and "out_size" fields, dictating the expected size of the input and\r\noutput data corresponding to a particular ioctl request. The "in_size" field\r\nis validated to prevent memory corruption via copying an unexpected amount of\r\ndata from userspace into a kernel buffer.\r\n\r\nHowever, the "out_size" field was missing this validation. 
When copying the\r\noutput data of an ioctl request back to userspace, the "out_size" field was\r\nused to determine the amount of data to copy, without restricting it to a\r\nmaximum possible size. By specifying a large value for this field, the\r\ncontents of the kernel heap beyond the data intended to be returned to the user\r\nwould be copied into a userland buffer. An unprivileged user could exploit\r\nthis to read large portions of the kernel heap, potentially disclosing\r\nsensitive information.\r\n\r\n\r\nVersions Affected\r\n-----------------\r\nThis vulnerability affects all known versions of the Coda filesystem module as\r\nincluded in FreeBSD and NetBSD. The Linux Coda module is not affected.\r\n\r\n\r\nVendor Response\r\n---------------\r\nThe following timeline details FreeBSD's and NetBSD's response to the reported\r\nissue:\r\n\r\n2010-07-19 Vulnerability reported to FreeBSD and NetBSD\r\n2010-07-20 Fix committed by NetBSD [2]\r\n2010-07-21 Response from FreeBSD\r\n2010-07-21 FreeBSD and NetBSD provided a draft advisory\r\n2010-08-05 Fix committed by FreeBSD [3]\r\n2010-08-16 Coordinated disclosure\r\n\r\n\r\nRecommendation\r\n--------------\r\n\r\nCoda users should apply the updates committed by NetBSD [2] and FreeBSD [3].\r\n\r\n\r\nCommon Vulnerabilities and Exposures (CVE) Information\r\n------------------------------------------------------\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe number CVE-2010-3014 to this issue. This is a candidate for\r\ninclusion in the CVE list (http://cve.mitre.org), which standardizes\r\nnames for security problems.\r\n\r\n\r\nAcknowledgements\r\n----------------\r\nThanks to the FreeBSD and NetBSD security teams for their prompt responses.\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nReferences:\r\n\r\n1. Coda File System\r\n http://www.coda.cs.cmu.edu\r\n\r\n2. 
Coda module in NetBSD CVS\r\n http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/coda/?only_with_tag=MAIN\r\n\r\n3. FreeBSD SVN revision 210997\r\n http://svn.freebsd.org/viewvc/base?view=revision&revision=210997\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nThis advisory is distributed for educational purposes only with the sincere\r\nhope that it will help promote public safety. This advisory comes with\r\nabsolutely NO WARRANTY; not even the implied warranty of merchantability or\r\nfitness for a particular purpose. Neither Virtual Security Research, LLC nor the author\r\naccepts any liability for any direct, indirect, or consequential loss or damage\r\narising from use of, or reliance on, this information.\r\n\r\nSee the VSR disclosure policy for more information on our responsible\r\ndisclosure practices: http://www.vsecurity.com/company/disclosure\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n Copyright 2010 Virtual Security Research, LLC. All rights reserved.\r\n", "modified": "2010-08-19T00:00:00", "published": "2010-08-19T00:00:00", "id": "SECURITYVULNS:DOC:24549", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24549", "title": "CVE-2010-3014: Coda Filesystem Kernel Memory Disclosure", "type": "securityvulns", "cvss": {"score": 1.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}