[linux-cifs-client] just what is the impact of the ASN.1 vulnerability? (CVE-2008-1673)
Jeff Layton
jlayton at redhat.com
Wed Jun 11 11:51:33 GMT 2008
On Wed, 11 Jun 2008 16:34:55 +1200
Jason Haar <Jason.Haar at trimble.co.nz> wrote:
> According to SANS, we all have to upgrade to 2.6.25.5 due to a bug in
> the Linux kernel ASN parser as it impacts the cifs module.
>
> However, wouldn't it really only be an issue if you were prone to
> connect to random strangers via CIFS? i.e. in a corporate environment,
> where you are using CIFS to mount other corporate Windows servers, just
> how much of a risk is it really? I mean - this only affects "mount.cifs"
> - not Samba - right?
>
> References:
>
> http://isc.sans.org/diary.php?storyid=4555&rss
> http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.5
>
It affects the kernel CIFS code. If you can guarantee that all of the
servers you're talking to are well-behaved then I think you would probably
be safe. You may also be able to avoid this by making sure that you
don't have KRB5 negotiation enabled, but I haven't actually tested that yet
to make sure that it's a proper workaround.
--
Jeff Layton <jlayton at redhat.com>
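The reply above scopes the exposure as: a kernel older than the 2.6.25.5 fix, plus CIFS mounts to servers you do not fully trust, with KRB5 negotiation in the mix. The following triage helper is an added example, not code from the thread or from the kernel CIFS project. It assumes the mainline fix is the 2.6.25.5 release the ChangeLog link points at (distribution kernels often backport fixes without bumping the version, so treat the version test as a hint rather than proof), and it inspects /etc/fstab-style lines rather than /proc/mounts, because kernels of that era do not necessarily echo the sec= option back in /proc/mounts. The sample fstab lines and server names are constructed for the example.

```shell
#!/bin/sh
# Added triage example for CVE-2008-1673 exposure; not part of the original thread.
# Assumption: mainline fix is in 2.6.25.5 (per the ChangeLog link in the thread).

# kernel_has_fix VERSION
# Returns 0 if VERSION (e.g. "2.6.25.5" or "2.6.24.7-smp") is >= 2.6.25.5,
# 1 otherwise. Only the leading dotted numeric part is compared; distro
# suffixes like "-smp" or "-1.el5" are ignored, so backported fixes are not
# detected by this check.
kernel_has_fix() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    IFS=. read -r a b c d <<EOF
$ver
EOF
    a=${a:-0}; b=${b:-0}; c=${c:-0}; d=${d:-0}
    for pair in "$a:2" "$b:6" "$c:25" "$d:5"; do
        have=${pair%%:*}; need=${pair#*:}
        if [ "$have" -gt "$need" ]; then
            return 0
        elif [ "$have" -lt "$need" ]; then
            return 1
        fi
    done
    return 0
}

# cifs_krb5_mounts < fstab-lines
# Reads fstab-format lines on stdin and prints "MOUNTPOINT SOURCE" for every
# cifs entry whose mount options request Kerberos (sec=krb5 or sec=krb5i).
# Comment lines and non-cifs filesystems are skipped.
cifs_krb5_mounts() {
    while read -r src mnt fstype opts rest; do
        case "$src" in ''|'#'*) continue ;; esac
        [ "$fstype" = cifs ] || continue
        case ",$opts," in
            *,sec=krb5,*|*,sec=krb5i,*) printf '%s %s\n' "$mnt" "$src" ;;
        esac
    done
}

# Constructed sample fstab for demonstration (not a real host's configuration).
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 / ext3 defaults 0 0
//fs1.corp.example/share /mnt/fs1 cifs sec=krb5,uid=1000 0 0
//fs2.corp.example/share /mnt/fs2 cifs sec=ntlmv2,credentials=/root/.smb 0 0
//fs3.corp.example/share /mnt/fs3 cifs credentials=/root/.smb,sec=krb5i 0 0'

# Stand-alone run: report on the running kernel and the constructed sample.
running=$(uname -r)
if kernel_has_fix "$running"; then
    echo "kernel $running: at or above 2.6.25.5 (check distro backports anyway)"
else
    echo "kernel $running: below 2.6.25.5, CIFS client code may be affected"
fi
echo "cifs mounts negotiating Kerberos in sample fstab:"
printf '%s\n' "$SAMPLE_FSTAB" | cifs_krb5_mounts
```

To run it against a real host, replace the sample with `cifs_krb5_mounts < /etc/fstab`; a mount listed there only matters if the host is also on an unfixed kernel and the server at the other end is not one you control.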