Bug 858243 (CVE-2013-7284) - VUL-1: CVE-2013-7284: perl-PlRPC: pre-auth remote code execution, weak crypto
Summary: VUL-1: CVE-2013-7284: perl-PlRPC: pre-auth remote code execution, weak crypto
Status: RESOLVED FIXED
Alias: CVE-2013-7284
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/95205/
Whiteboard: CVSSv2:NVD:CVE-2013-7284:6.8:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-10 11:47 UTC by Alexander Bergmann
Modified: 2024-04-23 13:14 UTC
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2014-01-10 11:47:52 UTC
OSS:11837

PlRPC is a Perl module that implements IDL-free RPCs.  It is intended 
for cross-domain applications, but it fails to achieve that goal because 
it uses Storable, which is known to be insecure when deserializing 
(thawing) untrusted data.  User name and password are transmitted using 
Storable, so code execution can happen before authentication.

The cryptographic hook built into PlRPC is limited: there is no MAC, no 
reply protection, and there's just a symmetric group key shared by all 
users.  It's not really PlRPC's fault, considering its age.

https://rt.cpan.org/Public/Bug/Display.html?id=90474
https://bugzilla.redhat.com/show_bug.cgi?id=1030572

PlRPC mainly lives on because it is a dependency of DBD::Proxy, which is 
carried around by the DBI module.

This might warrant two CVE assignments (one for the Storable-based code 
execution, and one for the weak crypto).  This was first reported in 
2013.  The patches that exist just document the issues and are not real 
fixes (for Storable itself, there is only a documentation fix, so this 
has precedent).

CVE-2013-7284 was assigned for the code-execution issue. 

The weak crypto issue depends on a possible upstream response.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7284
http://comments.gmane.org/gmane.comp.security.oss.general/11837
https://bugzilla.redhat.com/show_bug.cgi?id=1030572
https://bugzilla.redhat.com/show_bug.cgi?id=1051108
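The pre-auth path described above, as an added illustration that is not code from PlRPC, DBD::Proxy or the reporter: the server thaws the login request with Storable before checking the password, and Storable re-blesses any object in the stream by the class name it carries. The Server::TempFile and Client::TempFile classes and the file path are hypothetical stand-ins for "some class with a side-effecting DESTROY that happens to be loaded in the daemon"; the JSON::PP handler at the end is the editor's suggested data-only alternative, not the package's fix. The class-name rewrite relies on Storable storing a blessed object's class as a length-prefixed string, which is why the replacement name has the same length as the original.

```perl
#!/usr/bin/perl
# Added illustration, not PlRPC code. Server::TempFile, Client::TempFile and
# the file path are made up for the demonstration.
use strict;
use warnings;
use Storable     qw(freeze thaw);
use JSON::PP     qw(encode_json decode_json);
use Scalar::Util qw(blessed);

# Records every destructor call so the script can show when they happen
# without touching the filesystem.
our @destroyed;

# Hypothetical class loaded in the server process. It stands in for any
# class whose DESTROY has side effects (temp-file cleanup, lock release, ...).
{
    package Server::TempFile;
    sub new     { my ($class, %args) = @_; return bless {%args}, $class }
    sub DESTROY {
        my ($self) = @_;
        # A real helper would do unlink($self->{path}); we only log it.
        push @main::destroyed, $self->{path};
    }
}

# Attacker side. The Storable stream stores a blessed object as the class
# *name* plus its fields; nothing of the class itself is transmitted. We
# bless into a dummy client-side package (which has no DESTROY) and then
# rewrite the name bytes in the blob, which is all an attacker who knows a
# server-side class name has to do. The replacement name has the same length,
# so the length-prefixed name in the stream stays consistent.
sub build_malicious_login {
    my $gadget = bless { path => '/srv/data/config.db' }, 'Client::TempFile';
    my $blob   = freeze({ user => 'alice', pass => 'wrong', extra => $gadget });
    $blob =~ s/Client::TempFile/Server::TempFile/;
    return $blob;
}

# Server side, following the PlRPC pattern: thaw the request first and check
# the password afterwards. The moment thaw() returns, $req->{extra} is a live
# Server::TempFile object; its DESTROY runs when $req goes out of scope at the
# end of this sub, whether or not the login succeeded.
sub handle_login_storable {
    my ($blob) = @_;
    my $req = thaw($blob);
    return 0 unless defined $req->{pass} && $req->{pass} eq 'secret';
    return 1;
}

# Safer transport for an untrusted peer: a data-only format. decode_json()
# yields plain hashes, arrays and scalars; the wire bytes cannot name a class,
# so no destructor or STORABLE_thaw/STORABLE_attach hook is reachable.
sub handle_login_json {
    my ($bytes) = @_;
    my $req = eval { decode_json($bytes) } or return 0;
    return 0 if ref $req ne 'HASH';
    die "unexpected blessed value" if grep { blessed($_) } values %$req;
    return 0 unless defined $req->{pass} && $req->{pass} eq 'secret';
    return 1;
}

@destroyed = ();
my $ok = handle_login_storable(build_malicious_login());
printf "Storable: login ok=%d, destructors fired=%d (%s)\n",
    $ok, scalar @destroyed, join(', ', @destroyed);

@destroyed = ();
my $json = encode_json({ user => 'alice', pass => 'wrong',
                         extra => { path => '/srv/data/config.db' } });
$ok = handle_login_json($json);
printf "JSON:     login ok=%d, destructors fired=%d\n", $ok, scalar @destroyed;
```

Run it with a stock perl (Storable, JSON::PP and Scalar::Util are core modules). The Storable handler rejects the login yet still reports the destructor firing with the attacker-chosen path; the JSON handler rejects the login and reports no destructor at all. The point is not the particular gadget class but that any post-thaw check comes too late: the objects already exist, so the only real fix is to keep Storable away from untrusted peers, which is why the documentation-only upstream response leaves the issue open.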
Comment 1 Swamp Workflow Management 2014-01-13 23:00:09 UTC
bugbot adjusting priority
Comment 2 Vítězslav Čížek 2014-05-16 12:03:28 UTC
Still no upstream fix.
The latest release was issued in 2007,
so it may take "some" time.
Comment 3 Johannes Segitz 2015-04-01 14:31:06 UTC
They "fixed" it by documenting the behaviour. We will treat it as VUL-1 for now.
Comment 4 Vítězslav Čížek 2015-08-05 15:23:07 UTC
No upstream activity since 2007.

Red Hat closed this as WONTFIX:
https://bugzilla.redhat.com/show_bug.cgi?id=1051108

Debian dropped the package:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745477
Comment 6 Tomáš Chvátal 2016-09-26 09:22:24 UTC
I guess we should drop this from factory, it really has been dead for 9 years now.
Comment 7 Vítězslav Čížek 2016-09-27 08:37:16 UTC
Drop request has been issued: https://build.opensuse.org/request/show/430518
Comment 8 Marcus Meissner 2016-09-28 07:15:41 UTC
What's the needinfo?

droprequest is fine by us for unmaintained packages.
Comment 13 Swamp Workflow Management 2020-08-14 13:13:51 UTC
SUSE-SU-2020:2238-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 858243
CVE References: CVE-2013-7284
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    perl-PlRPC-0.2020-25.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.