[Secure-testing-team] Bug#551907: mandos-client adds unnecessary files to initrd

C. Dominik Bodi dominik.bodi at gmx.de
Wed Oct 21 17:12:38 UTC 2009


Package: mandos-client
Version: 1.0.12-1
Severity: critical
Tags: security
Justification: root security hole

The update-initramfs hook script for mandos client adds several files
into the initrd that are not necessary for its operation. One of the
files being added causes a severe security risk for other mandos
clients in case the client acts as a mandos server, as well.

The superfluous files can be found in
initrd_root/etc/conf/conf.d/mandos/

First of all, backup files created by various text editors, for
instance emacsen's "filename~" (notice the tilde) files, are added
to the initrd.

More importantly, if the mandos server package is installed on the
same computer, the /etc/mandos/mandos.conf and
/etc/mandos/clients.conf will be added to the initrd, as well.

The latter contains the fingerprints of other mandos clients.
If the initrd file was compromised, it would be very easy to set
up a rogue mandos server in order to snoop the other clients' disk
encryption passwords.

Regards,
Dominik Bodi

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31.4-via-1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mandos-client depends on:
ii  adduser                    3.111         add and remove users and groups
ii  cryptsetup                 2:1.1.0~rc2-1 configures encrypted block devices
ii  libavahi-common3           0.6.25-1      Avahi common library
ii  libavahi-core6             0.6.25-1      Avahi's embeddable mDNS/DNS-SD lib
ii  libc6                      2.10.1-1      GNU C Library: Shared libraries
ii  libgnutls26                2.8.4-1       the GNU TLS library - runtime libr
ii  libgpg-error0              1.6-1         library for common error values an
ii  libgpgme11                 1.2.0-1       GPGME - GnuPG Made Easy

mandos-client recommends no packages.

mandos-client suggests no packages.

-- no debconf information
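As an added check for the problem the report describes (this is example code, not part of the bug report or of the mandos package): a small POSIX sh script that audits an already-extracted initramfs tree and lists the files that a client initrd should not carry, namely editor and package-manager backup files and the mandos server configuration (mandos.conf and clients.conf). The directory name etc/conf/conf.d/mandos is taken from the report; the sample tree, including the assumed-legitimate plugin-runner.conf, is constructed here for demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug report or the mandos package.
# Audit an extracted initramfs tree for files the mandos-client hook
# should not have copied: editor backup files and the mandos *server*
# configuration, whose clients.conf lists other clients' fingerprints.

# Directory (relative to the extracted initrd root) where the hook puts
# the mandos configuration, as named in the report.
MANDOS_DIR="etc/conf/conf.d/mandos"

# list_unwanted ROOT: print one line per file under ROOT/$MANDOS_DIR that
# has no business being in a client initrd. Prints nothing if clean.
list_unwanted() {
    dir="$1/$MANDOS_DIR"
    [ -d "$dir" ] || return 0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue          # unmatched glob stays literal
        name=${f##*/}
        case "$name" in
            *~|"#"*"#"|*.bak|*.swp|*.orig|*.dpkg-old|*.dpkg-new|*.dpkg-dist)
                printf 'backup file:   %s/%s\n' "$MANDOS_DIR" "$name" ;;
            mandos.conf|clients.conf)
                printf 'server config: %s/%s\n' "$MANDOS_DIR" "$name" ;;
        esac
    done
}

# count_unwanted ROOT: number of offending files, printed on stdout.
count_unwanted() {
    list_unwanted "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed initrd tree in a temp dir and print
# its path. The file names mimic what the report describes; the contents
# are dummies. plugin-runner.conf stands in for a legitimate client file.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/$MANDOS_DIR"
    echo '# client config (assumed legitimate)' > "$root/$MANDOS_DIR/plugin-runner.conf"
    echo '# emacs backup'  > "$root/$MANDOS_DIR/plugin-runner.conf~"
    echo '# server config' > "$root/$MANDOS_DIR/mandos.conf"
    echo '# server config' > "$root/$MANDOS_DIR/clients.conf"
    printf '%s\n' "$root"
}

# Stand-alone run: audit the constructed tree and report what it finds.
sample=$(make_sample_tree)
if [ "$(count_unwanted "$sample")" -gt 0 ]; then
    echo "unwanted files in initrd tree:"
    list_unwanted "$sample"
fi
rm -rf "$sample"
```

To run it against a real image, unpack the initrd into a scratch directory first (for example with `unmkinitramfs` or `cpio -id` after decompression) and call `list_unwanted` on that directory; a non-empty listing means the hook copied more than the client needs.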




