Bug 363151 (CVE-1999-0003) - VUL-0: CVE-1999-0003: krb5: multiple vulnerabilities - draft MITKRB5-SA-2008-002
Summary: VUL-0: CVE-1999-0003: krb5: multiple vulnerabilities - draft MITKRB5-SA-2008-002
Status: RESOLVED FIXED
Alias: CVE-1999-0003
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2008-0948: CVSS v2 Base Score: 9....
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-20 07:05 UTC by Thomas Biege
Modified: 2021-01-01 10:35 UTC (History)
4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Biege 2008-02-20 07:05:51 UTC
Hi.
There is a security bug in 'krb5'.

This bug is NOT PUBLIC.

The coordinated release date (CRD) is: Tuesday, 18 March 2008, at 14:00 US/Eastern time

More information can be found here:
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-NNNN

CVE number: CVE-1999-0003
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0003


Original posting:



----- Forwarded message from raeburn@MIT.EDU -----

Date: Tue, 19 Feb 2008 20:39:08 -0500 (EST)
From: raeburn@MIT.EDU
To: security@suse.de
Cc: krbcore-security@MIT.EDU
Subject: [security@suse.de] confidential - draft MITKRB5-SA-2008-002 [CVE number pending]
Reply-To: krbcore-security@MIT.EDU
Errors-To: security-bounces+thomas=suse.de@suse.de

Subject: confidential - draft MITKRB5-SA-2008-002 [CVE-2008-NNNN]

The MIT Kerberos Team is aware of the following vulnerabilities in the
MIT krb5 software.  Please treat this information as confidential, and
do not publicly disseminate it prior to our public disclosure.  Also,
please do not use un-encrypted communications to discuss this
vulnerability.

We have drafted MITKRB5-SA-2008-002 describing these vulnerabilities.

We plan to publish no sooner than Tuesday, 18 March 2008, at 14:00
US/Eastern time.  We plan to notify CERT/CC and vendor-sec@lst.de on
4 March 2008, but only provide them with summary text.  Vendors
contacted through CERT/CC or vendor-sec will be requested to contact
us directly for details.  We will post our public disclosure to the
kerberos-announce@mit.edu and bugtraq@securityfocus.com mailing lists.

Please let us know if you have any concerns about this disclosure
timeline.  Also, please send us any comments you have concerning the
advisory text or the patches.  Our preferred security contact PGP key
is available on the keyserver pgp.mit.edu:

pub   1024D/2915318C 2008-01-18 [expires: 2009-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>
sub   2048g/3A91A276 2008-01-18 [expires: 2009-02-01]

As part of our effort to improve our vendor coordination process,
please tell us which releases of MIT krb5 you use in your products, as
well as which components.

======================================================================

*** CONFIDENTIAL PRERELEASE VULNERABILITY INFORMATION ***

DRAFT - DO NOT PUBLISH - DRAFT - DO NOT PUBLISH - DRAFT - DO NOT PUBLISH

MITKRB5-SA-2008-002

MIT krb5 Security Advisory 2008-002
Original release: YYYY-MM-DD
Last update: YYYY-MM-DD

Topic: array overrun in RPC library used by kadmind

CVE-YYYY-NNNN
VU#NNNNNN
Use of high-numbered file descriptors in the RPC library, used by
kadmind, can cause references past the end of an array.

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:P/RL:T/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8

Exploitability:         Proof-of-Concept
Remediation Level:      Official fix
Report Confidence:      Confirmed

SUMMARY
=======

A bug in the RPC library server code, used in the kadmin server,
causes an array overrun if too many file descriptors are opened.
Memory corruption can result.

IMPACT
======

An unauthenticated remote attacker can cause memory corruption in the
kadmind process, which is likely to cause kadmind to crash, resulting
in a denial of service.  It is at least theoretically possible for
such corruption to result in database corruption or arbitrary code
execution, though we have no such exploit and are not aware of any
such exploits in use in the wild.

This bug can only be triggered in configurations that allow large
numbers of open file descriptors in a process.

AFFECTED SOFTWARE
=================

libgssrpc and kadmind, from krb5-1.4 through krb5-1.6.3

FIXES
=====

* Workaround: Check the system header files for the value of
  FD_SETSIZE.  Use "ulimit -n" or "limit descriptors" in the shell
  invoking kadmind to limit the number of open file descriptors to
  FD_SETSIZE or less, before starting kadmind.  Then the operating
  system will prevent the use of file descriptors large enough to
  exploit this bug.

* Apply the following patch:

=== src/lib/rpc/svc.c
==================================================================
--- src/lib/rpc/svc.c	(revision 1666)
+++ src/lib/rpc/svc.c	(local)
@@ -109,15 +109,17 @@
 	if (sock < FD_SETSIZE) {
 		xports[sock] = xprt;
 		FD_SET(sock, &svc_fdset);
+		if (sock > svc_maxfd)
+			svc_maxfd = sock;
 	}
 #else
 	if (sock < NOFILE) {
 		xports[sock] = xprt;
 		svc_fds |= (1 << sock);
+		if (sock > svc_maxfd)
+			svc_maxfd = sock;
 	}
 #endif /* def FD_SETSIZE */
-	if (sock > svc_maxfd)
-		svc_maxfd = sock;
 }
 
 /*
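Review bot: moving the `svc_maxfd` update inside the bounds check closes the overrun, but a registration with `sock >= FD_SETSIZE` (or `>= NOFILE` in the `#else` branch) now falls through silently: there is no else branch and no diagnostic, so any caller that did not pre-check the descriptor gets a transport that is stored nowhere and never polled. Consider an else that logs the rejected descriptor, or a return value the callers can act on, rather than relying on every caller to duplicate the `fd >= FD_SETSIZE` test. The two identical `if (sock > svc_maxfd) svc_maxfd = sock;` copies could also be hoisted into a small static helper so the two `#ifdef` branches cannot drift apart.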
=== src/lib/rpc/svc_tcp.c
==================================================================
--- src/lib/rpc/svc_tcp.c	(revision 1666)
+++ src/lib/rpc/svc_tcp.c	(local)
@@ -54,6 +54,14 @@
 extern errno;
 */
 
+#ifndef FD_SETSIZE
+#ifdef NBBY
+#define NOFILE (sizeof(int) * NBBY)
+#else
+#define NOFILE (sizeof(int) * 8)
+#endif
+#endif
+
 /*
  * Ops vector for TCP/IP based rpc service handle
  */
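Review bot: the new `NOFILE` definition is unconditional inside `#ifndef FD_SETSIZE`, so it will collide with a system `NOFILE` on platforms where <sys/param.h> provides one, and a pre-existing system value would not be tied to the width of the `int` bitmask that svc.c's `svc_fds |= (1 << sock)` relies on. Suggest a library-private name derived from the mask type, e.g. `#define SVC_FD_LIMIT (sizeof(svc_fds) * NBBY)`, used by both svc.c and svc_tcp.c so the limit cannot diverge from the shift width; failing that, at least `#ifdef NOFILE` / `#undef NOFILE` before the definition. Either way it belongs in a shared header rather than being redefined per source file.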
@@ -215,6 +223,19 @@
 	register SVCXPRT *xprt;
 	register struct tcp_conn *cd;
  
+#ifdef FD_SETSIZE
+	if (fd >= FD_SETSIZE) {
+		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+		xprt = NULL;
+		goto done;
+	}
+#else
+	if (fd >= NOFILE) {
+		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+		xprt = NULL;
+		goto done;
+	}
+#endif
 	xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
 	if (xprt == (SVCXPRT *)NULL) {
 		(void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
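Review bot: the two branches of the new guard are identical apart from the constant; a single `if (fd >= <limit>)` with the limit chosen once by the preprocessor is less likely to drift than two copies of the same four lines. Two further points: `goto done` jumps past the allocation of `xprt` and `cd`, so whatever sits at `done:` must not touch `cd` (still uninitialized at this point) and must return the NULL `xprt` unchanged; and the rejection is reported only with `fprintf(stderr, ...)`, which a long-running kadmind typically does not have captured, so the one operator-visible sign of descriptor exhaustion is lost. Routing this message (and the existing "out of memory" one) through the daemon's logging would make the condition detectable rather than silent.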
@@ -271,6 +292,10 @@
 	 * make a new transporter (re-uses xprt)
 	 */
 	xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
+	if (xprt == NULL) {
+		close(sock);
+		return (FALSE);
+	}
 	xprt->xp_raddr = addr;
 	xprt->xp_addrlen = len;
 	xprt->xp_laddr = laddr;
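Review bot: this NULL check also covers the pre-existing out-of-memory path in makefd_xprt (the "out of memory" branch in the previous hunk), which, if it likewise leaves `xprt` NULL via `goto done`, previously fell straight into `xprt->xp_raddr = addr`; worth noting in the commit message that two crash paths are closed, not one. Closing the accepted socket and returning FALSE leaves the listening transport in place, which matches the behaviour the advisory describes (connections accepted and then dropped until lower-numbered descriptors are freed), but nothing at this layer counts or logs the event; a rate-limited log line here would let operators tell descriptor exhaustion apart from a genuine client-side GSS-API failure. Also confirm that every other place in the library that turns an accepted or created socket into a transport goes through the same guarded makefd_xprt path, since this hunk only covers the one call shown.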

  This patch will result in too-high-numbered file descriptors being
  immediately closed after the connection comes in.  Clients will see
  connections established, and then closed; a "GSS-API (or Kerberos)
  error while initializing kadmin interface" will eventually result.
  Once some of the lower-numbered file descriptors are closed, clients
  will be able to get useful connections again.

* The next release from MIT (1.6.4) will include a fix.

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-YYYY-NNNN
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-NNNN

CERT: VU#NNNNNN
http://www.kb.cert.org/vuls/id/NNNNNN

ACKNOWLEDGMENTS
===============

Thanks to Jeff Altman of Secure Endpoints for discovering and
reporting this problem.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   1024D/2915318C 2008-01-18 [expires: 2009-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>
sub   2048g/3A91A276 2008-01-18 [expires: 2009-02-01]

DETAILS
=======

The variable svc_maxfd tracks the highest-numbered file descriptor
registered with the RPC library as a transport handle.  While the
registration function does check that the file descriptor number is
less than FD_SETSIZE for array references, the code for updating
svc_maxfd is not so protected.  Elsewhere, svc_maxfd is used as an
upper bound for array indexing, and as the maximum file descriptor
number to pass to select().

REVISION HISTORY
================

YYYY-MM-DD      original release

Copyright (C) 2008 Massachusetts Institute of Technology

----- End forwarded message -----

-- 
Bye,
     Thomas
-- 
 Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-- 
           Hamming's Motto:
           The purpose of computing is insight, not numbers.
                                -- Richard W. Hamming
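The DETAILS section of the forwarded advisory describes the defect precisely: the store into xports[] is guarded by `sock < FD_SETSIZE`, the update of svc_maxfd is not, and svc_maxfd is later used both as a loop bound over that array and as the descriptor count handed to select(). The C program below is an added illustration written for this bug entry, not code from the advisory or from the krb5 tree. It models the registration function in its pre-patch and patched forms against a toy transport table, shows why a consumer trusting svc_maxfd as an index bound is unsafe in the first form, and includes the check that the "ulimit -n" workaround in FIXES relies on (the soft RLIMIT_NOFILE being at or below FD_SETSIZE). The type svcxprt_t, all function names, and the descriptor number FD_SETSIZE + 100 are constructed for the demo; no real descriptor is opened.

```c
#include <stdio.h>
#include <string.h>
#include <sys/select.h>      /* FD_SETSIZE, fd_set, FD_ZERO, FD_SET */
#include <sys/resource.h>    /* getrlimit, RLIMIT_NOFILE, rlim_t */

/* Toy model of the RPC library's transport table (constructed for this
 * illustration, not the krb5 source). */
typedef struct { int fd; } svcxprt_t;

static svcxprt_t *xports[FD_SETSIZE];
static fd_set svc_fdset;
static int svc_maxfd = -1;

/* Reset the model so each scenario starts from an empty table. */
void reset_table(void) {
    memset(xports, 0, sizeof xports);
    FD_ZERO(&svc_fdset);
    svc_maxfd = -1;
}

/* Pre-patch shape: the array store is bounds-checked, the svc_maxfd
 * update is not, so a high descriptor number leaks into svc_maxfd.
 * Returns the resulting svc_maxfd. */
int register_unpatched(svcxprt_t *xprt) {
    int sock = xprt->fd;
    if (sock < FD_SETSIZE) {
        xports[sock] = xprt;
        FD_SET(sock, &svc_fdset);
    }
    if (sock > svc_maxfd)
        svc_maxfd = sock;       /* defect: may now be >= FD_SETSIZE */
    return svc_maxfd;
}

/* Patched shape: svc_maxfd only moves inside the guarded block, so it can
 * never name a slot outside xports[]. Returns the resulting svc_maxfd. */
int register_patched(svcxprt_t *xprt) {
    int sock = xprt->fd;
    if (sock < FD_SETSIZE) {
        xports[sock] = xprt;
        FD_SET(sock, &svc_fdset);
        if (sock > svc_maxfd)
            svc_maxfd = sock;
    }
    return svc_maxfd;
}

/* svc_maxfd is used elsewhere as the upper bound of loops over xports[]
 * and as the nfds argument to select(); both are only safe while it stays
 * below FD_SETSIZE. Returns 1 when that invariant holds, 0 otherwise. */
int maxfd_bound_is_safe(void) {
    return svc_maxfd < FD_SETSIZE;
}

/* A consumer walking xports[0..svc_maxfd], as the advisory describes, but
 * clamped so this demo never reads past the array even after the unpatched
 * registration has poisoned svc_maxfd. Returns the number of live slots. */
int count_live_transports(void) {
    int n = 0;
    int limit = svc_maxfd < FD_SETSIZE ? svc_maxfd : FD_SETSIZE - 1;
    for (int i = 0; i <= limit; i++)
        if (xports[i] != NULL)
            n++;
    return n;
}

/* The advisory's workaround: run the daemon with its descriptor limit at or
 * below FD_SETSIZE so the kernel never hands out a descriptor large enough
 * to reach the defect. Returns 1 if the current soft RLIMIT_NOFILE
 * satisfies that, 0 if it does not, -1 if the limit cannot be read. */
int nofile_limit_within_fdsetsize(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return rl.rlim_cur <= (rlim_t)FD_SETSIZE;
}

int main(void) {
    svcxprt_t low  = { 7 };
    svcxprt_t high = { FD_SETSIZE + 100 };   /* constructed descriptor number */

    reset_table();
    register_unpatched(&low);
    register_unpatched(&high);
    printf("unpatched: svc_maxfd=%d bound_safe=%d live=%d\n",
           svc_maxfd, maxfd_bound_is_safe(), count_live_transports());

    reset_table();
    register_patched(&low);
    register_patched(&high);
    printf("patched:   svc_maxfd=%d bound_safe=%d live=%d\n",
           svc_maxfd, maxfd_bound_is_safe(), count_live_transports());

    printf("soft RLIMIT_NOFILE <= FD_SETSIZE: %d\n",
           nofile_limit_within_fdsetsize());
    return 0;
}
```

With the unpatched registration, svc_maxfd ends at FD_SETSIZE + 100 while the high transport was never stored, so any real consumer that scans xports[0..svc_maxfd] or passes svc_maxfd + 1 to select() runs off the end of the array and the fd_set; with the patched registration svc_maxfd stays at 7 and the high descriptor is simply left unregistered, which is the "accepted then closed" behaviour the advisory says the fix produces. The rlimit check is the condition the workaround establishes: when it returns 1, the kernel will not allocate a descriptor number that the table cannot hold.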
Comment 1 Thomas Biege 2008-02-20 08:43:58 UTC
The CVE-ID is - of course - wrong.
Comment 3 Thomas Biege 2008-02-28 10:06:22 UTC
MaintenanceTracker-16535
Comment 4 Michael Calmer 2008-03-04 09:45:44 UTC
Fixed package submitted to:

* 10.1/SLES10
* SLES10-SP2
* 10.2
* 10.3

This fix (combined with Bug #361373) affects two packages:

krb5 and krb5-server

(STABLE will follow after official release date)
Comment 5 Thomas Biege 2008-03-04 10:54:31 UTC
(In reply to comment #2 from Thomas Biege)
> CVE: CVE-2008-0947
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947
> 
> CVE: CVE-2008-0948
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0948
> 

Hm, two CVE-IDs and one bug... I need to clarify this.
Comment 6 Thomas Biege 2008-03-04 11:09:30 UTC
Ok.

CVE-2008-0947, CVE-2008-0948
VU#NNNNNN
Use of high-numbered file descriptors in the RPC library, used by
kadmind, can cause references past the end of an array.

---

CVE-2008-0947: libgssrpc and kadmind, from krb5-1.4 through krb5-1.6.3

CVE-2008-0948: libgssrpc and kadmind, in krb5-1.2.2 and probably most
other versions before 1.3, on systems where <unistd.h> does not define
FD_SETSIZE.

---


Comment 7 Heiko Rommel 2008-03-11 11:43:02 UTC
Michael/Ludwig, could you create a testcase for SLE10 that demonstrates the defect within a reasonable amount of time?
Comment 8 Thomas Biege 2008-03-11 11:48:51 UTC
I think the bug is hard to trigger and we should/need to trust in the MIT patch here. No testcase.
Comment 9 Michael Calmer 2008-03-14 10:56:28 UTC
Submitted to STABLE.
Add a .note file to not check in before official release time.

reassign to reporter for tracking.
Comment 10 Thomas Biege 2008-03-18 18:05:13 UTC
packages released
Comment 11 Thomas Biege 2009-10-14 01:41:37 UTC
CVE-2008-0948: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)