Bugzilla – Bug 912002
VUL-0: CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423: krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
Last modified: 2018-10-19 18:32:01 UTC
MITKRB5-SA-2015-001

MIT krb5 Security Advisory 2015-001
Original release: 2015-02-03
Last update: 2015-02-03

Topic: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token

CVE-2014-5352: gss_process_context_token() incorrectly frees context

CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 9.0
Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSSv2 Temporal Score: 7.0
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

CVE-2014-9421: kadmind doubly frees partial deserialization results

CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 9.0
CVSSv2 Temporal Score: 7.0

CVE-2014-9422: kadmind incorrectly validates server principal name

CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 6.1
CVSSv2 Temporal Score: 4.8

CVE-2014-9423: libgssrpc server applications leak uninitialized bytes

CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C
CVSSv2 Base Score: 5.0
CVSSv2 Temporal Score: 4.4

SUMMARY
=======

The MIT krb5 team has discovered four vulnerabilities affecting kadmind.
Some of these vulnerabilities may also affect server applications which
use the gssrpc library or the gss_process_context_token() function.
These are implementation vulnerabilities, not vulnerabilities in the
Kerberos protocol.

CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after
gss_process_context_token() is used to process a valid context deletion
token, the caller is left with a security context handle containing a
dangling pointer. Further uses of this handle will result in
use-after-free and double-free memory access violations. libgssrpc
server applications such as kadmind are vulnerable as they can be
instructed to call gss_process_context_token().

CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data
from an authenticated user, it may perform use-after-free and
double-free memory access violations while cleaning up the partial
deserialization results. Other libgssrpc server applications may also
be vulnerable if they contain insufficiently defensive XDR functions.

CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepts
authentications to two-component server principals whose first
component is a left substring of "kadmin" or whose realm is a left
prefix of the default realm.

CVE-2014-9423: libgssrpc applications including kadmind output four or
eight bytes of uninitialized memory to the network as part of an unused
"handle" field in replies to clients.

IMPACT
======

CVE-2014-5352: An authenticated attacker could cause a vulnerable
application (including kadmind) to crash or to execute arbitrary code.
Exploiting a double-free event to execute arbitrary code is believed to
be difficult.

CVE-2014-9421: An authenticated attacker could cause kadmind or another
vulnerable server application to crash or to execute arbitrary code.
Exploiting a double-free event to execute arbitrary code is believed to
be difficult.

CVE-2014-9422: An attacker who possesses the key of a particularly named
principal (such as "kad/root") could impersonate any user to kadmind and
perform administrative actions as that user.

CVE-2014-9423: An attacker could attempt to glean sensitive information
from the four or eight bytes of uninitialized data output by kadmind or
another libgssrpc server application. Because MIT krb5 generally
sanitizes memory containing krb5 keys before freeing it, it is unlikely
that kadmind would leak Kerberos key information, but it is not
impossible.

AFFECTED SOFTWARE
=================

CVE-2014-5352: kadmind in all released versions of MIT krb5 is
vulnerable. Third-party server applications using libgssrpc from all
releases of MIT krb5 are vulnerable if they enable the AUTH_GSSAPI
authentication flavor. Third-party client and server applications using
GSS-API libraries from all releases of MIT krb5 are vulnerable if they
directly call gss_process_context_token(). Such applications are
believed to be rare. Releases krb5-1.9 and prior may be less vulnerable
due to pointer validation code within the krb5 GSS-API mechanism;
applications using those releases may instead only experience a memory
leak.

CVE-2014-9421: kadmind is vulnerable in all released versions of MIT
krb5. Third-party server applications using libgssrpc are vulnerable if
they enable the AUTH_GSSAPI authentication flavor and contain
insufficiently defensive XDR functions.

CVE-2014-9422: kadmind is vulnerable in all released versions of MIT
krb5.

CVE-2014-9423: Server software (including third-party applications)
using libgssrpc from release krb5-1.11 and later is vulnerable.

FIXES
=====

* Upcoming releases in the krb5-1.11, krb5-1.12, and krb5-1.13 series
  will contain fixes for these issues.

* The patch for krb5-1.13.x is available at

    http://web.mit.edu/kerberos/advisories/2015-001-patch-r113.txt

  A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisories/2015-001-patch-r113.txt.asc

* The patch for krb5-1.12.x is available at

    http://web.mit.edu/kerberos/advisories/2015-001-patch-r112.txt

  A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisories/2015-001-patch-r112.txt.asc

* The patch for krb5-1.11.x is available at

    http://web.mit.edu/kerberos/advisories/2015-001-patch-r111.txt

  A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisories/2015-001-patch-r111.txt.asc

[DRAFT ONLY: since those URLs will not work until the advisory is
released, the patch follows. This patch is against release krb5-1.13.
It will apply to krb5-1.12 and krb5-1.11 with some fuzz if the t_prf.c hunk is removed, and to krb5-1.10 if the mglueP.h hunk is also removed.] diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c index 3837931..f4d2a7c 100644 --- a/src/kadmin/server/kadm_rpc_svc.c +++ b/src/kadmin/server/kadm_rpc_svc.c @@ -4,7 +4,7 @@ * */ -#include <k5-platform.h> +#include <k5-int.h> #include <gssrpc/rpc.h> #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */ #include <syslog.h> @@ -296,14 +296,8 @@ check_rpcsec_auth(struct svc_req *rqstp) c1 = krb5_princ_component(kctx, princ, 0); c2 = krb5_princ_component(kctx, princ, 1); realm = krb5_princ_realm(kctx, princ); - if (strncmp(handle->params.realm, realm->data, realm->length) == 0 - && strncmp("kadmin", c1->data, c1->length) == 0) { - - if (strncmp("history", c2->data, c2->length) == 0) - goto fail_princ; - else - success = 1; - } + success = data_eq_string(*realm, handle->params.realm) && + data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history"); fail_princ: if (!success) { diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c index b3d1db0..a18cfb0 100644 --- a/src/lib/gssapi/krb5/context_time.c +++ b/src/lib/gssapi/krb5/context_time.c @@ -40,7 +40,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec) ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c index 18a3a34..1b3de68 100644 --- a/src/lib/gssapi/krb5/export_sec_context.c +++ b/src/lib/gssapi/krb5/export_sec_context.c 
@@ -45,6 +45,11 @@ krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token) *minor_status = 0; ctx = (krb5_gss_ctx_id_t) *context_handle; + if (ctx->terminated) { + *minor_status = KG_CTX_INCOMPLETE; + return (GSS_S_NO_CONTEXT); + } + context = ctx->k5_context; kret = krb5_gss_ser_init(context); if (kret) diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 7e807cc..a0e8625 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -206,6 +206,7 @@ typedef struct _krb5_gss_ctx_id_rec { unsigned int established : 1; unsigned int have_acceptor_subkey : 1; unsigned int seed_init : 1; /* XXX tested but never actually set */ + unsigned int terminated : 1; OM_uint32 gss_flags; unsigned char seed[16]; krb5_gss_name_t here; diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index 6456b23..77b7fff 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -369,7 +369,7 @@ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (!ctx->established) + if (ctx->terminated || !ctx->established) return GSS_S_NO_CONTEXT; for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/ diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c index eacb0fd..096df2a 100644 --- a/src/lib/gssapi/krb5/inq_context.c +++ b/src/lib/gssapi/krb5/inq_context.c @@ -105,7 +105,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name, ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index 7665cba..f1c74dd 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c 
@@ -342,7 +342,7 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c index a129670..b53e348 100644 --- a/src/lib/gssapi/krb5/k5sealiov.c +++ b/src/lib/gssapi/krb5/k5sealiov.c @@ -281,7 +281,7 @@ kg_seal_iov(OM_uint32 *minor_status, } ctx = (krb5_gss_ctx_id_rec *)context_handle; - if (!ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return GSS_S_NO_CONTEXT; } diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index 0573958..673c883 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -492,7 +492,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c index f34d802..8b67042 100644 --- a/src/lib/gssapi/krb5/k5unsealiov.c +++ b/src/lib/gssapi/krb5/k5unsealiov.c @@ -625,7 +625,7 @@ kg_unseal_iov(OM_uint32 *minor_status, OM_uint32 code; ctx = (krb5_gss_ctx_id_rec *)context_handle; - if (!ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return GSS_S_NO_CONTEXT; } diff --git a/src/lib/gssapi/krb5/lucid_context.c b/src/lib/gssapi/krb5/lucid_context.c index 85df7fd..449e71f 100644 --- a/src/lib/gssapi/krb5/lucid_context.c +++ b/src/lib/gssapi/krb5/lucid_context.c 
@@ -75,6 +75,11 @@ gss_krb5int_export_lucid_sec_context( *minor_status = 0; *data_set = GSS_C_NO_BUFFER_SET; + if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } + retval = generic_gss_oid_decompose(minor_status, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, diff --git a/src/lib/gssapi/krb5/prf.c b/src/lib/gssapi/krb5/prf.c index e19291f..e897074 100644 --- a/src/lib/gssapi/krb5/prf.c +++ b/src/lib/gssapi/krb5/prf.c @@ -58,6 +58,10 @@ krb5_gss_pseudo_random(OM_uint32 *minor_status, ns.data = NULL; ctx = (krb5_gss_ctx_id_t)context; + if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } switch (prf_key) { case GSS_C_PRF_KEY_FULL: diff --git a/src/lib/gssapi/krb5/process_context_token.c b/src/lib/gssapi/krb5/process_context_token.c index ae33180..a672f48 100644 --- a/src/lib/gssapi/krb5/process_context_token.c +++ b/src/lib/gssapi/krb5/process_context_token.c @@ -39,11 +39,18 @@ krb5_gss_process_context_token(minor_status, context_handle, ctx = (krb5_gss_ctx_id_t) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } + /* We only support context deletion tokens for now, and RFC 4121 does not + * define a context deletion token. */ + if (ctx->proto) { + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + /* "unseal" the token */ if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle, @@ -52,8 +59,8 @@ krb5_gss_process_context_token(minor_status, context_handle, KG_TOK_DEL_CTX))) return(majerr); - /* that's it. delete the context */ - - return(krb5_gss_delete_sec_context(minor_status, &context_handle, - GSS_C_NO_BUFFER)); + /* Mark the context as terminated, but do not delete it (as that would + * leave the caller with a dangling context handle). */ + ctx->terminated = 1; + return(GSS_S_COMPLETE); } 
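Review bot: In the final hunk of src/lib/gssapi/krb5/process_context_token.c, returning GSS_S_COMPLETE after `ctx->terminated = 1;` gives the caller no signal that the context is now unusable; the only indication is GSS_S_NO_CONTEXT from later calls on the same handle. A comment at that return (and a note in the public documentation) should state that the caller still owns the handle and must release it with gss_delete_sec_context(), since the whole point of the change is that the library no longer frees it. The new `if (ctx->proto)` check is placed before the "unseal" step, so RFC 4121 contexts reject a supposed deletion token with GSS_S_DEFECTIVE_TOKEN without doing any unwrap work; that ordering is right and worth keeping if the function is later extended to other token types.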
diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c index 7bc4221..ed5c599 100644 --- a/src/lib/gssapi/krb5/wrap_size_limit.c +++ b/src/lib/gssapi/krb5/wrap_size_limit.c @@ -95,7 +95,7 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, } ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h index e56b9c1..2b5145e 100644 --- a/src/lib/gssapi/mechglue/mglueP.h +++ b/src/lib/gssapi/mechglue/mglueP.h @@ -25,7 +25,6 @@ do { \ */ typedef struct gss_union_ctx_id_struct { struct gss_union_ctx_id_struct *loopback; - struct gss_union_ctx_id_struct *interposer; gss_OID mech_type; gss_ctx_id_t internal_ctx_id; } gss_union_ctx_id_desc, *gss_union_ctx_id_t; diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c index 42ac783..975f94c 100644 --- a/src/lib/kadm5/kadm_rpc_xdr.c +++ b/src/lib/kadm5/kadm_rpc_xdr.c @@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head) free(tl); tl = tl2; } + *tl_data_head = NULL; break; case XDR_ENCODE: @@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp) case XDR_FREE: if(*objp != NULL) krb5_free_principal(context, *objp); + *objp = NULL; break; } return TRUE; diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c index 53bdb98..a05ea19 100644 --- a/src/lib/rpc/auth_gssapi_misc.c +++ b/src/lib/rpc/auth_gssapi_misc.c @@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data( if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) { PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n")); gss_release_buffer(minor, &out_buf); - xdr_free(xdr_func, xdr_ptr); XDR_DESTROY(&temp_xdrs); return FALSE; } diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c index 09a3534..b81c4a3 100644 
--- a/src/lib/rpc/svc_auth_gss.c +++ b/src/lib/rpc/svc_auth_gss.c @@ -65,16 +65,6 @@ extern const gss_OID_desc * const gss_mech_spkm3; extern SVCAUTH svc_auth_none; -/* - * from mit-krb5-1.2.1 mechglue/mglueP.h: - * Array of context IDs typed by mechanism OID - */ -typedef struct gss_union_ctx_id_t { - gss_OID mech_type; - gss_ctx_id_t internal_ctx_id; -} gss_union_ctx_id_desc, *gss_union_ctx_id_t; - - static auth_gssapi_log_badauth_func log_badauth = NULL; static caddr_t log_badauth_data = NULL; static auth_gssapi_log_badauth2_func log_badauth2 = NULL; @@ -239,16 +229,8 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst, gd->ctx = GSS_C_NO_CONTEXT; goto errout; } - /* - * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers, - * one to the mechanism oid, one to the internal_ctx_id - */ - if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) { - fprintf(stderr, "svcauth_gss_accept_context: out of memory\n"); - goto errout; - } - memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc)); - gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc); + gr->gr_ctx.value = "xxxx"; + gr->gr_ctx.length = 4; /* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version... */ gr->gr_win = sizeof(gd->seqmask) * 8; @@ -520,8 +502,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg, if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) { gss_release_buffer(&min_stat, &gr.gr_token); - mem_free(gr.gr_ctx.value, - sizeof(gss_union_ctx_id_desc)); ret_freegc (AUTH_FAILED); } *no_dispatch = TRUE; @@ -531,7 +511,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg, gss_release_buffer(&min_stat, &gr.gr_token); gss_release_buffer(&min_stat, &gd->checksum); - mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc)); if (!call_stat) ret_freegc (AUTH_FAILED); diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c index 254f8fb..7f04899 100644 --- a/src/tests/gssapi/t_prf.c +++ b/src/tests/gssapi/t_prf.c 
@@ -127,6 +127,7 @@ main(int argc, char *argv[]) uctx.mech_type = &mech_krb5; uctx.internal_ctx_id = (gss_ctx_id_t)&kgctx; kgctx.k5_context = NULL; + kgctx.established = 1; kgctx.have_acceptor_subkey = 1; kb1.contents = k1buf; kb2.contents = k2buf;

REFERENCES
==========

This announcement is posted at:

    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423

ACKNOWLEDGMENTS
===============

Thanks to Nico Williams for helping with analysis of CVE-2014-5352.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information, please
PGP-encrypt it using the following key:

pub   3072R/760FCCD9 2015-01-06 [expires: 2016-02-01]
      Key fingerprint = 00D9 5731 89FA AC2D D72E 6319 BD1E A606 760F CCD9
uid   MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

CVE-2014-5352: gss_process_context_token() incorrectly frees context

The krb5 mechanism implementation of gss_process_context_token(), upon
successfully validating a deletion token, frees the security context
structure. This behavior is incorrect as the API has no way to alert
the caller that the security context was deleted. The application is
left with a valid pointer to a mechglue security context structure,
containing a dangling pointer to a freed krb5 security context
structure. Any further use of this handle will result in a
use-after-free violation and eventually a double-free when the handle
is deleted with gss_delete_sec_context(). This vulnerability could
theoretically lead to the execution of malicious code, but that is
believed to be difficult.

Applications which call gss_process_context_token() are believed to be
rare, but the server code in the old flavor of libgssrpc GSS-API
authentication can be induced to call gss_process_context_token().

In release krb5-1.9 and earlier, the krb5 GSS mechanism contained
pointer validation code which should prevent subsequent dereferences of
the freed pointer. In these earlier releases, the vulnerability is
believed to be limited to a memory leak because
gss_delete_sec_context() will not free the mechglue security context
structure.

CVE-2014-9421: kadmind doubly frees partial deserialization results

libgssrpc applications use the XDR serialization format. XDR data is
serialized, deserialized, and freed using an application function,
often generated by the rpcgen command. If an application receives
incorrectly serialized data from the client, the XDR function will
return false to report a deserialization failure, perhaps leaving
behind partial deserialization results. To avoid a memory leak, these
partial results must be freed with another invocation of the XDR
function.

In a server application, this cleanup is performed automatically by
svc_getargs(). If the AUTH_GSSAPI authentication flavor is used, the
cleanup is also erroneously performed by the internal unwrap function,
so the XDR function is invoked twice to clean up the partial results.

XDR functions can be defensive about being invoked twice for cleanup by
assigning pointer values to NULL after freeing them. Most XDR functions
do this, but the XDR functions within libkadm5 for principal names and
tag-length data do not. When these functions are invoked twice by
libgssrpc to clean up a value, the second invocations perform
use-after-free and double-free memory access violations. These XDR
functions are only exposed to an authenticated attacker. This
vulnerability could theoretically lead to the execution of malicious
code, but that is believed to be difficult.

Client applications are not believed to be vulnerable because
clnt_call() and client stub functions do not free partial
deserialization results.

CVE-2014-9422: kadmind incorrectly validates server principal

When kadmind receives a request using the RPCSEC_GSS authentication
flavor, it queries the GSS-API security context for the server
principal name and attempts to verify that it is a two-component
principal name where the first component is "kadmin", the second
component is not "history", and the realm is the default realm. The
validation function incorrectly uses strcmp() to compare the
length-counted principal name components against null-terminated C
strings for "kadmin", "history", and the default realm. These
comparisons erroneously succeed for left substrings of the desired C
strings, so for example a first principal name component of "ka" would
be accepted.

kadmind can receive authentications to any server principal entry in
the Kerberos database (excluding entries with either the DISALLOW_SVR
or DISALLOW_ALL_TIX flags set). If the database contains an erroneously
matching principal entry such as "ka/x", and an attacker knows the key
for that entry, the attacker can conduct an escalation of privilege
attack by forging tickets from any client principal name to that server
principal. By picking a client principal name with administrative
privileges, the attacker could perform arbitrary administrative
operations on the Kerberos database.

CVE-2014-9423: libgssrpc servers output uninitialized bytes

RFC 2203 defines structures for the RPCSEC_GSS authentication flavor.
The rpc_gss_init_res structure which conveys responses to the client
contains an opaque "handle" field which is supposed to be used to
identify the GSS-API security context. The client mirrors this field
back to the server in the "handle" field of rpc_gss_cred_vers_1_t in
subsequent requests.

The MIT krb5 implementation of RPCSEC_GSS does not use the handle to
find the GSS-API context, but it still provides a handle value to the
client. To provide this value, it copies the first eight or sixteen
bytes out of the GSS-API security context handle. (The number of bytes
depends on the platform's pointer size; it is eight bytes on a 32-bit
platform and sixteen bytes on a 64-bit platform.)

In release krb5-1.11, an unused "interposer" field was added to the
mechglue GSS security context structure as the second pointer field.
Because this field is unused, it remains uninitialized, so the second
half of the bytes copied from the GSS security context handle are
uninitialized. The contents of the uninitialized bytes could contain
any heap data previously freed by the application or any library it
uses. The MIT Kerberos libraries and kadmind are generally careful to
zero out sensitive data such as Kerberos key data before freeing it,
but there is nevertheless a risk of leakage of a small amount of
sensitive data to the network.

REVISION HISTORY
================

2015-02-03 original release

Copyright (C) 2015 Massachusetts Institute of Technology
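Review bot: In the check_rpcsec_auth hunk of src/kadmin/server/kadm_rpc_svc.c, the only `goto fail_princ;` visible in the hunk is in the removed lines while the `fail_princ:` label is kept in the trailing context; if no jump to it remains above the hunk, the label is now unused and will draw an unused-label warning, so either drop it or keep an early-exit path that uses it. The replacement `success = data_eq_string(*realm, handle->params.realm) && data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history");` is the correct full-length compare and is why the first hunk swaps `<k5-platform.h>` for `<k5-int.h>`; a one-line comment naming CVE-2014-9422 at that spot would stop a future cleanup from reverting to strncmp() bounded by the component length.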
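Review bot: The new `unsigned int terminated : 1;` bit in the krb5_gss_ctx_id_rec hunk of src/lib/gssapi/krb5/gssapiP_krb5.h is never explicitly initialized anywhere in this patch, so every `ctx->terminated || !ctx->established` check added in the other files relies on the context record being zero-filled when it is allocated; please confirm the initiator and acceptor allocation paths calloc or memset the record, and add a comment on the field saying it is set only by process_context_token.c and never cleared. The same applies to the t_prf.c test hunk, which sets `kgctx.established = 1;` but relies on `terminated` already being zero in that stack-allocated record.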
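Review bot: In the two XDR_FREE hunks of src/lib/kadm5/kadm_rpc_xdr.c, `*tl_data_head = NULL;` and `*objp = NULL;` make xdr_krb5_tl_data() and xdr_krb5_principal() safe to invoke twice for cleanup, which is the right defensive fix; since the advisory text says these were the only two non-defensive XDR functions in libkadm5, it would be worth adding a regression test that calls each XDR_FREE case twice on a partially deserialized value so a future XDR function cannot regress the same way silently.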
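Review bot: In the auth_gssapi_unwrap_data hunk of src/lib/rpc/auth_gssapi_misc.c, removing `xdr_free(xdr_func, xdr_ptr);` from the deserialization-failure path is correct only because the caller (svc_getargs, per the advisory text) already frees partial results; as written the spot now looks like a leak, and the next reader will put the call back and reintroduce the double free. Suggest a comment on the `return FALSE;` path such as `/* Partial results are freed by the caller via xdr_free(); do not free here. */`.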
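Review bot: In the svcauth_gss_accept_sec_context hunk of src/lib/rpc/svc_auth_gss.c, `gr->gr_ctx.value = "xxxx";` assigns a string literal to a buffer pointer; if gr_ctx.value is a non-const `void *` or `char *`, any later write or free through it is undefined behaviour, so a `static const char` array with a comment stating that this implementation ignores the handle and only needs a fully initialized opaque value would make the intent explicit. The two later hunks that delete the `mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc));` calls are required for this change and must land together with it, since freeing the literal would crash.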
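As an added example (not from the advisory or the krb5 tree), the CVE-2014-9422 comparison bug written out in C: a stand-in for krb5's length-counted component type, the pre-fix check that bounds strncmp() by the component length, and the fixed full-length comparison, run over the advisory's "ka/x" case and a realm that is a left prefix of the default realm. The names comp_t, mkcomp, comp_eq_string, vulnerable_check and fixed_check are made up here, as is the default realm EXAMPLE.COM.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for krb5_data: a length-counted component that is not
 * NUL-terminated in real use. Constructed for this example. */
typedef struct {
    unsigned int length;
    const char *data;
} comp_t;

/* Hypothetical helper: build a component from a C string. */
static comp_t mkcomp(const char *s)
{
    comp_t c;
    c.length = (unsigned int)strlen(s);
    c.data = s;
    return c;
}

/* Full-length comparison: equal only when the lengths match and every
 * byte matches. Same intent as the data_eq_string() used in the fix. */
static int comp_eq_string(comp_t c, const char *s)
{
    size_t n = strlen(s);
    return (size_t)c.length == n && memcmp(c.data, s, n) == 0;
}

/* Pre-fix logic of check_rpcsec_auth(): strncmp() is bounded by the
 * component's own length, so a component that is a left substring of
 * the expected string ("ka" for "kadmin", "EXAMPLE" for "EXAMPLE.COM")
 * compares equal. Returns 1 if the server principal is accepted. */
int vulnerable_check(const char *default_realm, comp_t realm,
                     comp_t c1, comp_t c2)
{
    if (strncmp(default_realm, realm.data, realm.length) == 0
        && strncmp("kadmin", c1.data, c1.length) == 0) {
        if (strncmp("history", c2.data, c2.length) == 0)
            return 0;           /* kadmin/history is never accepted */
        return 1;
    }
    return 0;
}

/* Post-fix logic: each component must equal the expected string in full. */
int fixed_check(const char *default_realm, comp_t realm,
                comp_t c1, comp_t c2)
{
    return comp_eq_string(realm, default_realm) &&
           comp_eq_string(c1, "kadmin") &&
           !comp_eq_string(c2, "history");
}

int main(void)
{
    const char *dr = "EXAMPLE.COM";          /* constructed default realm */
    struct { const char *realm, *c1, *c2; } cases[] = {
        { "EXAMPLE.COM", "kadmin", "admin" },   /* legitimate service principal */
        { "EXAMPLE.COM", "ka",     "x" },       /* the advisory's "ka/x" case */
        { "EXAMPLE",     "kadmin", "x" },       /* realm is a left prefix */
        { "EXAMPLE.COM", "kadmin", "history" }, /* must always be rejected */
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        comp_t r = mkcomp(cases[i].realm);
        comp_t a = mkcomp(cases[i].c1);
        comp_t b = mkcomp(cases[i].c2);
        printf("%s/%s@%s: pre-fix=%d fixed=%d\n", cases[i].c1, cases[i].c2,
               cases[i].realm, vulnerable_check(dr, r, a, b),
               fixed_check(dr, r, a, b));
    }
    return 0;
}
```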
Peter, I checked the krb 1.5.6 code in SUSE:SLE-11-SP1:Update:Test krb5 and the patches would largely apply as-is. I think they are affected... What makes you think they are not? (Upstream is not listing all old versions.)
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-02-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60418
(In reply to Marcus Meissner from comment #6) Ping. This becomes public tomorrow, can you please provide submits?
This is an autogenerated message for OBS integration:
This bug (912002) was mentioned in
https://build.opensuse.org/request/show/283811 13.2 / krb5
https://build.opensuse.org/request/show/283812 13.2 / krb5+krb5-mini
(Actually openSUSE should have waited until security team gives the official "GO GO GO". As it gets public today, we might overlook that.) Please also submit fixed packages for SLE11.
Is public http://www.securityfocus.com/archive/1/534613
openSUSE-SU-2015:0255-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 897874,898439,912002
CVE References: CVE-2014-5351,CVE-2014-5352,CVE-2014-9421,CVE-2014-9422,CVE-2014-9423
Sources used:
openSUSE 13.2 (src): krb5-1.12.2-6.1, krb5-mini-1.12.2-6.1
SUSE-SU-2015:0257-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 872912,906557,912002
CVE References: CVE-2014-5352,CVE-2014-9421,CVE-2014-9422,CVE-2014-9423
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): krb5-1.6.3-133.49.66.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): krb5-1.6.3-133.49.66.1, krb5-doc-1.6.3-133.49.66.1, krb5-plugins-1.6.3-133.49.66.1
SUSE Linux Enterprise Server 11 SP3 (src): krb5-1.6.3-133.49.66.1, krb5-doc-1.6.3-133.49.66.1, krb5-plugins-1.6.3-133.49.66.1
SUSE Linux Enterprise Desktop 11 SP3 (src): krb5-1.6.3-133.49.66.1
SUSE-SU-2015:0290-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 897874,898439,912002
CVE References: CVE-2014-5351,CVE-2014-5352,CVE-2014-9421,CVE-2014-9422,CVE-2014-9423
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): krb5-1.12.1-9.1
SUSE Linux Enterprise Server 12 (src): krb5-1.12.1-9.1
SUSE Linux Enterprise Build System Kit 12 (src): krb5-mini-1.12.1-9.1
SUSE-SU-2015:0290-2: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 897874,898439,912002
CVE References: CVE-2014-5351,CVE-2014-5352,CVE-2014-9421,CVE-2014-9422,CVE-2014-9423
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): krb5-1.12.1-9.1
SUSE Linux Enterprise Server 12 (src): krb5-1.12.1-9.1
SUSE Linux Enterprise Desktop 12 (src): krb5-1.12.1-9.1
SUSE Linux Enterprise Build System Kit 12 (src): krb5-mini-1.12.1-9.1
We received positive feedback from the customer. We're good to close. Thank you!
Fixed
looks all released