918595 – (CVE-2014-5355) VUL-0: CVE-2014-5355: krb5: denial of service in krb5_read_message

Bug 918595 (CVE-2014-5355) - VUL-0: CVE-2014-5355: krb5: denial of service in krb5_read_message

Summary: VUL-0: CVE-2014-5355: krb5: denial of service in krb5_read_message

Status:	RESOLVED FIXED

Alias:	CVE-2014-5355

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Deadline:	2015-03-12
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/113987/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-02-19 11:06 UTC by Johannes Segitz
Modified:	2017-05-15 22:42 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2015-02-19 11:06:16 UTC

In MIT krb5, when a server process uses the krb5_recvauth function, an
unauthenticated remote attacker can cause a NULL dereference by
sending a zero-byte version string, or a read beyond the end of
allocated storage by sending a non-null-terminated version string.
The example user-to-user server application (uuserver) is similarly
vulnerable to a zero-length or non-null-terminated principal name
string.

The krb5_recvauth function reads two version strings from the client
using krb5_read_message(), which produces a krb5_data structure
containing a length and a pointer to an octet sequence.  krb5_recvauth
assumes that the data pointer is a valid C string and passes it to
strcmp() to verify the versions.  If the client sends an empty octet
sequence, the data pointer will be NULL and strcmp() will dereference
a NULL pointer, causing the process to crash.  If the client sends a
non-null-terminated octet sequence, strcmp() will read beyond the end
of the allocated storage, possibly causing the process to crash.

uuserver similarly uses krb5_read_message() to read a client principal
name, and then passes it to printf() and krb5_parse_name() without
verifying that it is a valid C string.

The krb5_recvauth function is used by kpropd and the Kerberized
versions of the BSD rlogin and rsh daemons.  These daemons are usually
run out of inetd or in a mode which forks before processing incoming
connections, so a process crash will generally not result in a
complete denial of service.

Thanks to Tim Uglow for discovering this issue.

Fix: https://github.com/krb5/krb5/commit/102bb6ebf20f9174130c85c3b052ae104e5073ec

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1193939
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5355
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5355.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355

Comment 1 Swamp Workflow Management 2015-02-19 23:00:14 UTC

bugbot adjusting priority

Comment 2 Swamp Workflow Management 2015-02-26 14:53:44 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60833

Comment 3 Marcus Meissner 2015-03-11 10:04:25 UTC

ping? please submit

Comment 5 Bernhard Wiedemann 2015-03-11 20:00:07 UTC

This is an autogenerated message for OBS integration:
This bug (918595) was mentioned in
https://build.opensuse.org/request/show/290343 13.2+13.1 / krb5+krb5-mini

Comment 7 Swamp Workflow Management 2015-03-19 18:06:29 UTC

openSUSE-SU-2015:0542-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 910457,910458,918595
CVE References: CVE-2014-5353,CVE-2014-5354,CVE-2014-5355
Sources used:
openSUSE 13.2 (src):    krb5-1.12.2-12.1, krb5-mini-1.12.2-12.1
openSUSE 13.1 (src):    krb5-1.11.3-3.18.1, krb5-mini-1.11.3-3.18.1

Comment 17 Swamp Workflow Management 2015-07-22 11:08:26 UTC

SUSE-SU-2015:1276-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 910457,910458,918595,928978
CVE References: CVE-2014-5353,CVE-2014-5354,CVE-2014-5355,CVE-2015-2694
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    krb5-1.12.1-16.1
SUSE Linux Enterprise Server 12 (src):    krb5-1.12.1-16.1

Comment 19 Swamp Workflow Management 2015-07-23 16:09:02 UTC

SUSE-SU-2015:1282-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 910457,910458,918595
CVE References: CVE-2014-5353,CVE-2014-5354,CVE-2014-5355
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    krb5-1.6.3-133.49.68.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    krb5-1.6.3-133.49.68.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    krb5-1.6.3-133.49.68.1, krb5-doc-1.6.3-133.49.68.2, krb5-plugins-1.6.3-133.49.68.1
SUSE Linux Enterprise Server 11-SP4 (src):    krb5-1.6.3-133.49.68.1, krb5-doc-1.6.3-133.49.68.2, krb5-plugins-1.6.3-133.49.68.1
SUSE Linux Enterprise Server 11-SP3 (src):    krb5-1.6.3-133.49.68.1, krb5-doc-1.6.3-133.49.68.2, krb5-plugins-1.6.3-133.49.68.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    krb5-1.6.3-133.49.68.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    krb5-1.6.3-133.49.68.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    krb5-1.6.3-133.49.68.1

Comment 23 Andreas Stieger 2015-07-27 13:10:20 UTC

all released

Comment 24 Bernhard Wiedemann 2015-08-03 08:00:06 UTC

This is an autogenerated message for OBS integration:
This bug (918595) was mentioned in
https://build.opensuse.org/request/show/320084 42 / krb5