Bug 991088 (CVE-2016-3120) - VUL-1: CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted
Summary: VUL-1: CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted
Status: RESOLVED FIXED
Alias: CVE-2016-3120
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Howard Guo
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/171398/
Whiteboard: CVSSv2:SUSE:CVE-2016-3120:2.1:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-28 14:18 UTC by Andreas Stieger
Modified: 2016-09-08 20:08 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2016-07-28 14:18:44 UTC 
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8458

CVE-2016-3120:

In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.



Fix S4U2Self KDC crash when anon is restricted

In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.



  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
Author: Greg Hudson <ghudson@mit.edu>
Commit: 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
Branch: master
 src/kdc/kdc_util.c    |    2 +-
 src/tests/t_pkinit.py |    5 +++++
 2 files changed, 6 insertions(+), 1 deletions(-)






References:
https://bugzilla.redhat.com/show_bug.cgi?id=1361050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3120
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3120.html
Comment 1 Swamp Workflow Management 2016-07-28 22:02:10 UTC 
bugbot adjusting priority
Comment 2 Howard Guo 2016-07-29 09:25:02 UTC 
Updates are on their way to all SPs.
Comment 3 Howard Guo 2016-07-29 09:25:11 UTC 
Updates are on their way to all SPs.
Comment 5 Sebastian Krahmer 2016-08-23 13:23:20 UTC 
do we need opensuse?
Comment 6 Swamp Workflow Management 2016-08-23 17:09:02 UTC 
SUSE-SU-2016:2136-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 991088
CVE References: CVE-2016-3120
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    krb5-1.12.1-36.4
SUSE Linux Enterprise Server 12-SP1 (src):    krb5-1.12.1-36.4
SUSE Linux Enterprise Desktop 12-SP1 (src):    krb5-1.12.1-36.4
Comment 7 Howard Guo 2016-08-24 08:06:23 UTC 
Don't worry, opensuse already had the newer version of Kerberos with the patch already applied.
Comment 8 Sebastian Krahmer 2016-08-24 08:23:18 UTC 
nice, so this bug can be closed as resolved. thx :)
Comment 9 Swamp Workflow Management 2016-09-08 20:08:54 UTC 
openSUSE-SU-2016:2268-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 991088
CVE References: CVE-2016-3120
Sources used:
openSUSE Leap 42.1 (src):    krb5-1.12.1-36.3, krb5-mini-1.12.1-36.1