MITKRB5-SA-2011-003 MIT krb5 Security Advisory 2011-003 Original release: 2011-03-15 Last update: 2011-03-15 Topic: KDC vulnerable to double-free when PKINIT enabled CVE-2011-0284 CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 9.3 Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete CVSSv2 Temporal Score: 7.3 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult). IMPACT ====== An unauthenticated remote attacker can induce a double-free event, causing the KDC daemon to crash (denial of service), or to execute arbitrary code. Exploiting a double-free event to execute arbitrary code is believed to be difficult. AFFECTED SOFTWARE ================= The KDC in releases krb5-1.7 and later are vulnerable, if they are configured to respond to PKINIT requests. Earlier releases did not contain the vulnerable code. Additionally, third-party preauthentication plugins that generate TYPED-DATA in the e-data field of a KRB-ERROR message may be vulnerable. FIXES ===== * Upcoming releases in the krb5-1.7, krb5-1.8, and krb5-1.9 series will contain fixes. * Apply the following patch: diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 46b5fa1..464cb6e 100644 - --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, pad->contents = td[size]->data; pad->length = td[size]->length; pa[size] = pad; + td[size]->data = NULL; + td[size]->length = 0; } krb5_free_typed_data(kdc_context, td); } This patch is also available at http://web.mit.edu/kerberos/advisories/2011-003-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2011-003-patch.txt.asc REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: CVE-2011-0284 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0284 ACKNOWLEDGMENTS =============== This issue was discovered by Cameron Meadors of Red Hat. CONTACT ======= The MIT Kerberos Team security contact address is <krbcore-security@mit.edu>. When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01] uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu> DETAILS ======= In do_as_req.c, the function perpare_error_as() attempts to decode the e_data field both as preauth data and as typed data. If the e_data contents are typed data, they are converted to preauth data. This conversion can free pointers to the typed data items, and free them again when cleaning up the preauth data during function exit. REVISION HISTORY ================ 2011-03-15 original release Copyright (C) 2011 Massachusetts Institute of Technology Reproducible: Always
+*mit-krb5-1.9-r2 (16 Mar 2011) +*mit-krb5-1.8.3-r4 (16 Mar 2011) + + 16 Mar 2011; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r4.ebuild, + +mit-krb5-1.9-r2.ebuild, +files/CVE-2011-0284.patch: + version bump - security bug #359129 + @security: =app-crypt/mit-krb5-1.8.3-r4 should be stabilized. Thanks.
Arches, please test and mark stable: =app-crypt/mit-krb5-1.8.3-r4 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
amd64 ok
ppc/ppc64 stable
Stable for HPPA.
x86 stable.
alpha/arm/ia64/m68k/s390/sh/sparc stable
amd64 done. Thanks Agostino
Thanks, everyone. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml by GLSA coordinator Sean Amoss (ackle).