MITKRB5-SA-2010-005 MIT krb5 Security Advisory 2010-005 Original release: 2010-05-18 Topic: GSS-API library null pointer dereference CVE-2010-1321 CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 6.8 Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 5.3 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= Certain invalid GSS-API tokens can cause a GSS-API acceptor (server) to crash due to a null pointer dereference in the GSS-API library. This is an implementation vulnerability in MIT krb5, and not a vulnerability in the Kerberos protocol. IMPACT ====== An authenticated remote attacker can cause a GSS-API application server (including the Kerberos administration daemon kadmind) to crash by sending a malformed GSS-API token that induces a null pointer dereference. AFFECTED SOFTWARE ================= * kadmind and other GSS-API server applications in all known releases of MIT krb5, up to and including krb5-1.8.1 * third-party GSS-API server applications that link link against the GSS-API library in all known releases of MIT krb5, up to and including krb5-1.8.1 * Independent implementations of the krb5 GSS-API mechanism may be vulnerable, as the underlying bug is based on plausible (but invalid) assumptions about the Kerberos protocol. FIXES ===== * The upcoming krb5-1.8.2 release and an upcoming krb5-1.7 series release will contain a fix for this vulnerability. * Apply the following patch. The patch was generated against krb5-1.8.1, but should also apply to krb5-1.7 series releases. diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index ce3075f..6241055 100644 - --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -607,6 +607,13 @@ kg_accept_krb5(minor_status, context_handle, } #endif + if (authdat->checksum == NULL) { + /* missing checksum counts as "inappropriate type" */ + code = KRB5KRB_AP_ERR_INAPP_CKSUM; + major_status = GSS_S_FAILURE; + goto fail; + } + if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) { /* Samba does not send 0x8003 GSS-API checksums */ krb5_boolean valid; This patch is also available at http://web.mit.edu/kerberos/advisories/2010-005-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2010-005-patch.txt.asc For the krb5-1.6 release: http://web.mit.edu/kerberos/advisories/2010-005-patch_r16.txt PGP-signed patch for krb5-1.6: http://web.mit.edu/kerberos/advisories/2010-005-patch_r16.txt.asc Earlier releases may require minor porting. REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: CVE-2010-1321 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321 ACKNOWLEDGMENTS =============== Thanks to Shawn Emery (Oracle) for reporting this vulnerability. CONTACT ======= The MIT Kerberos Team security contact address is <krbcore-security at mit.edu>. When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01] uid MIT Kerberos Team Security Contact <krbcore-security at mit.edu> DETAILS ======= The krb5 GSS-API mechanism specification requires that the checksum field in the authenticator of the Kerberos AP-REQ (which is optional in the base Kerberos protocol) be present and contain specific contents. If the checksum field is missing, the decoded structure contains a null pointer, which code called through krb5_gss_accept_sec_context() dereferences without first checking for a null pointer. Independent implementations of the krb5 GSS-API mechanism may be vulnerable because a developer might reasonably make the invalid assumption that the authenticator checksum field is not empty (and hence, that the C representation would not contain a null pointer). REVISION HISTORY ================ 2010-05-18 original release Copyright (C) 2010 Massachusetts Institute of Technology Reproducible: Always
Created attachment 232023 [details] mit-krb5-1.8.1-r1.ebuild
Created attachment 232025 [details] CVE-2010-1321.patch
Changelog: Patch for CVE-2010-1321. Disable rpath - bug #187201. Installs kerberos.schema - bug #318017. Ebuild clean up. Enable parallel make.
+*mit-krb5-1.8.1-r1 (23 May 2010) + + 23 May 2010; Jeremy Olexa <darkside@gentoo.org> +mit-krb5-1.8.1-r1.ebuild, + +files/CVE-2010-1321.patch: + Patch for CVE-2010-1321 - bug #320445. Disable rpath - bug #187201. + Installs kerberos.schema - bug #318017. Ebuild clean up. Enable parallel + make. Thanks to Eray Aslan
CVE-2010-1320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1320): Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before 1.8.2 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a request associated with (1) renewal or (2) validation.
CVE-2010-1321 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1321): The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.
Please stabilize app-crypt/mt-krb5-1.8.2. See bug #323525
Moved CVEs to bug 323525.