Gentoo's Bugzilla – Attachment 145337 Details for Bug 212363
app-crypt/mit-krb5 < 1.6.3 MITKRB5-SA-{2008-001|2008-002} (CVE-2008-{0062,0063,0947,0948})
MITKRB5-SA-2008-002
MITKRB5-SA-2008-002 (text/plain), 9.80 KB, created by Sune Kloppenborg Jeppesen (RETIRED) on 2008-03-05 10:05:10 UTC
Flags: patch, obsolete
>The MIT Kerberos Team is aware of the following vulnerabilities in the
>MIT krb5 software.  Please treat this information as confidential, and
>do not publicly disseminate it prior to our public disclosure.  Also,
>please do not use un-encrypted communications to discuss this
>vulnerability.
>
>We have drafted MITKRB5-SA-2008-002 describing these vulnerabilities.
>
>We plan to publish no sooner than Tuesday, 18 March 2008, at 14:00
>US/Eastern time.  We plan to notify CERT/CC and vendor-sec@lst.de on
>4 March 2008, but only provide them with summary text.  Vendors
>contacted through CERT/CC or vendor-sec will be requested to contact
>us directly for details.  We will post our public disclosure to the
>kerberos-announce@mit.edu and bugtraq@securityfocus.com mailing lists.
>
>Please let us know if you have any concerns about this disclosure
>timeline.  Also, please send us any comments you have concerning the
>advisory text or the patches.  Our preferred security contact PGP key
>is available on the keyserver pgp.mit.edu:
>
>pub  1024D/2915318C 2008-01-18 [expires: 2009-02-01]
>uid   MIT Kerberos Team Security Contact <krbcore-security@mit.edu>
>sub  2048g/3A91A276 2008-01-18 [expires: 2009-02-01]
>
>As part of our effort to improve our vendor coordination process,
>please tell us which releases of MIT krb5 you use in your products, as
>well as which components.
>
>======================================================================
>
>*** CONFIDENTIAL PRERELEASE VULNERABILITY INFORMATION ***
>
>DRAFT - DO NOT PUBLISH - DRAFT - DO NOT PUBLISH - DRAFT - DO NOT PUBLISH
>
>MITKRB5-SA-2008-002
>
>MIT krb5 Security Advisory 2008-002
>Original release: YYYY-MM-DD
>Last update: YYYY-MM-DD
>
>Topic: array overrun in RPC library used by kadmind
>
>CVE-2008-0947, CVE-2008-0948
>VU#NNNNNN
>Use of high-numbered file descriptors in the RPC library, used by
>kadmind, can cause references past the end of an array.
>
>CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:P/RL:T/RC:C
>
>CVSSv2 Base Score:    10
>
>Access Vector:      Network
>Access Complexity:    Low
>Authentication:     None
>Confidentiality Impact: Complete
>Integrity Impact:    Complete
>Availability Impact:   Complete
>
>CVSSv2 Temporal Score:  7.8
>
>Exploitability:     Proof-of-Concept
>Remediation Level:    Official fix
>Report Confidence:    Confirmed
>
>SUMMARY
>=======
>
>Two bugs in the RPC library server code, used in the kadmin server,
>cause an array overrun if too many file descriptors are opened.
>Memory corruption can result.
>
>IMPACT
>======
>
>An unauthenticated remote attacker can cause memory corruption in the
>kadmind process, which is likely to cause kadmind to crash, resulting
>in a denial of service.  It is at least theoretically possible for
>such corruption to result in database corruption or arbitrary code
>execution, though we have no such exploit and are not aware of any
>such exploits in use in the wild.
>
>CVE-2008-0947: In 1.4 and later, this bug can only be triggered in
>configurations that allow large numbers of open file descriptors in a
>process.
>
>CVE-2008-0948: In versions before 1.3, this bug can be triggered in
>similar circumstances, but is further limited to platforms not
>defining certain macros in certain C system header files.  Solaris 10
>and Mac OS X 10.4 appear to be unaffected, while GNU libc systems
>(e.g., many GNU/Linux distributions) are.  It appears that in at least
>some cases kadmind will simply exit after getting a "bad file
>descriptor" error, but this cannot be guaranteed.
>
>AFFECTED SOFTWARE
>=================
>
>CVE-2008-0947: libgssrpc and kadmind, from krb5-1.4 through krb5-1.6.3
>
>CVE-2008-0948: libgssrpc and kadmind, in krb5-1.2.2 and probably most
>other versions before 1.3, on systems where <unistd.h> does not define
>FD_SETSIZE.
>
>FIXES
>=====
>
>* Workaround: Check the system header files for the value of
> FD_SETSIZE.
Use "ulimit -n" or "limit descriptors" in the shell > invoking kadmind to limit the number of open file descriptors to > FD_SETSIZE or less, before starting kadmind.  Then the operating > system will prevent the use of file descriptors large enough to > exploit this bug. > >* Apply the following patch for krb5-1.4 and later: > >=== src/lib/rpc/svc.c >================================================================== >--- src/lib/rpc/svc.c   (revision 1666) >+++ src/lib/rpc/svc.c   (local) >@@ -109,15 +109,17 @@ >        if (sock < FD_SETSIZE) { >                xports[sock] = xprt; >                FD_SET(sock, &svc_fdset); >+               if (sock > svc_maxfd) >+                       svc_maxfd = sock; >        } > #else >        if (sock < NOFILE) { >                xports[sock] = xprt; >                svc_fds |= (1 << sock); >+               if (sock > svc_maxfd) >+                       svc_maxfd = sock; >        } > #endif /* def FD_SETSIZE */ >-       if (sock > svc_maxfd) >-               svc_maxfd = sock; > } > > /* >=== src/lib/rpc/svc_tcp.c >================================================================== >--- src/lib/rpc/svc_tcp.c       (revision 1666) >+++ src/lib/rpc/svc_tcp.c       (local) >@@ -54,6 +54,14 @@ > extern errno; > */ > >+#ifndef FD_SETSIZE >+#ifdef NBBY >+#define NOFILE (sizeof(int) * NBBY) >+#else >+#define NOFILE (sizeof(int) * 8) >+#endif >+#endif >+ > /* > * Ops vector for TCP/IP based rpc service handle > */ 
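Review bot: in the svc.c hunk (@@ -109,15 +109,17 @@) moving the svc_maxfd update inside the bounds check is the right fix for both the FD_SETSIZE and the NOFILE branch, but a descriptor that fails the check is now dropped silently: xports[] and svc_fdset are not touched and nothing in this hunk signals the refusal to the caller. Consider logging the refused descriptor here or making the registration report failure, as the svc_tcp.c part of the patch does for makefd_xprt(), so an operator can tell why a transport never becomes active.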
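Review bot: in the svc_tcp.c hunk (@@ -54,6 +54,14 @@) the new NOFILE definition is guarded only by #ifndef FD_SETSIZE, not by #ifndef NOFILE, so on systems whose headers already provide NOFILE (traditionally a <sys/param.h> constant) this will redefine it, and if that existing value differs from sizeof(int) * NBBY the bound used in makefd_xprt() will disagree with the one svc.c applies in its #else branch (`if (sock < NOFILE)`). Add an #ifndef NOFILE guard and move the definition to a header shared by svc.c and svc_tcp.c rather than defining it in svc_tcp.c alone.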
>@@ -215,6 +223,19 @@ >        register SVCXPRT *xprt; >        register struct tcp_conn *cd; > >+#ifdef FD_SETSIZE >+       if (fd >= FD_SETSIZE) { >+               (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); >+               xprt = NULL; >+               goto done; >+       } >+#else >+       if (fd >= NOFILE) { >+               (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); >+               xprt = NULL; >+               goto done; >+       } >+#endif >        xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT)); >        if (xprt == (SVCXPRT *)NULL) { >                (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n"); >@@ -271,6 +292,10 @@ >        * make a new transporter (re-uses xprt) >        */ >        xprt = makefd_xprt(sock, r->sendsize, r->recvsize); >+       if (xprt == NULL) { >+               close(sock); >+               return (FALSE); >+       } >        xprt->xp_raddr = addr; >        xprt->xp_addrlen = len; >        xprt->xp_laddr = laddr; > > This patch will result in too-high-numbered file descriptors being > immediately closed after the connection comes in.  Clients will see > connections established, and then closed; a "GSS-API (or Kerberos) > error while initializing kadmin interface" will eventually result. > Once some of the lower-numbered file descriptors are closed, clients > will be able to get useful connections again. > >* Apply the following patch for krb5-1.2.2 and probably other pre-1.3 > versions: > >Index: src/lib/rpc/rpc_dtablesize.c >=================================================================== >--- src/lib/rpc/rpc_dtablesize.c        (revision 20237) >+++ src/lib/rpc/rpc_dtablesize.c        (working copy) 
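Review bot: in the makefd_xprt() hunk (@@ -215,6 +223,19 @@) the #ifdef FD_SETSIZE and #else branches differ only in the bound, so the duplicated fprintf / xprt = NULL / goto done block could be a single check against one limit macro, which would also keep this bound from drifting apart from the one in svc.c. The "fd too high" message goes to stderr, which for a daemon such as kadmind is often not attached to anything; reporting it through the same channel the server uses for other errors would let operators see the cause, since the advisory text notes that clients only get a generic "GSS-API (or Kerberos) error". Also confirm that the code after the done: label copes with xprt == NULL, as this path now reaches it without an allocated handle.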
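Review bot: in the rendezvous hunk (@@ -271,6 +292,10 @@) the NULL check after makefd_xprt() is the right place to close the accepted socket, and if makefd_xprt() already returned NULL on its out-of-memory path this also removes a pre-existing NULL dereference, since the old code went straight to `xprt->xp_raddr = addr;`. Check what the caller does with the FALSE return: if it treats FALSE as fatal rather than as "no new connection", a burst of high-numbered descriptors could stop the service loop, whereas the advisory text expects the server to keep running and recover once lower-numbered descriptors are freed.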
>@@ -32,6 +32,7 @@ > #endif > > #include <unistd.h> >+#include <gssrpc/rpc.h> > > /* > * Cache the result of getdtablesize(), so we don't have to do an > > >* The next release from MIT (1.6.4) will include a fix. > >REFERENCES >========== > >This announcement is posted at: > > http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt > >This announcement and related security advisories may be found on the >MIT Kerberos security advisory page at: > >    http://web.mit.edu/kerberos/advisories/index.html > >The main MIT Kerberos web page is at: > >    http://web.mit.edu/kerberos/index.html > >CVSSv2: > >  http://www.first.org/cvss/cvss-guide.html >  http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 > >CVE: CVE-2008-0947 >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947 > >CVE: CVE-2008-0948 >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0948 > >CERT: VU#NNNNNN >http://www.kb.cert.org/vuls/id/NNNNNN > >ACKNOWLEDGMENTS >=============== > >Thanks to Jeff Altman of Secure Endpoints for discovering and >reporting this problem in 1.6.3. > >Thanks to the Red Hat Security Response Team for noting that 1.2.2 was >also affected by the same problem, for different reasons. > >CONTACT >======= > >The MIT Kerberos Team security contact address is ><krbcore-security@mit.edu>.  When sending sensitive information, >please PGP-encrypt it using the following key: > >pub  1024D/2915318C 2008-01-18 [expires: 2009-02-01] >uid   MIT Kerberos Team Security Contact <krbcore-security@mit.edu> >sub  2048g/3A91A276 2008-01-18 [expires: 2009-02-01] > >DETAILS >======= > >The variable svc_maxfd tracks the highest-numbered file descriptor >registered with the RPC library as a transport handle.  While the >registration function does check that the file descriptor number is >less than FD_SETSIZE for array references, the code for updating >svc_maxfd is not so protected.  
>Elsewhere, svc_maxfd is used as an
>upper bound for array indexing, and as the maximum file descriptor
>number to pass to select().
>
>In 1.2.2, the variable is called max_xport, and is checked against the
>value returned by _gssrpc_rpc_dtablesize(), but while that function
>checks FD_SETSIZE if it's defined, the source file containing it only
>includes unistd.h, which doesn't define FD_SETSIZE on all platforms.
>In kadmind, the value from _gssrpc_rpc_dtablesize() is also passed to
>select() as the maximum file descriptor number.
>
>REVISION HISTORY
>================
>
>YYYY-MM-DD    original release
>
>Copyright (C) 2008 Massachusetts Institute of Technology
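Review bot: in the rpc_dtablesize.c hunk (@@ -32,6 +32,7 @@) the fix is indirect: adding #include <gssrpc/rpc.h> only helps because that header transitively pulls in the system header that defines FD_SETSIZE, so the existing FD_SETSIZE check in _gssrpc_rpc_dtablesize() starts to take effect. A reader of this file cannot see why the include is there, and a later change to the includes in rpc.h would silently reopen the bug. Include the header that actually defines FD_SETSIZE directly (on GNU libc systems <sys/select.h> or <sys/types.h>) and add a one-line comment stating that FD_SETSIZE must be visible before the check below.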
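As an added illustration, not MIT's code and not part of the attachment, the following C model of the svc_maxfd bookkeeping shows the bounds-checked registration the svc.c fix arrives at, together with the FD_SETSIZE-versus-RLIMIT_NOFILE check behind the advisory's "ulimit -n" workaround. The names xports, svc_fdset and svc_maxfd are taken from the advisory; register_xprt, current_maxfd, fd_limit_is_safe and process_fd_limit_is_safe are hypothetical.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>

/* Hypothetical model (not libgssrpc code) of the advisory's tables: xports[] and
 * svc_fdset are indexed by descriptor number, so indices must stay below FD_SETSIZE. */
static void *xports[FD_SETSIZE];
static fd_set svc_fdset;
static int svc_maxfd = -1;

int current_maxfd(void) { return svc_maxfd; }

/* Hardened registration, mirroring the svc.c fix.  Unfixed code guarded
 * the table write but not the svc_maxfd update, so one high-numbered
 * descriptor pushed the bound (also passed to select()) past xports[].
 * Returns 1 when registered, 0 when refused; the caller must then close
 * the socket, as the svc_tcp.c part of the patch does. */
int register_xprt(int sock, void *xprt)
{
    if (sock < 0 || sock >= FD_SETSIZE)
        return 0;
    xports[sock] = xprt;
    FD_SET(sock, &svc_fdset);
    if (sock > svc_maxfd)
        svc_maxfd = sock;
    return 1;
}

/* Workaround check from the advisory: a soft RLIMIT_NOFILE at or below
 * FD_SETSIZE means accept() cannot return a descriptor the table cannot hold. */
int fd_limit_is_safe(rlim_t soft_limit)
{
    return soft_limit <= (rlim_t)FD_SETSIZE;
}

/* The same check on the running process: what "ulimit -n" in the shell
 * that starts kadmind must satisfy. */
int process_fd_limit_is_safe(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    return fd_limit_is_safe(rl.rlim_cur);
}

int main(void)
{
    return printf("FD_SETSIZE=%d limit_safe=%d\n", (int)FD_SETSIZE, process_fd_limit_is_safe()) < 0;
}
```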