Bug 1030743 (CVE-2013-1417)

Summary: CVE-2013-1417 krb5: KDC null deref due to referrals
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: krb5 1.11.4
Doc Type: Bug Fix
Last Closed: 2015-07-29 13:45:31 UTC
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: dpal, jkurik, jplans, jrusnack, nalin, nathaniel, pfrields, rmainz
Bug Depends On: 1030744, 1030745

Description Vincent Danen 2013-11-15 04:03:44 UTC
From the upstream commit [1]:

An authenticated remote client can cause a KDC to crash by making a
valid TGS-REQ to a KDC serving a realm with a single-component name.
The process_tgs_req() function dereferences a null pointer because an
unusual failure condition causes a helper function to return success.

While attempting to provide cross-realm referrals for host-based
service principals, the find_referral_tgs() function could return a
TGS principal for a zero-length realm name (indicating that the
hostname in the service principal has no known realm associated with
it).

Subsequently, the find_alternate_tgs() function would attempt to
construct a path to this empty-string realm, and return success along
with a null pointer in its output parameter.  This happens because
krb5_walk_realm_tree() returns a list of length one when it attempts
to construct a transit path between a single-component realm and the
empty-string realm.  This list causes a loop in find_alternate_tgs()
to iterate over zero elements, resulting in the unexpected output of a
null pointer, which process_tgs_req() proceeds to dereference because
there is no error condition.

Add an error condition to find_referral_tgs() when
krb5_get_host_realm() returns an empty realm name.  Also add an error
condition to find_alternate_tgs() to handle the length-one output from
krb5_walk_realm_tree().

The vulnerable configuration is not likely to arise in practice.
(Realm names that have a single component are likely to be test
realms.)  Releases prior to krb5-1.11 are not vulnerable.

[1] https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc
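
The failure chain in the commit message above, as an added example that is not part of the bug report or of krb5's own code: a constructed C model of the referral lookup in which a single-component local realm plus a hostname with no known realm produces a length-one transit path, a loop that runs zero times, and a NULL output on a success return that the caller would dereference. The model_* functions, the FIX_REFERRAL/FIX_ALTERNATE flags, the error codes and the host-to-realm table are assumptions made for this illustration; the realm-tree walk is a deliberate simplification of krb5_walk_realm_tree(), not its algorithm.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the referral path described in the bug (added
 * example, not krb5 code).  The KDC resolves the realm of a host-based
 * service principal, walks the realm tree for a TGS principal to refer
 * the client to, and then uses that principal.  All names and codes here
 * are assumptions made for the illustration. */
enum {
    MODEL_OK = 0,
    MODEL_ERR_NO_REALM = 1,   /* host maps to no realm (hypothetical code) */
    MODEL_ERR_NO_PATH = 2,    /* walk yielded no transit hop (hypothetical code) */
    MODEL_NULL_DEREF = 99     /* reported instead of crashing the process */
};

/* The two checks added by the upstream fix, selectable independently. */
#define FIX_REFERRAL  1   /* reject an empty realm in find_referral_tgs() */
#define FIX_ALTERNATE 2   /* reject a length-one path in find_alternate_tgs() */
#define MAX_PATH 8

/* Constructed [domain_realm]-style table for the example. */
static const struct { const char *suffix; const char *realm; } host_table[] = {
    { "example.com", "EXAMPLE.COM" },
};

/* Model of krb5_get_host_realm(): the realm mapped to the host's domain
 * suffix, or "" when there is no mapping (assumption: the empty realm the
 * bug text describes as "no known realm"). */
static const char *model_get_host_realm(const char *host) {
    size_t hl = strlen(host);
    for (size_t i = 0; i < sizeof host_table / sizeof host_table[0]; i++) {
        const char *sfx = host_table[i].suffix;
        size_t sl = strlen(sfx);
        if (hl > sl && host[hl - sl - 1] == '.' && strcmp(host + hl - sl, sfx) == 0)
            return host_table[i].realm;
    }
    return "";
}

/* Simplified model of krb5_walk_realm_tree() (assumption): the path climbs
 * from the local realm through its parents (A.B.C -> B.C -> C) and ends at
 * the target.  A single-component local realm has no parents, so with an
 * empty target the path has exactly one element. */
static size_t model_walk_realm_tree(const char *local, const char *target,
                                    const char *path[MAX_PATH]) {
    size_t n = 0;
    const char *p = local;
    for (;;) {
        path[n++] = p;
        const char *dot = strchr(p, '.');
        if (dot == NULL || n == MAX_PATH - 1)
            break;
        p = dot + 1;
    }
    if (target[0] != '\0' && strcmp(path[n - 1], target) != 0)
        path[n++] = target;
    return n;
}

/* Model of find_alternate_tgs(): scan the path from the far end back to
 * index 1.  A length-one path makes the loop run zero times, so *tgs_out
 * stays NULL while the function still reports success. */
static int model_find_alternate_tgs(const char *local, const char *target,
                                    int fixes, const char **tgs_out) {
    const char *path[MAX_PATH];
    size_t n = model_walk_realm_tree(local, target, path);
    *tgs_out = NULL;
    if ((fixes & FIX_ALTERNATE) && n < 2)
        return MODEL_ERR_NO_PATH;        /* second check from the fix */
    for (size_t i = n - 1; i >= 1; i--) {
        *tgs_out = path[i];              /* model accepts the first hop */
        break;
    }
    return MODEL_OK;                     /* vulnerable: success, output may be NULL */
}

/* Model of find_referral_tgs() for a principal of the form svc/host. */
static int model_find_referral_tgs(const char *local, const char *host,
                                   int fixes, const char **tgs_out) {
    const char *realm = model_get_host_realm(host);
    if ((fixes & FIX_REFERRAL) && realm[0] == '\0')
        return MODEL_ERR_NO_REALM;       /* first check from the fix */
    return model_find_alternate_tgs(local, realm, fixes, tgs_out);
}

/* Model of the call site in process_tgs_req(): the real KDC uses the
 * returned principal at once on success; a NULL there is reported as
 * MODEL_NULL_DEREF instead of being dereferenced. */
int model_process_tgs_req(const char *local, const char *host, int fixes) {
    const char *tgs;
    int ret = model_find_referral_tgs(local, host, fixes, &tgs);
    if (ret != MODEL_OK)
        return ret;                      /* error reply; the KDC keeps running */
    return tgs == NULL ? MODEL_NULL_DEREF : MODEL_OK;
}

int main(void) {
    printf("TEST / unknown host, unfixed: %d\n", model_process_tgs_req("TEST", "db.nowhere.invalid", 0));
    printf("TEST / unknown host, fixed:   %d\n", model_process_tgs_req("TEST", "db.nowhere.invalid", FIX_REFERRAL | FIX_ALTERNATE));
    return 0;
}
```

Either check on its own turns the crash into an error reply, which is why the commit adds both: the referral check stops the empty realm before any walk, and the path-length check guards find_alternate_tgs() against any other caller that reaches it with a degenerate path. The model also shows why the bug needed a single-component realm: a local realm such as EXAMPLE.COM has a parent in the walk, so the loop runs at least once and the output is never NULL.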

Comment 1 Vincent Danen 2013-11-15 04:05:42 UTC
This only affects Fedora 19 as Fedora 18 ships with an older version (pre 1.11.x).


Statement:

Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 3 Vincent Danen 2013-11-15 04:06:47 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-19 [bug 1030744]

Comment 4 Fedora Update System 2013-11-18 21:07:46 UTC
krb5-1.11.3-32.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2013-12-03 10:37:29 UTC
krb5-1.11.3-13.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.