Bug 1179857 (CVE-2014-9421)

Summary: CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dpal, gnaik, grocha, jason.greene, jawilson, jboss-set, jclere, jdoyle, jplans, lgao, myarboro, nalin, pgier, pkis, psakar, pslavice, rsvoboda, security-response-team, twalsh, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, using specially crafted XDR packets.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-04 08:48:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1181208, 1182882, 1182883, 1188869    
Bug Blocks: 1121513, 1179866    

Description Vasyl Kaigorodov 2015-01-07 16:39:43 UTC 
Upstream reports that if the MIT krb5 kadmind daemon receives invalid XDR
data from an authenticated user, it may perform use-after-free and
double-free memory access violations while cleaning up the partial
deserialization results.  Other libgssrpc server applications may also
be vulnerable if they contain insufficiently defensive XDR functions.

An authenticated attacker could cause kadmind or other
vulnerable server application to crash or to execute arbitrary code.
Exploiting a double-free event to execute arbitrary code is believed
to be difficult.

libgssrpc applications use the XDR serialization format.  XDR data is
serialized, deserialized, and freed using an application function,
often generated by the rpcgen command.  If an application receives
incorrectly serialized data from the client, the XDR function will
return false to report a deserialization failure, perhaps leaving
behind partial deserialization results.  To avoid a memory leak, these
partial results must be freed with another invocation of the XDR
function.

In a server application, this cleanup is performed automatically by
svc_getargs().  If the AUTH_GSSAPI authentication flavor is used, the
cleanup is also erroneously performed by the internal unwrap function,
so the XDR function is invoked twice to clean up the partial results.

XDR functions can be defensive about being invoked twice for cleanup
by assigning pointer values to NULL after freeing them.  Most XDR
functions do this, but the XDR functions within libkadm5 for principal
names and tag-length data do not.  When these functions are invoked
twice by libgssrpc to clean up a value, the second invocations perform
use-after-free and double-free memory access violations.  These XDR
functions are only exposed to an authenticated attacker.  This
vulnerability could theoretically lead to the execution of malicious
code, but that is believed to be difficult.

Client applications are not believed to be vulnerable because
clnt_call() and client stub functions do not free partial
deserialization results.

Suggested patch to fix this vulnerability as well as 
CVE-2014-5352, CVE-2014-9422 and CVE-2014-9423 is attached to https://bugzilla.redhat.com/show_bug.cgi?id=1179856
Comment 1 Vasyl Kaigorodov 2015-01-07 17:03:11 UTC 
Acknowledgements:

Red Hat would like to thank the MIT Kerberos project for reporting this issue.
Comment 2 Vasyl Kaigorodov 2015-01-12 15:17:42 UTC 
According to MIT, kadmind is vulnerable in all released versions of MIT krb5. Third-party server applications using libgssrpc are vulnerable if they enable the AUTH_GSSAPI authentication flavor and contain insufficiently defensive XDR functions
Comment 5 Vincent Danen 2015-02-03 21:18:29 UTC 
External References:

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.txt
Comment 6 Vincent Danen 2015-02-03 21:38:25 UTC 
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1188869]
Comment 7 Tomas Hoger 2015-02-04 19:41:55 UTC 
Upstream commit:

https://github.com/krb5/krb5/commit/a197e92349a4aa2141b5dff12e9dd44c2a2166e3
Comment 8 Vasyl Kaigorodov 2015-03-02 09:17:24 UTC 
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 9 errata-xmlrpc 2015-03-05 10:01:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0439 https://rhn.redhat.com/errata/RHSA-2015-0439.html
Comment 11 Fedora Update System 2015-03-09 08:18:20 UTC 
krb5-1.11.5-18.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2015-03-12 16:33:42 UTC 
krb5-1.12.2-14.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2015-04-09 05:09:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0794 https://rhn.redhat.com/errata/RHSA-2015-0794.html