Bug 1193939 (CVE-2014-5355)
| Field | Value |
|---|---|
| Summary | CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and others |
| Product | [Other] Security Response |
| Reporter | Vasyl Kaigorodov <vkaigoro> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dknox, dpal, drieden, fnasser, jason.greene, jawilson, jboss-set, jclere, jdoyle, jplans, kerberos-dev-list, lgao, mbabacek, myarboro, nalin, nathaniel, pgier, pkis, psakar, pslavice, rsvoboda, sbose, twalsh, vtunka, weli |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Doc Text | It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. |
| Last Closed | 2015-11-20 05:44:29 UTC |
| Bug Depends On | 1200906, 1204210, 1204211, 1205850 |
| Bug Blocks | 1179866, 1193283, 1193941, 1210268 |

Description
Vasyl Kaigorodov
2015-02-18 15:26:46 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1200906]

The problems in the recvauth_common() function appear to be the most interesting ones to us, as this function is called by the krb5_recvauth() function, which in turn is used by a few services supporting krb5 auth. An unauthenticated attacker can use this to crash a server using the krb5_recvauth() function due to, e.g., a NULL pointer dereference (meaning that arbitrary code execution should not be possible). In most cases the server will probably do this in a child process, which means that only the child process will crash and the overall service should remain available, which further mitigates this vulnerability.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2015:0794 https://rhn.redhat.com/errata/RHSA-2015-0794.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2015:2154 https://rhn.redhat.com/errata/RHSA-2015-2154.html
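
Added example (not part of this bug report and not MIT krb5 code): a defensive pattern for the class of flaw the Doc Text describes, where a message reader hands callers an invalid counted buffer and a caller then dereferences NULL. The 4-byte big-endian length framing, `struct msg`, `MAX_MSG`, the function names and the string `PROTO_V1` are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a counted buffer such as krb5_data. */
struct msg { uint32_t length; char *data; };
#define MAX_MSG 4096u /* assumed upper bound for this sketch */
/* Parse one message (assumed framing: 4-byte big-endian length, then body)
 * from wire[0..wire_len). Returns 0 on success, -1 on malformed input.
 * On success data is never NULL and data[length] is NUL, even if length is 0. */
int read_message(const unsigned char *wire, size_t wire_len, struct msg *out)
{
    uint32_t len;
    out->length = 0; out->data = NULL;
    if (wire_len < 4)
        return -1;
    len = ((uint32_t)wire[0] << 24) | ((uint32_t)wire[1] << 16) |
          ((uint32_t)wire[2] << 8) | (uint32_t)wire[3];
    if (len > MAX_MSG || len > wire_len - 4)
        return -1;                       /* oversized or truncated body */
    out->data = malloc((size_t)len + 1); /* +1: always room for a terminator */
    if (out->data == NULL)
        return -1;
    if (len > 0)
        memcpy(out->data, wire + 4, len);
    out->data[len] = '\0';
    out->length = len;
    return 0;
}

/* True only if the message is exactly `expected` including its trailing NUL.
 * Uses the counted length, so it never reads past the buffer or through NULL. */
int msg_is_string(const struct msg *m, const char *expected)
{
    size_t n = strlen(expected) + 1;
    return m->data != NULL && m->length == n && memcmp(m->data, expected, n) == 0;
}

int main(void)
{
    /* Constructed input: a zero-length message, the case a caller must survive. */
    const unsigned char empty[] = { 0, 0, 0, 0 };
    struct msg m;
    int rc = read_message(empty, sizeof empty, &m);
    printf("rc=%d length=%u match=%d\n", rc, (unsigned)m.length, msg_is_string(&m, "PROTO_V1"));
    free(m.data);
    return 0;
}
```

The comparison rejects a zero-length or unterminated message instead of passing it to `strcmp()`, so malformed input from an unauthenticated peer ends in an error return rather than a crash.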