Bug 1302632 (CVE-2015-8630)

Summary: CVE-2015-8630 krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abokovoy, csutherl, dknox, dpal, jclere, jdoyle, jplans, j, lgao, mbabacek, myarboro, nalin, npmccallum, pkis, rharwood, sardella, slawomir, twalsh, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: krb5 1.14.1, krb5 1.13.4
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() functions did not ensure that a policy was given when KADM5_POLICY was set in the mask. An authenticated attacker with permissions to modify the database could use this flaw to add or modify a principal with a policy set to NULL, causing the kadmind service to crash.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-01 07:07:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1302633, 1306969, 1306970
Bug Blocks: 1302647

Description Adam Mariš 2016-01-28 10:12:51 UTC
It was reported that in MIT krb5 1.12 and later, an authenticated attacker with permission to modify a principal entry can cause kadmind to dereference a null pointer by supplying a null policy value but including KADM5_POLICY in the mask.

Upstream patch:

https://github.com/krb5/krb5/commit/b863de7fbf080b15e347a736fdda0a82d42f4f6b
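
The mask/pointer mismatch described above, as an added illustrative model written for this page (not krb5's own code): the principal-entry struct, the error code and the numeric value of KADM5_POLICY are simplified assumptions, and the unchecked variant is kept only to show where the NULL dereference happens.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative model of the kadm5 fields involved in CVE-2015-8630.
 * KADM5_POLICY is the mask bit that tells kadmind "a policy name is supplied";
 * its numeric value here is an assumption made for this example. */
#define KADM5_POLICY   0x000800L

#define KADM5_OK        0
#define KADM5_BAD_MASK  1   /* assumed error code for a mask that contradicts the entry */

typedef struct {
    const char *principal;
    const char *policy;   /* policy name; NULL when the client sends none */
} principal_ent;

/* Pre-fix behaviour: the mask bit is trusted and ent->policy is used without a
 * NULL check. With policy == NULL this dereferences a NULL pointer, which is
 * the kadmind crash the bug describes. Shown for contrast only; never call it
 * with a NULL policy. */
size_t policy_name_len_unchecked(const principal_ent *ent, long mask) {
    if (mask & KADM5_POLICY)
        return strlen(ent->policy);   /* NULL dereference when policy is absent */
    return 0;
}

/* Post-fix behaviour: refuse the request when the mask claims a policy but the
 * entry carries none, before anything touches the pointer. */
int validate_policy_mask(const principal_ent *ent, long mask) {
    if ((mask & KADM5_POLICY) && ent->policy == NULL)
        return KADM5_BAD_MASK;
    return KADM5_OK;
}

/* Request handler that runs the validation first and only then uses the
 * policy name; len_out is left untouched when the request is rejected. */
int modify_principal_checked(const principal_ent *ent, long mask, size_t *len_out) {
    int ret = validate_policy_mask(ent, mask);
    if (ret != KADM5_OK)
        return ret;
    *len_out = (mask & KADM5_POLICY) ? strlen(ent->policy) : 0;
    return KADM5_OK;
}
```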

Comment 1 Adam Mariš 2016-01-28 10:13:22 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1302633]

Comment 6 Tomas Hoger 2016-03-03 21:29:12 UTC
Upstream bug report:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=8342

Fixed upstream in krb5 1.14.1:

http://web.mit.edu/kerberos/krb5-1.14/krb5-1.14.1.html

The upstream bug report also indicates the issue will be fixed in 1.13.4.

Comment 7 errata-xmlrpc 2016-03-31 22:03:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0532 https://rhn.redhat.com/errata/RHSA-2016-0532.html