Bug 1302642 (CVE-2015-8631)

Summary: CVE-2015-8631 krb5: Memory leak caused by supplying a null principal name in request
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abokovoy, carnil, csutherl, dknox, dpal, jclere, jdoyle, jplans, j, lgao, mbabacek, myarboro, nalin, npmccallum, pkis, rharwood, sardella, slawomir, twalsh, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: krb5 1.14.1, krb5 1.13.4
Doc Type: Bug Fix
Doc Text:
A memory leak flaw was found in the MIT Kerberos kadmind service. When krb5_unparse_name() failed, for example because a request carried a null principal name, several kadmin RPC stubs returned without freeing the client and server principal names. An authenticated attacker could repeatedly send such requests, causing the server to consume large amounts of memory and ultimately leading to a denial of service through memory exhaustion.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-01 07:07:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1302643, 1306969, 1306970, 1306973, 1306974
Bug Blocks: 1302647

Description Adam Mariš 2016-01-28 10:19:03 UTC
It was reported that if krb5_unparse_name() fails, many of the stubs will leak the client and server name. In all versions of MIT krb5, an authenticated attacker can cause kadmind to leak memory by supplying a null principal name in a request which uses one. Repeating these requests will eventually cause kadmind to exhaust all available memory.

Upstream patch:

https://github.com/krb5/krb5/commit/83ed75feba32e46f736fcce0d96a0445f29b96c2
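The leak pattern described in the report, as an added example written for this page rather than code from MIT krb5 or from the upstream patch: a stub that parses a client and a server principal, unparses both, and returns early when the unparse call fails, beside the same stub with a single cleanup exit. The `toy_principal` type and the `toy_parse_name` / `toy_unparse_name` / `toy_free_principal` helpers are hypothetical stand-ins for the krb5 API; the only property they reproduce is that unparsing a principal with no name fails with an error code. The tracked allocator is the check a practitioner wants here: run each stub many times with a request carrying a null client principal and see how many allocations stay outstanding.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the krb5 principal type and for
 * krb5_parse_name()/krb5_unparse_name(); constructed for this example,
 * not the MIT krb5 API. name == NULL models a null principal name. */
typedef struct { char *name; char *realm; } toy_principal;

static int live_allocs = 0;   /* tracked allocations still outstanding */

static void *tracked_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { free(p); live_allocs--; } }
static char *tracked_strdup(const char *s)
{
    char *d = tracked_alloc(strlen(s) + 1);
    if (d) memcpy(d, s, strlen(s) + 1);
    return d;
}

/* Parse "name@REALM"; a NULL string is a request that supplied no principal. */
static toy_principal *toy_parse_name(const char *s)
{
    toy_principal *p = tracked_alloc(sizeof *p);
    if (!p) return NULL;
    p->name = p->realm = NULL;
    if (s) {
        const char *at = strchr(s, '@');
        size_t nlen = at ? (size_t)(at - s) : strlen(s);
        p->name = tracked_alloc(nlen + 1);
        memcpy(p->name, s, nlen);
        p->name[nlen] = '\0';
        p->realm = tracked_strdup(at ? at + 1 : "");
    }
    return p;
}

static void toy_free_principal(toy_principal *p)
{
    if (!p) return;
    tracked_free(p->name); tracked_free(p->realm); tracked_free(p);
}

/* Fails with EINVAL when there is no name to print. */
static int toy_unparse_name(const toy_principal *p, char **out)
{
    if (!p || !p->name) return EINVAL;
    size_t n = strlen(p->name) + strlen(p->realm) + 2;
    char *s = tracked_alloc(n);
    if (!s) return ENOMEM;
    snprintf(s, n, "%s@%s", p->name, p->realm);
    *out = s;
    return 0;
}

/* Pre-fix shape of a stub: every failure path returns at once, so the two
 * principals (and any already-unparsed string) are never freed. */
static int stub_leaky(const char *client, const char *server)
{
    toy_principal *cp = toy_parse_name(client);
    toy_principal *sp = toy_parse_name(server);
    char *cname = NULL, *sname = NULL;
    int ret;
    if ((ret = toy_unparse_name(cp, &cname)) != 0) return ret;  /* leaks cp, sp */
    if ((ret = toy_unparse_name(sp, &sname)) != 0) return ret;  /* leaks cp, sp, cname */
    /* ... request handled here ... */
    tracked_free(cname); tracked_free(sname);
    toy_free_principal(cp); toy_free_principal(sp);
    return 0;
}

/* Fixed shape: one exit path that releases whatever was allocated,
 * whether or not the unparse calls succeeded. */
static int stub_fixed(const char *client, const char *server)
{
    toy_principal *cp = toy_parse_name(client);
    toy_principal *sp = toy_parse_name(server);
    char *cname = NULL, *sname = NULL;
    int ret;
    if ((ret = toy_unparse_name(cp, &cname)) != 0) goto cleanup;
    if ((ret = toy_unparse_name(sp, &sname)) != 0) goto cleanup;
    /* ... request handled here ... */
cleanup:
    tracked_free(cname); tracked_free(sname);
    toy_free_principal(cp); toy_free_principal(sp);
    return ret;
}

/* Run a stub n times with one request and report the allocations it left
 * behind; a positive count is the per-request leak an attacker multiplies. */
int leaked_after(int (*stub)(const char *, const char *), const char *client,
                 const char *server, int n)
{
    int before = live_allocs;
    for (int i = 0; i < n; i++) stub(client, server);
    return live_allocs - before;
}

int main(void)
{
    const char *srv = "kadmin/admin@EXAMPLE.COM";  /* constructed sample request */
    printf("leaky stub, null client x1000: %d allocations outstanding\n",
           leaked_after(stub_leaky, NULL, srv, 1000));
    printf("fixed stub, null client x1000: %d allocations outstanding\n",
           leaked_after(stub_fixed, NULL, srv, 1000));
    return 0;
}
```

With a null client principal the leaky stub leaves four tracked allocations behind per request (the two principal structs plus the server's name and realm strings), while the fixed stub leaves none and still reports the same error to the caller; with well-formed principals both stubs are leak-free, which is why the bug only shows up under malformed input.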

Comment 1 Adam Mariš 2016-01-28 10:19:31 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1302643]

Comment 4 Cedric Buissart 2016-02-16 15:18:44 UTC
Acknowledgements:

This issue was discovered by Simo Sorce of Red Hat.

Comment 6 Tomas Hoger 2016-03-03 21:29:15 UTC
Upstream bug report:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=8343

Fixed upstream in krb5 1.14.1:

http://web.mit.edu/kerberos/krb5-1.14/krb5-1.14.1.html

The upstream bug report also indicates the issue will be fixed in 1.13.4.

Comment 7 errata-xmlrpc 2016-03-22 21:02:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0493 https://rhn.redhat.com/errata/RHSA-2016-0493.html

Comment 8 errata-xmlrpc 2016-03-31 22:03:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0532 https://rhn.redhat.com/errata/RHSA-2016-0532.html