Bug 1361050 (CVE-2016-3120)

Summary: CVE-2016-3120 krb5: S4U2Self KDC crash when anon is restricted
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abokovoy, bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dkholia, dosoudil, dpal, fnasser, gzaronik, jason.greene, jawilson, jboss-set, jclere, jdoyle, jplans, jshepherd, lgao, mbabacek, myarboro, nalin, npmccallum, pgier, pkis, psakar, pslavice, rharwood, rnetuka, rsvoboda, sardella, slawomir, tibbs, twalsh, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a null pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-06 04:20:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1361051, 1361504    
Bug Blocks: 1323912, 1361052    

Description Adam Mariš 2016-07-28 09:19:46 UTC
It was found that in MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc to dereference a null pointer if the restrict_anonymous_to_tgt option is set to true, by making an S4U2Self request.

Upstream patch:

https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7

Comment 1 Adam Mariš 2016-07-28 09:20:20 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1361051]

Comment 3 Fedora Update System 2016-08-01 16:23:05 UTC
krb5-1.14.1-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-08-31 12:21:45 UTC
krb5-1.14.3-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-09-01 18:50:23 UTC
krb5-1.14.3-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 errata-xmlrpc 2016-11-03 20:25:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2591 https://rhn.redhat.com/errata/RHSA-2016-2591.html