Bug 1766920 (CVE-2019-14867)

Summary: CVE-2019-14867 ipa: Denial of service in IPA server due to wrong use of ber_scanf()
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abokovoy, dblechte, dfediuck, eedri, fdc, frenaud, ipa-maint, jcholast, jhrozek, mgoldboi, michal.skrivanek, psampaio, pvoborni, rcritten, sam, sbonazzo, security-response-team, sherold, ssorce, tscherf, twoerner, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: FreeIPA 4.6.7, FreeIPA 4.7.4, FreeIPA 4.8.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed Kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or, in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1767300, 1767302, 1767304, 1789681, 1767303, 1777200
Bug Blocks: 1766921

Description Dhananjay Arunesh 2019-10-30 09:50:01 UTC
A flaw was found in the way the internal function ber_scanf() was used in some components of the IPA server which parsed Kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or, in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.

Comment 2 Huzaifa S. Sidhpurwala 2019-10-31 05:16:18 UTC
Technical details and analysis:

In ber_decode_krb5_key_data(), there is a call to ber_scanf to skip over unsupported sk2params:

    if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
        /* not supported yet, skip */
        retag = ber_scanf(be, "t[x]}");  /* 't' expects a ber_tag_t * argument; none is passed */
    } else {

This 'ber_scanf' call is missing a '&tag' argument, meaning that it ends up overwriting memory at whatever address happens to be on the stack.

This might be a security issue since the tag that gets stored is user-controlled data, though the pointer getting stored to probably is not easy to control.

Looking at the way pointers are arranged on the stack for this function, it may be difficult to overwrite a pointer and achieve code execution. Also, the function is protected by SSP; therefore RCE may be difficult to achieve.
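
The format-directive contract behind this bug, as an added illustration that is not code from the report, the fix or FreeIPA: a toy stand-in for liblber's ber_scanf that handles only the directives of "t[x]}", with the call written in its corrected shape, passing a local ber_tag_t for the 't' directive instead of omitting the argument. The struct, the short-form header parsing and the sample bytes (a constructed context tag [2] wrapping one OCTET STRING) are assumptions of this example; only the flag values mirror lber.h.

```c
#include <stdarg.h>
#include <stddef.h>

/* Stand-in for the liblber pieces the call uses; the flag values follow lber.h. */
typedef unsigned long ber_tag_t;
#define LBER_CONSTRUCTED   0x20UL
#define LBER_CLASS_CONTEXT 0x80UL
#define LBER_ERROR         ((ber_tag_t)-1)

struct toy_ber { const unsigned char *buf; size_t len; size_t pos; };

/* Read the (tag, length) header of the element at the cursor without advancing.
 * Assumption: one-byte tags and short-form lengths, which is all the sample needs. */
static int peek_header(const struct toy_ber *be, ber_tag_t *tag, size_t *vlen) {
    if (be->pos + 2 > be->len) return -1;
    *tag = be->buf[be->pos];
    *vlen = be->buf[be->pos + 1];
    return (*vlen < 0x80 && be->pos + 2 + *vlen <= be->len) ? 0 : -1;
}

/* Toy ber_scanf for exactly the directives in "t[x]}": 't' stores the next tag through a
 * ber_tag_t * taken from the varargs, 'x' skips one whole element, and '[', ']', '}' are
 * set/sequence delimiters that take no argument. Returns the last tag seen or LBER_ERROR. */
static ber_tag_t toy_ber_scanf(struct toy_ber *be, const char *fmt, ...) {
    ber_tag_t tag, last = LBER_ERROR; size_t vlen; va_list ap;
    va_start(ap, fmt);
    for (; *fmt; fmt++) {
        if (*fmt == 't' || *fmt == 'x') {
            if (peek_header(be, &tag, &vlen) < 0) { last = LBER_ERROR; break; }
            if (*fmt == 't')
                *va_arg(ap, ber_tag_t *) = tag;  /* this store is what needs the &tag argument */
            else
                be->pos += 2 + vlen;
            last = tag;
        } else if (*fmt != '[' && *fmt != ']' && *fmt != '}') {
            last = LBER_ERROR; break;
        }
    }
    va_end(ap);
    return last;
}

/* Constructed sample: [2] CONSTRUCTED (0xA2), length 3, wrapping OCTET STRING 04 01 ff. */
const unsigned char sample_sk2params[] = { 0xA2, 0x03, 0x04, 0x01, 0xFF };

/* Corrected shape of the call from the report: a local ber_tag_t receives the 't' result.
 * Returns the skipped element's tag, or LBER_ERROR if the buffer is short or malformed. */
ber_tag_t skip_sk2params(const unsigned char *buf, size_t len) {
    struct toy_ber be = { buf, len, 0 };
    ber_tag_t tag = 0;
    if (toy_ber_scanf(&be, "t[x]}", &tag) == LBER_ERROR || be.pos != len)
        return LBER_ERROR;
    return tag;
}
```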

Comment 3 Huzaifa S. Sidhpurwala 2019-10-31 05:23:19 UTC
Statement:

This flaw can be exploited by an unauthenticated attacker (PR:N) who could create a specially crafted "krbPrincipalKey" and send it to the IPA server (AV:N). The attack is relatively easy to conduct (AC:L), since all the attacker requires is a string which is long enough to write beyond the limits of the buffer on the stack. User interaction is required for the attack (UI:N). The end result is a crash in the IPA server causing denial of service or, in some conditions, may also result in remote code execution with the permissions of the user running the IPA server (CIA:H).

Comment 5 Huzaifa S. Sidhpurwala 2019-11-01 10:38:49 UTC
*** Bug 1752973 has been marked as a duplicate of this bug. ***

Comment 6 Alexander Bokovoy 2019-11-26 13:55:02 UTC
Releases 4.6.7, 4.7.4, and 4.8.3 are done for FreeIPA. The release tarballs are available in https://releases.pagure.org/freeipa.

Comment 7 Huzaifa S. Sidhpurwala 2019-11-27 06:29:56 UTC
Upstream commit: https://pagure.io/freeipa/c/e11e73abc101361c0b66b3b958a64c9c8f6c608b.patch

Comment 8 Huzaifa S. Sidhpurwala 2019-11-27 06:30:00 UTC
Acknowledgments:

Name: Todd Lipcon (Cloudera)

Comment 9 Huzaifa S. Sidhpurwala 2019-11-27 06:31:04 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1777200]