Bug 1766920 (CVE-2019-14867)

Summary: CVE-2019-14867 ipa: Denial of service in IPA server due to wrong use of ber_scanf()
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abokovoy, dblechte, dfediuck, eedri, fdc, frenaud, ipa-maint, jcholast, jhrozek, mgoldboi, michal.skrivanek, psampaio, pvoborni, rcritten, sam, sbonazzo, security-response-team, sherold, ssorce, tscherf, twoerner, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: FreeIPA 4.6.7, FreeIPA 4.7.4, FreeIPA 4.8.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-04 20:09:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1767300, 1767302, 1767303, 1767304, 1777200, 1789681    
Bug Blocks: 1766921    

Description Dhananjay Arunesh 2019-10-30 09:50:01 UTC 
A flaw was found in the way the internal function ber_scanf() was used in some components of the IPA server which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key, could cause the IPA server to crash or in some conditions cause arbitrary code to be executed on the server hosting the IPA server.
Comment 2 Huzaifa S. Sidhpurwala 2019-10-31 05:16:18 UTC 
Technical details and analysis:

in ber_decode_krb5_key_data(), there is a call to ber_scanf to skip over unsupported sk2params:

if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
/* not supported yet, skip */
retag = ber_scanf(be, "t[x]}");
} else {

This 'ber_scanf' call is missing a '&tag' argument, meaning that it ends up overwriting memory at whatever address happens to be on the stack.

This might be a security issue since the tag that gets stored is user-controlled data, though the pointer getting stored to probably is not easy to control. 

Looking at the way pointers are arranged on the stack for this function, it may be difficult to overwrite a pointer and achieve code execution. Also the function is protected by SSP therefore RCE may be difficult to achieve.
Comment 3 Huzaifa S. Sidhpurwala 2019-10-31 05:23:19 UTC 
Statement:

This flaw can be exploited by an unauthenticated attacker (PR:N) who could create a specially crafted "krbPrincipalKey" and send it to the IPA server (AV:N).  The attack is relatively easy to conduct (AC:L), since all the attacker requires is a string which is long enough to write beyond the limits of the buffer on the stack. User interaction is required for the attack (UI:N). End result in a crash in the IPA server causing denial of service or in some conditions may also result  in remote code execution with the permissions of the user running the IPA server (CIA:H).
Comment 5 Huzaifa S. Sidhpurwala 2019-11-01 10:38:49 UTC 
*** Bug 1752973 has been marked as a duplicate of this bug. ***
Comment 6 Alexander Bokovoy 2019-11-26 13:55:02 UTC 
Releases 4.6.7, 4.7.4, and 4.8.3 are done for FreeIPA. The release tarballs are available in https://releases.pagure.org/freeipa.
Comment 7 Huzaifa S. Sidhpurwala 2019-11-27 06:29:56 UTC 
Upstream commit: https://pagure.io/freeipa/c/e11e73abc101361c0b66b3b958a64c9c8f6c608b.patch
Comment 8 Huzaifa S. Sidhpurwala 2019-11-27 06:30:00 UTC 
Acknowledgments:

Name: Todd Lipcon (Cloudera)
Comment 9 Huzaifa S. Sidhpurwala 2019-11-27 06:31:04 UTC 
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1777200]
Comment 10 Huzaifa S. Sidhpurwala 2019-11-27 06:32:20 UTC 
External References:

https://www.freeipa.org/page/Releases/4.6.7
https://www.freeipa.org/page/Releases/4.7.4
https://www.freeipa.org/page/Releases/4.8.3
Comment 12 errata-xmlrpc 2020-02-04 19:32:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0378 https://access.redhat.com/errata/RHSA-2020:0378
Comment 13 Product Security DevOps Team 2020-02-04 20:09:39 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14867
Comment 16 errata-xmlrpc 2020-04-01 09:29:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1269 https://access.redhat.com/errata/RHSA-2020:1269