Bug 1816536 (CVE-2020-10595)

Summary: CVE-2020-10595 pam_krb5: incorrect input handling results in single byte buffer overflow which may lead to heap corruption
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abokovoy, fdvorak, jhrozek, nalin, pkis, rharwood, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pam-krb5 4.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found during prompting initiated by the Kerberos library, where an attacker who enters a response exactly as long as the buffer provided by the underlying Kerberos library causes pam-krb5 to write a single null byte past the end of that buffer. This flaw results in heap corruption or a single-byte overwrite of another stack variable, with unknown consequences.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-06 22:32:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1816903
Bug Blocks: 1816537

Description Marian Rehak 2020-03-24 09:04:08 UTC
During prompting initiated by the Kerberos library, an attacker who enters a response exactly as long as the length of the buffer provided by the underlying Kerberos library will cause pam-krb5 to write a single nul byte past the end of that buffer. This could result in heap corruption or a single-byte overwrite of another stack variable, with unknown consequences.
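As an added illustration (hypothetical code, not pam-krb5's own), the off-by-one the report describes beside its hardened form: a reply-copy routine that accepts a response exactly as long as the caller's buffer and therefore writes the terminating NUL one byte past it, checked with a guard byte that stands in for the adjacent heap or stack variable.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical illustration, not pam-krb5's code: a prompter callback copies
 * the typed reply into a caller-supplied buffer of dst_len bytes, the role the
 * Kerberos library's reply buffer plays in the bug report. */

/* Pattern the report describes: a reply of exactly dst_len bytes passes the
 * length check, so the terminating NUL is written to dst[dst_len], one byte
 * past the end of the buffer (heap neighbour or adjacent stack variable). */
static int copy_reply_vulnerable(char *dst, size_t dst_len, const char *response)
{
    size_t n = strlen(response);
    if (n > dst_len)
        return -1;          /* only strictly longer replies are rejected */
    memcpy(dst, response, n);
    dst[n] = '\0';          /* off by one when n == dst_len */
    return 0;
}

/* Hardened form: reserve one byte for the terminator, so the reply must be
 * strictly shorter than the buffer. */
static int copy_reply_fixed(char *dst, size_t dst_len, const char *response)
{
    size_t n = strlen(response);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, response, n);
    dst[n] = '\0';
    return 0;
}

/* Harness: an 8-byte reply buffer followed by one guard byte that stands in
 * for whatever sits next to the real buffer. Returns -1 if the reply was
 * rejected, 0 if copied cleanly, 1 if the guard byte was overwritten. */
static int try_reply(int (*copy)(char *, size_t, const char *), const char *response)
{
    unsigned char mem[9];
    memset(mem, 'X', sizeof mem);
    mem[8] = 0xA5;                      /* guard byte just past the 8-byte buffer */
    if (copy((char *)mem, 8, response) != 0)
        return -1;
    return mem[8] != 0xA5;
}

int main(void)
{
    const char *reply = "12345678";     /* constructed: exactly buffer-sized */
    printf("vulnerable: %d\n", try_reply(copy_reply_vulnerable, reply)); /* 1 */
    printf("fixed:      %d\n", try_reply(copy_reply_fixed, reply));      /* -1 */
    return 0;
}
```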

Comment 1 Huzaifa S. Sidhpurwala 2020-03-25 03:50:56 UTC
Analysis:

As per the reporter, this flaw is really difficult to exploit and may also not be easy to trigger.

1. This is just a one-byte overflow, so depending on how memory management is done by the MIT Kerberos library, with which the pam_krb5 versions shipped in Red Hat Enterprise Linux and Fedora are compiled, this overflow may very well land in the padding area and the adjacent variable may not be overwritten.

2. This flaw is triggered when prompting for a password is initiated by the Kerberos library. Under normal usage of this PAM module, it never does prompting initiated by the Kerberos library, and thus most configurations will not be readily vulnerable to this bug. Kerberos-library-initiated prompting generally only happens with the no_prompt PAM configuration option, PKINIT, or other non-password preauth mechanisms.

However, this issue does not affect the versions of the pam_krb5 package shipping with Red Hat products, since the software has been highly refactored from the old sources at https://www.eyrie.org/~eagle/software/pam-krb5/

Comment 2 Huzaifa S. Sidhpurwala 2020-03-25 03:55:00 UTC
Acknowledgments:

Name: Russ Allbery

Comment 5 Huzaifa S. Sidhpurwala 2020-03-25 04:35:03 UTC
Statement:

This issue does not affect the versions of the pam_krb5 package shipped with Red Hat products (https://pagure.io/pam_krb5).

Comment 6 Product Security DevOps Team 2020-04-06 22:32:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10595

Comment 7 Huzaifa S. Sidhpurwala 2020-04-13 04:55:20 UTC
External References:

https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html