Bug 2230178 (CVE-2023-36054)

Summary: CVE-2023-36054 krb5: Denial of service through freeing uninitialized pointer
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acrosby, adudiak, agarcial, aoconnor, asegurap, asoldano, bbaranow, bdettelb, bmaxwell, brian.stansberry, caswilli, cdewolf, chazlett, darran.lofthouse, dkreling, dkuc, dosoudil, fjansen, fjuma, hkataria, ivassile, iweiss, jburrell, jmitchel, jplans, jrische, jsamir, jsherril, jtanner, kaycoth, kshier, lgao, mosmerov, msochure, mstefank, msvehla, nalin, nwallace, nweather, pjindal, pmackay, psegedy, rstancel, smaestri, stcannon, sthirugn, tcarlin, tom.jenkinson, vkrizan, vmugicag, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: krb5 1.20.2, krb5 1.21.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the _xdr_kadm5_principal_ent_rec() function in lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (krb5). The issue occurs because the function does not validate that n_key_data matches the number of entries actually decoded into the key_data array, so on a mismatch uninitialized pointers are freed. This may allow a remote authenticated attacker to send a specially crafted request that causes the kadmind process to crash, resulting in a denial of service (DoS).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2229113, 2230179, 2230181, 2230182
Bug Blocks: 2230180

Description Pedro Sampaio 2023-08-08 20:17:11 UTC
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

References:

https://web.mit.edu/kerberos/www/advisories/
https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final
https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final

Comment 1 Pedro Sampaio 2023-08-08 20:17:41 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 2230179]

Comment 7 errata-xmlrpc 2023-11-07 08:22:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6699 https://access.redhat.com/errata/RHSA-2023:6699