Bug 636335 (CVE-2010-1322)

Summary: CVE-2010-1322 krb5: KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: dpal, jplans, nalin, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-11-11 08:10:59 UTC
Bug Depends On: 636336, 636337

Description Vincent Danen 2010-09-21 22:40:30 UTC
When the MIT krb5 KDC receives certain Kerberos TGS request messages, it may dereference an uninitialized pointer while processing authorization data, causing a crash, or in rare cases, unauthorized information disclosure, ticket modification, or execution of arbitrary code.  The crash may be triggered by legitimate requests.

This is an implementation vulnerability in MIT krb5, and not a vulnerability in the Kerberos protocol.

An authenticated remote attacker can cause the MIT krb5 KDC process to crash, resulting in a denial of service.  In rare cases, the attacker can theoretically induce unauthorized information disclosure, ticket modification, or the execution of arbitrary code.

The denial of service may be triggered by legitimate requests produced by Windows Active Directory clients.  No exploit code is known to exist that would cause information disclosure, ticket modification, or arbitrary code execution.

This vulnerability only exists in krb5-1.8 through to version 1.8.3; the affected code did not exist in earlier versions of krb5.  It has been corrected in the 1.8.4 release.

The patch is available at: http://web.mit.edu/kerberos/advisories/2010-006-patch.txt

The upstream advisory will be available at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt

Acknowledgements:

Red Hat would like to thank the MIT Kerberos Team for reporting this issue. Upstream acknowledges Mike Roszkowski as the original reporter.
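To make the defect described above concrete, here is an added, self-contained C model of the indexing bug that the upstream patch in comment 5 corrects. It is not MIT code and not part of this bug report: the `authdatum` type, the `AD_KDC_ISSUED_STUB` type number and the sample entries are constructed stand-ins for the real `krb5_authdata` structures. The output array is pre-filled with a poison sentinel so that the hole the pre-1.8.4 merge leaves behind can be detected without dereferencing an uninitialised pointer; `run_merge(0)` reproduces the old indexing, `run_merge(1)` the fixed one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for krb5_authdata: a type tag and an owned buffer. */
typedef struct {
    int ad_type;
    unsigned char *contents;
    unsigned int length;
} authdatum;

/* Hypothetical type number standing in for KDC-issued authorization data. */
#define AD_KDC_ISSUED_STUB 97

static authdatum *make_ad(int type, const char *text) {
    authdatum *ad = calloc(1, sizeof *ad);
    ad->ad_type = type;
    ad->length = (unsigned int)strlen(text);
    ad->contents = malloc(ad->length);
    memcpy(ad->contents, text, ad->length);
    return ad;
}

static int is_kdc_issued(const authdatum *ad) {
    return ad->ad_type == AD_KDC_ISSUED_STUB;
}

/* Poison value so the hole left by the buggy merge is observable without
 * reading an uninitialised slot (which would be undefined behaviour). */
static authdatum poison_slot;
#define POISON (&poison_slot)

/* Merge `in` (NULL-terminated, ownership transferred) into `out`, which
 * already holds `nadata` entries and has room for nadata + n_in + 1 pointers.
 * fixed == 0 reproduces the pre-1.8.4 indexing; fixed != 0 the 1.8.4 fix. */
static void merge_authdata(authdatum **out, size_t nadata, authdatum **in,
                           int ignore_kdc_issued, int fixed) {
    size_t i, j;
    for (i = 0, j = 0; in[i] != NULL; i++) {
        if (ignore_kdc_issued && is_kdc_issued(in[i])) {
            free(in[i]->contents);
            free(in[i]);
        } else if (fixed) {
            out[nadata + j++] = in[i];   /* j counts entries actually retained */
        } else {
            out[nadata + i] = in[i];     /* bug: every dropped entry leaves a slot unwritten */
        }
    }
    out[nadata + (fixed ? j : i)] = NULL;
}

/* Walk the list up to its NULL terminator the way a consumer would.
 * Returns the entry count, or -1 if a poison slot is reached first. */
static long validate_chain(authdatum **list) {
    long n = 0;
    for (; list[n] != NULL; n++)
        if (list[n] == POISON) return -1;
    return n;
}

/* One constructed scenario: two existing entries, then three incoming ones
 * of which the middle entry is KDC-issued and therefore dropped. */
long run_merge(int fixed) {
    enum { NADATA = 2, NIN = 3, CAP = NADATA + NIN + 1 };
    authdatum *out[CAP];
    authdatum **in = calloc(NIN + 1, sizeof *in);
    long result;
    size_t k;

    for (k = 0; k < CAP; k++) out[k] = POISON;
    out[0] = make_ad(1, "client-supplied-A");
    out[1] = make_ad(1, "client-supplied-B");
    in[0] = make_ad(1, "incoming-1");
    in[1] = make_ad(AD_KDC_ISSUED_STUB, "kdc-issued-dropped");
    in[2] = make_ad(1, "incoming-2");

    merge_authdata(out, NADATA, in, 1, fixed);
    free(in);
    result = validate_chain(out);

    for (k = 0; k < CAP && out[k] != NULL; k++) {
        if (out[k] != POISON) { free(out[k]->contents); free(out[k]); }
    }
    return result;
}

int main(void) {
    printf("pre-fix merge: %ld\n", run_merge(0));   /* -1: hole before the terminator */
    printf("fixed merge:   %ld\n", run_merge(1));   /* 4: contiguous entries, then NULL */
    return 0;
}
```

With the old indexing the output is `[A, B, incoming-1, <unwritten>, incoming-2, NULL]`, so a NULL-terminated walk reaches the unwritten slot before the terminator; in the real KDC that slot holds whatever was in the heap, which is the uninitialized pointer dereference the advisory describes. With the separate output index the retained entries are contiguous and the terminator follows the last one.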

Comment 2 Vincent Danen 2010-09-21 22:45:15 UTC
This does not affect Red Hat Enterprise Linux 3, 4, or 5, nor does it affect Fedora (all provide versions of krb5 1.7.x or earlier, which do not contain the vulnerable code).  It does affect Red Hat Enterprise Linux 6.

Comment 5 Vincent Danen 2010-09-21 22:55:44 UTC
The upstream-provided patch:

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index b5de64d..cc44e29 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -495,7 +495,7 @@ merge_authdata (krb5_context context,
                 krb5_boolean copy,
                 krb5_boolean ignore_kdc_issued)
 {
-    size_t i, nadata = 0;
+    size_t i, j, nadata = 0;
     krb5_authdata **authdata = *out_authdata;

     if (in_authdata == NULL || in_authdata[0] == NULL)
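Review bot: `j` is introduced here without a comment, and this hunk alone does not tell the reader why a second index is needed next to `i`; a one-line note at the declaration (`i` walks `in_authdata`, `j` counts entries actually placed into `authdata`) would document the invariant the loop below depends on. Leaving it uninitialised at the declaration is fine as long as the only use is the loop whose init clause sets it to 0.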
@@ -529,16 +529,16 @@ merge_authdata (krb5_context context,
         in_authdata = tmp;
     }

-    for (i = 0; in_authdata[i] != NULL; i++) {
+    for (i = 0, j = 0; in_authdata[i] != NULL; i++) {
         if (ignore_kdc_issued &&
             is_kdc_issued_authdatum(context, in_authdata[i], 0)) {
             free(in_authdata[i]->contents);
             free(in_authdata[i]);
         } else
-            authdata[nadata + i] = in_authdata[i];
+            authdata[nadata + j++] = in_authdata[i];
     }

-    authdata[nadata + i] = NULL;
+    authdata[nadata + j] = NULL;

     free(in_authdata);
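Review bot: the switch from `i` to `j` for the output index is the correct fix. In the old loop every entry dropped by `ignore_kdc_issued` left `authdata[nadata + i]` unwritten, and the terminating NULL was stored at `nadata + i`, past those unwritten slots, so any consumer walking `authdata` to its NULL terminator would load a garbage pointer; with `authdata[nadata + j++]` the retained entries are contiguous and `authdata[nadata + j] = NULL` lands directly after the last one. Worth confirming outside this hunk that `authdata` is allocated for the full `in_authdata` count plus one, since `j <= i` only makes the new bound safer, never larger. A short comment on the `j++` line stating that `j` is the count of retained entries would help the next reader.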

Comment 6 Tomas Hoger 2010-10-05 20:08:51 UTC
Public now via:
  http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2010-006.txt

Comment 7 errata-xmlrpc 2010-11-10 18:51:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0863 https://rhn.redhat.com/errata/RHSA-2010-0863.html

Comment 8 Vincent Danen 2010-11-15 18:05:00 UTC
Statement:

This issue did not affect Red Hat Enterprise Linux 3, 4, or 5.  It was addressed in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2010-0863.html.