Bug 711419 (CVE-2011-1526)

Summary: CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: asanders, bressers, dpal, jplans, mjc, nalin, pmatouse, prc, security-response-team, vdanen, zmraz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the krb5_setegid() function call. On systems where the set real, set effective, or set saved group ID system calls might fail, a remote FTP user could use this flaw to gain unauthorized read or write access to files that were owned by the root group.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-21 08:47:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 713341, 713342, 719095, 719098    
Bug Blocks: 712346, 742493    

Description Jan Lieskovsky 2011-06-07 13:06:19 UTC
It was found that the kerberized FTP server did not properly check for the
failure to set its effective group identifier (GID). A remote, authenticated
FTP user could use this flaw to gain unauthorized read or write access to files
whose group owner was the initial effective GID of the FTP daemon process.

References:
[1] http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-005.txt
    (not public yet)
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1526

Upstream patch:
[3] http://web.mit.edu/kerberos/advisories/2011-005-patch.txt

Acknowledgements: 

Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Tim Zingelman as the original reporter.

Comment 3 Jan Lieskovsky 2011-06-07 13:12:40 UTC
This issue affects the versions of the krb5 package, as shipped with
Red Hat Enterprise Linux 4 and 5.

This issue affects the version of the krb5-appl package, as shipped with
Red Hat Enterprise Linux 6.

--

This issue affects the versions of the krb5-appl package, as shipped with
Fedora releases 14 and 15.

Comment 23 Tomas Hoger 2011-06-24 11:53:51 UTC
As noted in the upstream advisory, there are 2 issues really:

First, there was a problem introduced when splitting various kerberized applications out of krb5 sources to a separate krb5-appl package.  A missing check in the configure script caused krb5_setegid() to be incorrectly defined as always returning an error without trying to change the egid at all.

Second, the return value of krb5_setegid() was not checked, causing ftpd to not detect the problem and continue without changed effective group privileges.

Both problems combined resulted in users' ftpd sessions running with egid == 0, i.e. with root group privileges.  This problem affected Red Hat Enterprise Linux 6 and Fedora.

The krb5 versions in Red Hat Enterprise Linux 4 and 5 were only affected by the second problem.  This is still a potential problem, but without the first issue, there's no easy way for an attacker to trigger a setegid failure.  We plan to address the return value checking problem in a future krb5 packages update in Red Hat Enterprise Linux 4 and 5.
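
The two defects Tomas Hoger describes in Comment 23 (a krb5_setegid() that reports failure without changing anything, and a caller that never looks at the return value), modeled in C as an added example. This is not code from krb5, krb5-appl or the upstream patch: the credential struct, `setegid_working`, `setegid_broken`, `session_gid_unchecked`, `session_start_checked` and the user GID 1000 are all invented for illustration, and the real fallback definition of krb5_setegid in krb5-appl is not reproduced. Credentials are simulated so the program runs deterministically without root.

```c
/*
 * Added example: models the two CVE-2011-1526 defects.  Not krb5/krb5-appl
 * code.  Credentials are a plain struct instead of real process state so the
 * program runs as an unprivileged user; the real ftpd acts on the process.
 */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

#define ROOT_GID ((gid_t)0)
#define USER_GID ((gid_t)1000)   /* assumption: the logged-in user's group */

/* Simulated process credentials; only the effective GID matters here. */
struct creds {
    gid_t egid;
};

/* Shape of a krb5_setegid()-like call: 0 on success, -1 + errno on failure. */
typedef int (*setegid_fn)(struct creds *c, gid_t gid);

/* A working implementation: the effective GID actually changes. */
static int setegid_working(struct creds *c, gid_t gid)
{
    c->egid = gid;
    return 0;
}

/* Issue 1 from Comment 23: the missing configure check left krb5-appl with a
 * definition that reports failure without ever touching the effective GID. */
static int setegid_broken(struct creds *c, gid_t gid)
{
    (void)c;
    (void)gid;
    errno = EPERM;
    return -1;
}

/* Issue 2, the vulnerable pattern: the return value is discarded, so the FTP
 * session carries on whether or not the group change took effect.
 * Returns the effective GID the session actually runs with. */
static gid_t session_gid_unchecked(struct creds *c, setegid_fn fn, gid_t user_gid)
{
    fn(c, user_gid);   /* return value ignored: this is the bug */
    return c->egid;
}

/* Hardened pattern: fail closed.  Returns 0 when privileges were dropped and
 * -1 (errno set) when they were not; the caller must then refuse the login
 * instead of serving files with the daemon's original group privileges. */
static int session_start_checked(struct creds *c, setegid_fn fn, gid_t user_gid)
{
    if (fn(c, user_gid) != 0)
        return -1;
    /* Re-read the credential rather than trusting the return code alone. */
    if (c->egid != user_gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Scenario helpers: every run starts from a daemon process with egid 0. */
static gid_t run_unchecked(setegid_fn fn)
{
    struct creds proc = { ROOT_GID };
    return session_gid_unchecked(&proc, fn, USER_GID);
}

static int run_checked(setegid_fn fn, gid_t *egid_out)
{
    struct creds proc = { ROOT_GID };
    int rc = session_start_checked(&proc, fn, USER_GID);
    *egid_out = proc.egid;
    return rc;
}

int main(void)
{
    gid_t egid;
    int rc;

    printf("unchecked + working setegid: session egid = %u\n",
           (unsigned)run_unchecked(setegid_working));
    printf("unchecked + broken  setegid: session egid = %u  <- root group kept\n",
           (unsigned)run_unchecked(setegid_broken));
    rc = run_checked(setegid_broken, &egid);
    printf("checked   + broken  setegid: rc = %d (refuse login), egid = %u\n",
           rc, (unsigned)egid);
    rc = run_checked(setegid_working, &egid);
    printf("checked   + working setegid: rc = %d (login ok), egid = %u\n",
           rc, (unsigned)egid);
    return 0;
}
```

Build with `cc -Wall -o setegid_demo setegid_demo.c && ./setegid_demo`. The combination that matters is the second line of output: with the broken setegid and no return-value check the session keeps egid 0, which is the Red Hat Enterprise Linux 6 / Fedora situation from Comment 23. The checked variant turns the same broken setegid into a refused login, which is why fixing the return-value check alone also closes the hole on the releases that only had the second defect.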

Comment 28 Vincent Danen 2011-07-05 17:38:38 UTC
Statement:

This issue was addressed in krb5-appl packages in Red Hat Enterprise Linux 6 via RHSA-2011:0920 and krb5 packages in Red Hat Enterprise Linux 5 via RHSA-2012:0306.

This issue is not planned to be addressed in Red Hat Enterprise Linux 4, where this issue was rated as having low security impact.

Comment 29 errata-xmlrpc 2011-07-05 18:18:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0920 https://rhn.redhat.com/errata/RHSA-2011-0920.html

Comment 30 Vincent Danen 2011-07-05 18:34:55 UTC
Created krb5-appl tracking bugs for this issue

Affects: fedora-all [bug 719095]

Comment 32 Vincent Danen 2012-02-07 23:02:52 UTC
IssueDescription:

It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the krb5_setegid() function call. On systems where the set real, set effective, or set saved group ID system calls might fail, a remote FTP user could use this flaw to gain unauthorized read or write access to files that were owned by the root group.

Comment 33 errata-xmlrpc 2012-02-21 03:19:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0306 https://rhn.redhat.com/errata/RHSA-2012-0306.html