Bug 838014 (CVE-2012-1014)

Summary: CVE-2012-1014 krb5: KDC daemon crash via de-reference of an uninitialized pointer
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: dpal, jlieskov, jplans, jrusnack, nalin, security-response-team, sgadekar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-11-05 16:59:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 844779
Bug Blocks: 838017

Description Huzaifa S. Sidhpurwala 2012-07-06 06:41:46 UTC
The MIT krb5 KDC daemon can dereference an uninitialized pointer while processing a malformed AS-REQ, causing the daemon to abnormally terminate. This vulnerability could theoretically lead to the execution of malicious code, but that is believed to be very difficult.

The KDC in releases krb5-1.10 and later is vulnerable to this flaw.

Reference: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
Patch: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt

Acknowledgements:
Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Emmanuel Bouillon (NCI Agency) as the original reporter of the flaw.

Comment 3 Huzaifa S. Sidhpurwala 2012-07-06 08:28:48 UTC
Looking at the patch in the advisory, it seems that in function process_as_req(), the affected code segment does not exist before version 1.10.x.

The vulnerable code segment is:

    state = malloc(sizeof(*state));
    ...
    state->session_key.contents = 0;
    state->enc_tkt_reply.authorization_data = NULL;
    ...

All members of the struct pointed to by state are set to 0, except state->inner_body, which is a pointer to a krb5_data object. An error condition in process_as_req() results in control being passed to the error handler, which de-references it and hence causes a crash.
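
As an added example (not krb5's code and not the upstream patch), the following C model of the partial-initialization bug described in this comment uses a hypothetical, reduced as_req_state struct: it contrasts the member-by-member zeroing that leaves inner_body indeterminate with a calloc()-based allocation under which the error handler's NULL check on inner_body is actually meaningful. The memset() poisoning, the field layout and all function names are assumptions made for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

typedef struct { size_t length; char *data; } krb5_data; /* simplified */

struct as_req_state {                 /* hypothetical, reduced model */
    struct { unsigned char *contents; } session_key;
    struct { void *authorization_data; } enc_tkt_reply;
    krb5_data *inner_body;            /* the member never initialised */
};

/* Vulnerable pattern: malloc() plus member-by-member zeroing that misses
 * inner_body. memset() stands in for stale heap contents so the demo is
 * deterministic rather than undefined behaviour. */
struct as_req_state *alloc_state_partial(void)
{
    struct as_req_state *state = malloc(sizeof(*state));
    if (state == NULL)
        return NULL;
    memset(state, 0xAA, sizeof(*state));   /* simulated stale heap bytes */
    state->session_key.contents = 0;
    state->enc_tkt_reply.authorization_data = NULL;
    return state;                          /* inner_body is still garbage */
}

/* Fix used in this example: calloc() zeroes every member, so an early error
 * path sees inner_body == NULL (assumes all-zero bytes are a null pointer). */
struct as_req_state *alloc_state_zeroed(void)
{
    return calloc(1, sizeof(struct as_req_state));
}

/* Error handler: releases whatever the request set up so far. Safe only
 * when inner_body is NULL or points at a live allocation. */
void free_state(struct as_req_state *state)
{
    if (state == NULL)
        return;
    if (state->inner_body != NULL) {
        free(state->inner_body->data);
        free(state->inner_body);
    }
    free(state);
}

/* Returns 1 if free_state() would dereference inner_body on this state. */
int inner_body_would_be_dereferenced(const struct as_req_state *state)
{
    return state->inner_body != NULL;
}
```

Running free_state() on the partially initialised state is exactly the crash the advisory describes, so the test below deliberately frees that one with plain free() and only exercises the error handler on the zeroed states.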

Comment 4 Huzaifa S. Sidhpurwala 2012-07-06 08:29:40 UTC
This issue does not affect the version of krb5 package as shipped with Fedora-16. 

This issue affects the version of krb5 package as shipped with Fedora-17.

Comment 5 Huzaifa S. Sidhpurwala 2012-07-06 08:30:46 UTC
Statement:

Not Vulnerable. This issue does not affect the version of krb5 package as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 7 Vincent Danen 2012-07-31 18:24:57 UTC
External Reference:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt

Comment 8 Vincent Danen 2012-07-31 18:28:59 UTC
Created krb5 tracking bugs for this issue

Affects: fedora-17 [bug 844779]