Bug 1030743 - (CVE-2013-1417) CVE-2013-1417 krb5: KDC null deref due to referrals
CVE-2013-1417 krb5: KDC null deref due to referrals
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130621,repor...
: Security
Depends On: 1030744 1030745
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-14 23:03 EST by Vincent Danen
Modified: 2016-03-04 06:53 EST (History)
8 users (show)

See Also:
Fixed In Version: krb5 1.11.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-29 09:45:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-11-14 23:03:44 EST
From the upstream commit [1]:

An authenticated remote client can cause a KDC to crash by making a
valid TGS-REQ to a KDC serving a realm with a single-component name.
The process_tgs_req() function dereferences a null pointer because an
unusual failure condition causes a helper function to return success.

While attempting to provide cross-realm referrals for host-based
service principals, the find_referral_tgs() function could return a
TGS principal for a zero-length realm name (indicating that the
hostname in the service principal has no known realm associated with
it).

Subsequently, the find_alternate_tgs() function would attempt to
construct a path to this empty-string realm, and return success along
with a null pointer in its output parameter.  This happens because
krb5_walk_realm_tree() returns a list of length one when it attempts
to construct a transit path between a single-component realm and the
empty-string realm.  This list causes a loop in find_alternate_tgs()
to iterate over zero elements, resulting in the unexpected output of a
null pointer, which process_tgs_req() proceeds to dereference because
there is no error condition.

Add an error condition to find_referral_tgs() when
krb5_get_host_realm() returns an empty realm name.  Also add an error
condition to find_alternate_tgs() to handle the length-one output from
krb5_walk_realm_tree().

The vulnerable configuration is not likely to arise in practice.
(Realm names that have a single component are likely to be test
realms.)  Releases prior to krb5-1.11 are not vulnerable.

[1] https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc
Comment 1 Vincent Danen 2013-11-14 23:05:42 EST
This only affects Fedora 19 as Fedora 18 ships with an older version (pre 1.11.x).


Statement:

Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 3 Vincent Danen 2013-11-14 23:06:47 EST
Created krb5 tracking bugs for this issue:

Affects: fedora-19 [bug 1030744]
Comment 4 Fedora Update System 2013-11-18 16:07:46 EST
krb5-1.11.3-32.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-12-03 05:37:29 EST
krb5-1.11.3-13.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.