Bug 1121789 - CVE-2014-4343: use-after-free crash in SPNEGO
Summary: CVE-2014-4343: use-after-free crash in SPNEGO
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Nalin Dahyabhai
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On: 1117963
Blocks: CVE-2014-4343
Reported: 2014-07-21 21:23 UTC by Nalin Dahyabhai
Modified: 2015-03-05 10:01 UTC (History)
Fixed In Version: krb5-1.12.2-7.el7
Doc Type: Release Note
Doc Text:
Clone Of: 1117963
Environment:
Last Closed: 2015-03-05 10:01:10 UTC
Target Upstream Version:
Embargoed:
Links
System: Red Hat Product Errata
ID: RHSA-2015:0439
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: krb5 security, bug fix and enhancement update
Last Updated: 2015-03-05 14:38:14 UTC

Description Nalin Dahyabhai 2014-07-21 21:23:29 UTC
+++ This bug was initially created as a clone of Bug #1117963 +++

I'm trying to use firefox to authenticate to an internal web site. Like *many* internal web sites, this one doesn't have correct reverse DNS so Kerberos doesn't get the right SPN and fails to get a ticket for it.

That doesn't stop it from trying *something*, and screwing up my NTLM auth that would have succeeded....

First it sends a request with no Authorization: header, gets back a 401 with
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM


Then it sends this:

Authorization: Negotiate ...

...and gets a 401 back with this:

WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=


If I 'kdestroy' and try again, authentication works just fine with NTLM (via gss-ntlmssp):

Authorization: Negotiate YFEGBisGAQUFAqBHMEWgDjAMBgorBgEEAYI3AgIKojMEMU5UTE1TU1AAAQAAABWyCKADAAMAIAAAAA4ADgAjAAAAR0VSRFdPT0RIT1UtTElOVVg=
WWW-Authenticate: Negotiate oYIBHDCCARigAwoBAaEMBgorBgEEAYI3AgIKooIBAQSB/k5UTE1TU1AAAgAAAAYABgA4AAAAFYKJor3g82gBoEOnAAAAAAAAAADAAMAAPgAAAAYAchcAAAAPQQBNAFIAAgAGAEEATQBSAAEAGABGAE0AUwBQAFMATQBTAE8AVABQADAAMwAEACQAYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0AAwA+AEYATQBTAFAAUwBNAFMATwBUAFAAMAAzAC4AYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0ABQAcAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAHAAgAy44uzpmbzwEAAAAA
Authorization: Negotiate ...


Quite why firefox doesn't try actual NTLM auth (as opposed to NTLM-in-SPNEGO) after GSSAPI auth fails, I don't know. That should have worked too.

--- Additional comment from David Woodhouse on 2014-07-10 03:24:59 EDT ---

Is there a way to easily use wireshark's dissectors (or something else) to interpret SPNEGO packets? Other than faking a real Ethernet packet capture of an HTTP exchange by using 'nc' and 'nc -l'...

The first request is:
    [truncated] Authorization: Negotiate YIIP1wYGKwYBBQUCoIIPyzCCD8egF...
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
            Simple Protected Negotiation
                negTokenInit
                    mechTypes: 2 items
                        MechType: 1.3.6.1.5.2.5 (iso.3.6.1.5.2.5)
                        MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                    mechToken: 60820fa306062b060105020505013016a11404124745522e...


The response from the server (after which we give up) is:

    WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=\r\n
        GSS-API Generic Security Service Application Program Interface
            Simple Protected Negotiation
                negTokenTarg
                    negResult: Unknown (3)
                    supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)

It's *telling* us to try NTLMSSP. Why didn't we?

That 'unknown' negResult is, if I'm reading RFC4178 correctly, 'request-mic'. Is that the problem? I see recent changes in gssntlmssp and krb5 to handle MIC generation...

(Simo, note that I'm testing this with the unhacked package in Fedora and $NTLM_USER_FILE set; not my patches to make it use winbind which don't support MIC generation).

--- Additional comment from David Woodhouse on 2014-07-10 13:18:38 EDT ---

Fixed (slightly unexpectedly) by http://david.woodhou.se/krb5-fix-spnego-double-free.patch

In trying to reproduce, I could only get a crash in gss_delete_sec_context(). And once that was fixed, so was this.

--- Additional comment from David Woodhouse on 2014-07-14 11:31:46 EDT ---

==31436== Invalid free() / delete / delete[] / realloc()
==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436==    by 0x3AE900D6A7: generic_gss_release_oid_set (gssapi_alloc.h:93)
==31436==    by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
==31436==    by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
==31436==    by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
==31436==  Address 0x4fb55a0 is 0 bytes inside a block of size 9 free'd
==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436==    by 0x3AE900C881: generic_gss_release_oid (oid_ops.c:102)
==31436==    by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
==31436==    by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)

http://mailman.mit.edu/pipermail/krbdev/2014-July/012079.html

--- Additional comment from Fedora Update System on 2014-07-17 11:37:05 EDT ---

krb5-1.11.5-9.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/FEDORA-2014-8189/krb5-1.11.5-9.fc20

--- Additional comment from Fedora Update System on 2014-07-17 11:40:02 EDT ---

krb5-1.11.3-23.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19

--- Additional comment from Fedora Update System on 2014-07-19 01:54:52 EDT ---

Package krb5-1.11.3-23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.3-23.fc19'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19
then log in and leave karma (feedback).
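The Wireshark dissection quoted above names the mechanism OIDs but shows the server's negResult only as "Unknown (3)". As an added example (not code from the bug report, from krb5 or from Wireshark), the following Python decodes the two complete Negotiate tokens quoted in the report with a minimal DER walker and labels the fields per RFC 2743 (InitialContextToken) and RFC 4178 (negTokenInit / negTokenResp). The token strings are copied from the report; the OID display names are assumed from the mechanisms' public registrations.

```python
import base64

# RFC 2743 section 3.1: the first SPNEGO token is wrapped in an
# InitialContextToken carrying this OID; later tokens are bare negTokenResp.
SPNEGO_OID = "1.3.6.1.5.5.2"

# Display names for mechanism OIDs (assumed from their public registrations;
# the dissector in the report printed 1.3.6.1.5.2.5 without a name).
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.5.2.5": "IAKERB",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# RFC 4178 section 4.2.2 negState values; 3 is the "Unknown (3)" in the report.
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short and long-form lengths and rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of token")
    return tag, buf[pos:end], end


def iter_sequence(body):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def inner(buf, expected_tag):
    """Read the single TLV that fills buf and check its tag."""
    tag, value, _ = read_tlv(buf)
    if tag != expected_tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expected_tag, tag))
    return value


def decode_oid(value):
    """DER OID contents to dotted form, e.g. 2B 06 01 04 01 82 37 02 02 0A ->
    1.3.6.1.4.1.311.2.2.10 (arcs >= 128 use base-128 with a continuation bit)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_neg_token_init(body):
    """negTokenInit ::= SEQUENCE { mechTypes [0], reqFlags [1], mechToken [2], mechListMIC [3] }"""
    out = {"type": "negTokenInit", "mechTypes": [], "mechToken": None, "mechListMIC": None}
    for tag, value in iter_sequence(inner(body, 0x30)):
        if tag == 0xA0:                    # SEQUENCE OF MechType, in preference order
            out["mechTypes"] = [decode_oid(v) for _, v in iter_sequence(inner(value, 0x30))]
        elif tag == 0xA2:                  # optimistic token for mechTypes[0]
            out["mechToken"] = inner(value, 0x04)
        elif tag == 0xA3:
            out["mechListMIC"] = inner(value, 0x04)
    return out


def parse_neg_token_resp(body):
    """negTokenResp ::= SEQUENCE { negState [0], supportedMech [1], responseToken [2], mechListMIC [3] }"""
    out = {"type": "negTokenResp", "negState": None, "supportedMech": None,
           "responseToken": None, "mechListMIC": None}
    for tag, value in iter_sequence(inner(body, 0x30)):
        if tag == 0xA0:                    # ENUMERATED
            state = int.from_bytes(inner(value, 0x0A), "big")
            out["negState"] = NEG_STATE.get(state, "unknown(%d)" % state)
        elif tag == 0xA1:
            out["supportedMech"] = decode_oid(inner(value, 0x06))
        elif tag == 0xA2:
            out["responseToken"] = inner(value, 0x04)
        elif tag == 0xA3:
            out["mechListMIC"] = inner(value, 0x04)
    return out


def parse_spnego(token):
    """Dispatch on the outer tag: 0x60 InitialContextToken, 0xA0 negTokenInit, 0xA1 negTokenResp."""
    tag, value, _ = read_tlv(token)
    if tag == 0x60:
        oid_tag, oid, pos = read_tlv(value)
        if oid_tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
            raise ValueError("not an SPNEGO initial token")
        tag, value, _ = read_tlv(value, pos)
    if tag == 0xA0:
        return parse_neg_token_init(value)
    if tag == 0xA1:
        return parse_neg_token_resp(value)
    raise ValueError("unexpected outer tag 0x%02x" % tag)


def parse_negotiate_header(header_value):
    """Decode the value of an 'Authorization: Negotiate ...' or 'WWW-Authenticate: Negotiate ...' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate" or not b64:
        raise ValueError("not a Negotiate token")
    return parse_spnego(base64.b64decode(b64))


# The two complete tokens quoted in the report (the truncated Kerberos one cannot be decoded).
SERVER_REQUEST_MIC = "Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo="
CLIENT_NTLM_INIT = ("Negotiate YFEGBisGAQUFAqBHMEWgDjAMBgorBgEEAYI3AgIKojMEMU5UTE1TU1AAAQAAABWyCKADAAMAIAAAAA4ADgAjAAAAR0VS"
                    "RFdPT0RIT1UtTElOVVg=")

if __name__ == "__main__":
    for hdr in (CLIENT_NTLM_INIT, SERVER_REQUEST_MIC):
        tok = parse_negotiate_header(hdr)
        print(tok["type"])
        for key, val in tok.items():
            if key != "type" and val is not None:
                if isinstance(val, bytes):
                    val = "%d bytes, starts %r" % (len(val), val[:8])
                print("  %s: %s" % (key, val))
```

Run against the report's tokens, the server reply decodes to a negTokenResp with negState request-mic and supportedMech 1.3.6.1.4.1.311.2.2.10 (NTLMSSP) and no responseToken: the server has picked NTLMSSP and is asking the client to continue with it and to supply a mechListMIC, which is the reading of RFC 4178 given in the thread. The client token after kdestroy decodes to an InitialContextToken whose negTokenInit offers NTLMSSP alone, with an NTLMSSP Type 1 message (49 bytes, starting "NTLMSSP\0" 01 00 00 00) as the optimistic mechToken.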

Comment 4 errata-xmlrpc 2015-03-05 10:01:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0439.html