Bug 1179857 (CVE-2014-9421) - CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
Summary: CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MIT...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-9421
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1181208 1182882 1182883 1188869
Blocks: 1121513 1179866
TreeView+ depends on / blocked
 
Reported: 2015-01-07 16:39 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:50 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, using specially crafted XDR packets.
Clone Of:
Environment:
Last Closed: 2015-11-04 08:48:11 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0439 0 normal SHIPPED_LIVE Moderate: krb5 security, bug fix and enhancement update 2015-03-05 14:38:14 UTC
Red Hat Product Errata RHSA-2015:0794 0 normal SHIPPED_LIVE Moderate: krb5 security update 2015-04-09 09:09:12 UTC

Description Vasyl Kaigorodov 2015-01-07 16:39:43 UTC
Upstream reports that if the MIT krb5 kadmind daemon receives invalid XDR
data from an authenticated user, it may perform use-after-free and
double-free memory access violations while cleaning up the partial
deserialization results.  Other libgssrpc server applications may also
be vulnerable if they contain insufficiently defensive XDR functions.

An authenticated attacker could cause kadmind or other
vulnerable server application to crash or to execute arbitrary code.
Exploiting a double-free event to execute arbitrary code is believed
to be difficult.

libgssrpc applications use the XDR serialization format.  XDR data is
serialized, deserialized, and freed using an application function,
often generated by the rpcgen command.  If an application receives
incorrectly serialized data from the client, the XDR function will
return false to report a deserialization failure, perhaps leaving
behind partial deserialization results.  To avoid a memory leak, these
partial results must be freed with another invocation of the XDR
function.

In a server application, this cleanup is performed automatically by
svc_getargs().  If the AUTH_GSSAPI authentication flavor is used, the
cleanup is also erroneously performed by the internal unwrap function,
so the XDR function is invoked twice to clean up the partial results.

XDR functions can be defensive about being invoked twice for cleanup
by assigning pointer values to NULL after freeing them.  Most XDR
functions do this, but the XDR functions within libkadm5 for principal
names and tag-length data do not.  When these functions are invoked
twice by libgssrpc to clean up a value, the second invocations perform
use-after-free and double-free memory access violations.  These XDR
functions are only exposed to an authenticated attacker.  This
vulnerability could theoretically lead to the execution of malicious
code, but that is believed to be difficult.

Client applications are not believed to be vulnerable because
clnt_call() and client stub functions do not free partial
deserialization results.

Suggested patch to fix this vulnerability as well as 
CVE-2014-5352, CVE-2014-9422 and CVE-2014-9423 is attached to https://bugzilla.redhat.com/show_bug.cgi?id=1179856

Comment 1 Vasyl Kaigorodov 2015-01-07 17:03:11 UTC
Acknowledgements:

Red Hat would like to thank the MIT Kerberos project for reporting this issue.

Comment 2 Vasyl Kaigorodov 2015-01-12 15:17:42 UTC
According to MIT, kadmind is vulnerable in all released versions of MIT krb5. Third-party server applications using libgssrpc are vulnerable if they enable the AUTH_GSSAPI authentication flavor and contain insufficiently defensive XDR functions

Comment 5 Vincent Danen 2015-02-03 21:18:29 UTC
External References:

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.txt

Comment 6 Vincent Danen 2015-02-03 21:38:25 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1188869]

Comment 8 Vasyl Kaigorodov 2015-03-02 09:17:24 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 9 errata-xmlrpc 2015-03-05 10:01:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0439 https://rhn.redhat.com/errata/RHSA-2015-0439.html

Comment 11 Fedora Update System 2015-03-09 08:18:20 UTC
krb5-1.11.5-18.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2015-03-12 16:33:42 UTC
krb5-1.12.2-14.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2015-04-09 05:09:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0794 https://rhn.redhat.com/errata/RHSA-2015-0794.html


Note You need to log in before you can comment on or make changes to this bug.