Red Hat Bugzilla – Bug 1179857
CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
Last modified: 2015-11-04 03:59:24 EST
Upstream reports that if the MIT krb5 kadmind daemon receives invalid XDR data from an authenticated user, it may perform use-after-free and double-free memory access violations while cleaning up the partial deserialization results. Other libgssrpc server applications may also be vulnerable if they contain insufficiently defensive XDR functions. An authenticated attacker could cause kadmind or other vulnerable server application to crash or to execute arbitrary code. Exploiting a double-free event to execute arbitrary code is believed to be difficult. libgssrpc applications use the XDR serialization format. XDR data is serialized, deserialized, and freed using an application function, often generated by the rpcgen command. If an application receives incorrectly serialized data from the client, the XDR function will return false to report a deserialization failure, perhaps leaving behind partial deserialization results. To avoid a memory leak, these partial results must be freed with another invocation of the XDR function. In a server application, this cleanup is performed automatically by svc_getargs(). If the AUTH_GSSAPI authentication flavor is used, the cleanup is also erroneously performed by the internal unwrap function, so the XDR function is invoked twice to clean up the partial results. XDR functions can be defensive about being invoked twice for cleanup by assigning pointer values to NULL after freeing them. Most XDR functions do this, but the XDR functions within libkadm5 for principal names and tag-length data do not. When these functions are invoked twice by libgssrpc to clean up a value, the second invocations perform use-after-free and double-free memory access violations. These XDR functions are only exposed to an authenticated attacker. This vulnerability could theoretically lead to the execution of malicious code, but that is believed to be difficult. Client applications are not believed to be vulnerable because clnt_call() and client stub functions do not free partial deserialization results. Suggested patch to fix this vulnerability as well as CVE-2014-5352, CVE-2014-9422 and CVE-2014-9423 is attached to https://bugzilla.redhat.com/show_bug.cgi?id=1179856
Acknowledgements: Red Hat would like to thank the MIT Kerberos project for reporting this issue.
According to MIT, kadmind is vulnerable in all released versions of MIT krb5. Third-party server applications using libgssrpc are vulnerable if they enable the AUTH_GSSAPI authentication flavor and contain insufficiently defensive XDR functions
External References: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.txt
Created krb5 tracking bugs for this issue: Affects: fedora-all [bug 1188869]
Upstream commit: https://github.com/krb5/krb5/commit/a197e92349a4aa2141b5dff12e9dd44c2a2166e3
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:0439 https://rhn.redhat.com/errata/RHSA-2015-0439.html
krb5-1.11.5-18.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.12.2-14.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:0794 https://rhn.redhat.com/errata/RHSA-2015-0794.html