Upstream reports that libgssrpc applications including kadmind output four or
eight bytes of uninitialized memory to the network as part of an
unused "handle" field in replies to clients.
An attacker could attempt to glean sensitive
information from the four or eight bytes of uninitialized data output
by kadmind or other libgssrpc server applications. Because MIT krb5
generally sanitizes memory containing krb5 keys before freeing it, it
is unlikely that kadmind would leak Kerberos key information, but it
is not impossible.
RFC 2203 defines structures for the RPCSEC_GSS authentication flavor.
The rpc_gss_init_res structure which conveys responses to the client
contains an opaque "handle" field which is supposed to be used to
identify the GSS-API security context. The client mirrors this field
back to the server in the "handle" field of rpc_gss_cred_vers_1_t in
The MIT krb5 implementation of RPCSEC_GSS does not use the handle to
find the GSS-API context, but it still provides a handle value to the
client. To provide this value, it copies the first eight or sixteen
bytes out of the GSS-API security context handle. (The number of
bytes depends on the platform's pointer size; it is eight bytes on a
32-bit platform and sixteen bytes on a 64-bit platform.)
In release krb5-1.11, an unused "interposer" field was added to the
mechglue GSS security context structure as the second pointer field.
Because this field is unused, it remains uninitialized, so the second
half of the bytes copied from the GSS security context handle are
The contents of the uninitialized bytes could contain any heap data
previously freed by the application or any library it uses. The MIT
Kerberos libraries and kadmind are generally careful to zero out
sensitive data such as Kerberos key data before freeing it, but there
is nevertheless a risk of leakage of a small amount of sensitive data
to the network.
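To make the mechanism concrete, here is an added example (not krb5's own code; the struct, field and function names are hypothetical stand-ins) that models a context struct with an unused second pointer field, shows the raw-copy handle pattern carrying stale heap bytes into the wire handle, and the zero-before-use fix. The "heap" is a constructed slot pre-filled with a marker byte so the result is deterministic.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the mechglue context struct: two pointer
 * fields, the second ("interposer") never written by the application. */
struct ctx_handle { void *mech_ctx; void *interposer; };

#define WIRE_HANDLE_LEN (2 * sizeof(void *)) /* 8 on 32-bit, 16 on 64-bit */
#define STALE 0xAA                           /* marks leftover heap data  */

/* Constructed "heap" slot, pre-filled with STALE to model data left
 * behind by an earlier, freed allocation. */
static union { struct ctx_handle ctx; unsigned char raw[sizeof(struct ctx_handle)]; } slot;
static int placeholder_mech_ctx;

static struct ctx_handle *alloc_ctx_from_stale_heap(void)
{
    memset(slot.raw, STALE, sizeof slot.raw);
    return &slot.ctx;
}

/* Vulnerable pattern: set only the field that is used, then copy the
 * leading bytes of the struct into the wire handle; the second half is
 * whatever the slot held before. */
void make_handle_vulnerable(unsigned char out[WIRE_HANDLE_LEN])
{
    struct ctx_handle *ctx = alloc_ctx_from_stale_heap();
    ctx->mech_ctx = &placeholder_mech_ctx;
    memcpy(out, ctx, WIRE_HANDLE_LEN);
}

/* Hardened pattern: zero the whole struct before use (calloc() would do
 * the same), so an unused field cannot carry stale data to the wire. */
void make_handle_fixed(unsigned char out[WIRE_HANDLE_LEN])
{
    struct ctx_handle *ctx = alloc_ctx_from_stale_heap();
    memset(ctx, 0, sizeof *ctx);
    ctx->mech_ctx = &placeholder_mech_ctx;
    memcpy(out, ctx, WIRE_HANDLE_LEN);
}

/* Check: how many bytes of the handle's second half are stale heap data? */
size_t stale_bytes(void (*make)(unsigned char *))
{
    unsigned char h[WIRE_HANDLE_LEN];
    size_t n = 0;
    make(h);
    for (size_t i = sizeof(void *); i < WIRE_HANDLE_LEN; i++)
        n += (h[i] == STALE);
    return n;
}
```

The vulnerable variant yields a full pointer-width of marker bytes in the second half of the handle, the fixed variant none.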
A suggested patch to fix this issue, as well as CVE-2014-5352, CVE-2014-9421
and CVE-2014-9422, is attached to https://bugzilla.redhat.com/show_bug.cgi?id=1179856
Red Hat would like to thank the MIT Kerberos project for reporting this issue.
According to MIT, server software (including third-party applications) using libgssrpc from release krb5-1.11 and later is vulnerable.
krb5 as shipped with Red Hat Enterprise Linux 5 and 6 is not affected by this, as the flaw, as noted in the upstream advisory, was introduced in 1.11.
This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5 and 6 as the flaw was introduced in a later version (1.11).
Created krb5 tracking bugs for this issue:
Affects: fedora-all [bug 1188869]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:0439 https://rhn.redhat.com/errata/RHSA-2015-0439.html
krb5-1.11.5-18.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.12.2-14.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.