Bug 1179863 (CVE-2014-9423) - CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)
Summary: CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (M...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-9423
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1181208 1188869
Blocks: 1179866
TreeView+ depends on / blocked
 
Reported: 2015-01-07 16:51 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:51 UTC (History)
30 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS implementation (libgssrpc) handled certain requests. An attacker could send a specially crafted request to an application using libgssrpc to disclose a limited portion of uninitialized memory used by that application.
Clone Of:
Environment:
Last Closed: 2015-03-06 10:23:47 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0439 0 normal SHIPPED_LIVE Moderate: krb5 security, bug fix and enhancement update 2015-03-05 14:38:14 UTC

Description Vasyl Kaigorodov 2015-01-07 16:51:24 UTC
Upstream reports that libgssrpc applications including kadmind output four or
eight bytes of uninitialized memory to the network as part of an
unused "handle" field in replies to clients.

An attacker could attempt to glean sensitive
information from the four or eight bytes of uninitialized data output
by kadmind or other libgssrpc server application.  Because MIT krb5
generally sanitizes memory containing krb5 keys before freeing it, it
is unlikely that kadmind would leak Kerberos key information, but it
is not impossible.

RFC 2203 defines structures for the RPCSEC_GSS authentication flavor.
The rpc_gss_init_res structure which conveys responses to the client
contains an opaque "handle" field which is supposed to be used to
identify the GSS-API security context.  The client mirrors this field
back to the server in the "handle" field of rpc_gss_cred_vers_1_t in
subsequent requests.

The MIT krb5 implementation of RPCSEC_GSS does not use the handle to
find the GSS-API context, but it still provides a handle value to the
client.  To provide this value, it copies the first eight or sixteen
bytes out of the GSS-API security context handle.  (The number of
bytes depends on the platform's pointer size; it is eight bytes on a
32-bit platform and sixteen bytes on a 64-bit platform.)

In release krb5-1.11, an unused "interposer" field was added to the
mechglue GSS security context structure as the second pointer field.
Because this field is unused, it remains uninitialized, so the second
half of the bytes copied from the GSS security context handle are
uninitialized.

The contents of the uninitialized bytes could contain any heap data
previously freed by the application or any library it uses.  The MIT
Kerberos libraries and kadmind are generally careful to zero out
sensitive data such as Kerberos key data before freeing it, but there
is nevertheless a risk of leakage of a small amount of sensitive data
to the network.

Suggested patch to fix this issue, as well as CVE-2014-5352, CVE-2014-9421
and CVE-2014-9422 is attached to https://bugzilla.redhat.com/show_bug.cgi?id=1179856

Comment 1 Vasyl Kaigorodov 2015-01-07 17:02:58 UTC
Acknowledgements:

Red Hat would like to thank the MIT Kerberos project for reporting this issue.

Comment 2 Vasyl Kaigorodov 2015-01-12 15:19:29 UTC
According to MIT, server software (including third-party applications) using libgssrpc from release krb5-1.11 and later are vulnerable.

Comment 4 Vincent Danen 2015-01-12 16:30:25 UTC
krb5 as shipped with Red Hat Enterprise Linux 5 and 6 are not affected by this as the flaw as noted in the upstream advisory was introduced in 1.11.

Comment 5 Vincent Danen 2015-02-03 21:20:36 UTC
External References:

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.txt

Comment 6 Vincent Danen 2015-02-03 21:22:17 UTC
Statement:

This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5 and 6 as the flaw was introduced in a later version (1.11).

Comment 7 Vincent Danen 2015-02-03 21:38:47 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1188869]

Comment 9 errata-xmlrpc 2015-03-05 10:01:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0439 https://rhn.redhat.com/errata/RHSA-2015-0439.html

Comment 10 Fedora Update System 2015-03-09 08:18:27 UTC
krb5-1.11.5-18.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-03-12 16:33:47 UTC
krb5-1.12.2-14.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.