Bug 1275863 - CVE-2015-2697 krb5: build_principal() memory flaw
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150925,repor...
Keywords: Security
Depends On: 1275872
Blocks: 1275873
Reported: 2015-10-27 20:53 EDT by Kurt Seifried
Modified: 2015-12-10 19:31 EST

Doc Type: Bug Fix
Doc Text:
An out-of-bounds read flaw was discovered in MIT Kerberos: the build_principal_va() function did not correctly duplicate the realm. An authenticated remote attacker could possibly exploit this flaw by sending a TGS request containing a specially crafted realm field, crashing the KDC (denial of service).
Last Closed: 2015-12-10 05:27:37 EST

Description Kurt Seifried 2015-10-27 20:53:52 EDT
The kerberos project reports:

In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string.  This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
affected.

CVE-2015-2697:

In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte.  If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm.  Due to a bug in this
function, the null byte causes only one byte to be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.

External reference:
https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
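The root cause described above is a mismatch between how the realm buffer is sized and how long later code believes it is: strdup() allocates up to the first NUL byte, while the principal's realm length is the caller-supplied rlen. The following C program is an added illustration, not code from the krb5 project or from this bug report. It models the pre-fix strdup() copy beside a length-counted copy modelled on the k5memdup0() helper that the upstream fix switches to (the helper here is a local reimplementation named memdup0; the counted_str type and its alloc field are assumptions made so the two copies can be compared), and applies a consistency check that flags the under-allocated copy before anything reads from it.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5's length-counted string (krb5_data). The 'alloc' field
 * is not part of the real type; it is tracked here only so the demonstration
 * can compare what was allocated with what the length field claims. */
typedef struct {
    size_t length;
    char  *data;
    size_t alloc;
} counted_str;

/* Length-counted duplicate with a trailing NUL, modelled on the k5memdup0()
 * helper the upstream fix uses (name and exact semantics assumed). */
static char *memdup0(const void *in, size_t len) {
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, in, len);
    out[len] = '\0';
    return out;
}

/* Pre-fix pattern: the buffer is sized by strdup(), i.e. up to the first NUL
 * byte, but the recorded length is the caller-supplied rlen. */
int copy_realm_strdup(unsigned int rlen, const char *realm, counted_str *out) {
    char *dup = strdup(realm);
    if (dup == NULL)
        return -1;
    out->data   = dup;
    out->alloc  = strlen(dup) + 1;   /* what strdup() actually allocated */
    out->length = rlen;              /* what later code will believe is valid */
    return 0;
}

/* Post-fix pattern: allocate rlen + 1 bytes regardless of the content. */
int copy_realm_memdup0(unsigned int rlen, const char *realm, counted_str *out) {
    char *dup = memdup0(realm, rlen);
    if (dup == NULL)
        return -1;
    out->data   = dup;
    out->alloc  = (size_t)rlen + 1;
    out->length = rlen;
    return 0;
}

/* A copy is safe to consume only if every byte the length field promises,
 * plus the terminator, is backed by the allocation. */
int copy_is_consistent(const counted_str *s) {
    return s->alloc >= s->length + 1;
}

/* Run both copies on the shape of input the advisory describes: a long realm
 * whose first byte is NUL (constructed sample). Returns 1 when only the
 * fixed copy passes the consistency check, -1 on allocation failure. */
int demo_null_prefixed_realm(void) {
    char realm[64];
    memset(realm, 'A', sizeof(realm));
    realm[0] = '\0';

    counted_str vuln = {0}, fixed = {0};
    if (copy_realm_strdup((unsigned int)sizeof(realm), realm, &vuln) != 0)
        return -1;
    if (copy_realm_memdup0((unsigned int)sizeof(realm), realm, &fixed) != 0) {
        free(vuln.data);
        return -1;
    }

    int result = !copy_is_consistent(&vuln) && copy_is_consistent(&fixed);
    free(vuln.data);
    free(fixed.data);
    return result;
}
```

For the NUL-prefixed 64-byte realm, copy_realm_strdup() records length 64 over a 1-byte allocation, which is exactly the condition that lets later principal operations read past the buffer; copy_realm_memdup0() records length 64 over 65 bytes and passes the check. The general lesson is the one the fix encodes: data that arrives with an explicit length must be copied by that length, never by a terminator scan.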
Comment 1 Kurt Seifried 2015-10-27 21:36:46 EDT
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1275872]
