Bug 1275869 - (CVE-2015-2696) CVE-2015-2696 krb5: IAKERB context aliasing flaw
CVE-2015-2696 krb5: IAKERB context aliasing flaw
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150914,repor...
: Security
Depends On: 1275872
Blocks: 1275873
  Show dependency treegraph
 
Reported: 2015-10-27 21:23 EDT by Kurt Seifried
Modified: 2015-12-10 19:43 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A type-confusion flaw was discovered in MIT Kerberos, where it incorrectly deals with IAKERB context handles. If an application calls gss_inquire_context() on a partially-established IAKERB context, an unauthenticated remote attacker could possibly exploit the flaw to crash the application (denial of service) by sending it a specially crafted IAKERB packet.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-10 05:27:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2015-10-27 21:23:59 EDT
The kerberos project reports:

The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type.  Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.

CVE-2015-2696:

In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  Java server applications using the
native JGSS provider are vulnerable to this bug.  A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.

External references:
https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
Comment 1 Kurt Seifried 2015-10-27 21:36:51 EDT
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1275872]
Comment 3 Kurt Seifried 2015-11-06 15:30:26 EST
The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory.  Fix the regression by properly
dereferencing the context_handle pointer before casting it.

Please see BZ#1278951 for information on CVE-2015-2698 which addresses this regression.

Note You need to log in before you can comment on or make changes to this bug.