Bug 1275871 - (CVE-2015-2695) CVE-2015-2695 krb5: SPNEGO context aliasing bugs
CVE-2015-2695 krb5: SPNEGO context aliasing bugs
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150914,repor...
: Security
Depends On: 1275872
Blocks: 1275873
  Show dependency treegraph
 
Reported: 2015-10-27 21:32 EDT by Kurt Seifried
Modified: 2016-01-04 18:22 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A resource-access flaw was discovered in krb5; the SPNEGO mechanism operates under an incorrect assumption when dealing with its context handles. If an application calls gss_inquire_context() on a partially-established SPNEGO context, an unauthenticated, remote attacker could possibly exploit this flaw by sending a specially crafted SPNEGO packet and crashing the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-10 05:26:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2015-10-27 21:32:52 EDT
The kerberos project reports:

The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods.  Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.

CVE-2015-2695:

In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context().  Java server
applications using the native JGSS provider are vulnerable to this
bug.  A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.

External References:
https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d
Comment 1 Kurt Seifried 2015-10-27 21:36:56 EDT
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1275872]

Note You need to log in before you can comment on or make changes to this bug.