Bug 1302632 (CVE-2015-8630) - CVE-2015-8630 krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
Summary: CVE-2015-8630 krb5: krb5 doesn't check for null policy when KADM5_POLICY is s...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8630
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1302633 1306969 1306970
Blocks: 1302647
 
Reported: 2016-01-28 10:12 UTC by Adam Mariš
Modified: 2019-09-29 13:43 UTC (History)
CC List: 19 users

Fixed In Version: krb5 1.14.1, krb5 1.13.4
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() functions did not ensure that a policy name was actually supplied when KADM5_POLICY was set in the mask. An authenticated attacker with permission to add or modify principals in the database could use this flaw to submit a principal with KADM5_POLICY set and a NULL policy value, causing the kadmind service to crash (denial of service).
Clone Of:
Environment:
Last Closed: 2016-04-01 07:07:42 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0532 normal SHIPPED_LIVE Moderate: krb5 security update 2016-04-01 01:52:02 UTC

Description Adam Mariš 2016-01-28 10:12:51 UTC
It was reported that in MIT krb5 1.12 and later, an authenticated attacker with permission to modify a principal entry can cause kadmind to dereference a null pointer by supplying a null policy value but including KADM5_POLICY in the mask.

Upstream patch:

https://github.com/krb5/krb5/commit/b863de7fbf080b15e347a736fdda0a82d42f4f6b
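
The following C program is an added illustration of the pattern described above; it is not krb5 source code. The struct layout, the numeric value chosen for KADM5_POLICY and the function names modify_principal_vulnerable() / modify_principal_hardened() and store_policy() are all constructed for this example. It contrasts the unchecked shape, where a mask bit is trusted as proof that the matching pointer is non-NULL, with the hardened shape that validates the (mask, pointer) pair before any dereference and fails the request with EINVAL instead of crashing the daemon.

```c
/*
 * Added illustration (not krb5 source) of the CVE-2015-8630 bug class:
 * a request flag (KADM5_POLICY in the mask) is taken as proof that the
 * associated pointer (the policy name) is valid.  All names, the struct
 * and the KADM5_POLICY bit value here are constructed for the example.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KADM5_POLICY 0x00000800UL   /* assumed bit value, illustration only */

struct principal_ent {
    const char *policy;             /* policy name; may legitimately be NULL */
};

/* Stands in for writing the policy name into the database entry.
 * The strlen() is the dereference that a NULL pointer turns into a crash. */
static int store_policy(const char *policy)
{
    size_t n = strlen(policy);
    return n == 0 ? EINVAL : 0;     /* empty names are rejected */
}

/* Vulnerable shape: if the caller sets KADM5_POLICY in the mask, the
 * policy pointer is used without checking it.  An authenticated client
 * sending mask|KADM5_POLICY with policy == NULL reaches strlen(NULL). */
int modify_principal_vulnerable(unsigned long mask, const struct principal_ent *ent)
{
    if (mask & KADM5_POLICY)
        return store_policy(ent->policy);   /* NULL deref when ent->policy == NULL */
    return 0;
}

/* Hardened shape: the mask bit and the pointer must agree before anything
 * is dereferenced; a mismatch is a malformed request, answered with EINVAL. */
int modify_principal_hardened(unsigned long mask, const struct principal_ent *ent)
{
    if (ent == NULL)
        return EINVAL;
    if ((mask & KADM5_POLICY) && ent->policy == NULL)
        return EINVAL;                      /* the check that was missing */
    if (mask & KADM5_POLICY)
        return store_policy(ent->policy);
    return 0;                               /* no policy change requested */
}

int main(void)
{
    struct principal_ent good = { "default" };
    struct principal_ent bad = { NULL };

    printf("hardened, valid policy + flag:  %d\n",
           modify_principal_hardened(KADM5_POLICY, &good));
    printf("hardened, NULL policy + flag:   %d (EINVAL is %d)\n",
           modify_principal_hardened(KADM5_POLICY, &bad), EINVAL);
    printf("hardened, NULL policy, no flag: %d\n",
           modify_principal_hardened(0, &bad));
    /* modify_principal_vulnerable(KADM5_POLICY, &bad) would segfault here,
     * which is exactly the kadmind crash the report describes. */
    return 0;
}
```

The point to carry over when reviewing similar administrative RPC servers: every optional field selected by a mask bit needs its presence checked against that bit at the trust boundary, since an authenticated but malicious client controls both independently.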

Comment 1 Adam Mariš 2016-01-28 10:13:22 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1302633]

Comment 6 Tomas Hoger 2016-03-03 21:29:12 UTC
Upstream bug report:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=8342

Fixed upstream in krb5 1.14.1:

http://web.mit.edu/kerberos/krb5-1.14/krb5-1.14.1.html

The upstream bug report also indicates the issue will be fixed in 1.13.4.

Comment 7 errata-xmlrpc 2016-03-31 22:03:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0532 https://rhn.redhat.com/errata/RHSA-2016-0532.html

