Bug 1302632 - (CVE-2015-8630) CVE-2015-8630 krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20160108,reported=2...
Keywords: Security
Depends On: 1302633 1306969 1306970
Blocks: 1302647
Reported: 2016-01-28 05:12 EST by Adam Mariš
Modified: 2016-04-03 19:18 EDT
CC: 19 users

Fixed In Version: krb5 1.14.1, krb5 1.13.4
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() functions did not ensure that a policy name was supplied when KADM5_POLICY was set in the mask. An authenticated attacker with permission to modify the database could use this flaw to add or modify a principal with a NULL policy, causing the kadmind service to crash.
Last Closed: 2016-04-01 03:07:42 EDT


Attachments: None
Description Adam Mariš 2016-01-28 05:12:51 EST
It was reported that in MIT krb5 1.12 and later, an authenticated attacker with permission to modify a principal entry can cause kadmind to dereference a null pointer by supplying a null policy value but including KADM5_POLICY in the mask.

Upstream patch:

https://github.com/krb5/krb5/commit/b863de7fbf080b15e347a736fdda0a82d42f4f6b
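The following is an added illustration of the flaw and its fix, not code from krb5 or from this bug report. It is a reduced C model of the policy-name handling in the kadm5 create/modify path: the struct, the mask bit value, the policy table and the error code are assumptions made for the example (prefixed ex_ so they are not mistaken for the real admin.h definitions); only the shape of the guard, rejecting a NULL policy pointer when the caller set the policy bit in the mask, follows the fix described above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative stand-ins for the kadm5 API.  The mask bit and the error
 * code are assumptions made for this example, not values from admin.h.
 */
#define EX_KADM5_POLICY        0x000800L  /* "entry->policy is meaningful" */
#define EX_ERR_UNKNOWN_POLICY  1000L      /* stand-in for a KADM5 unknown-policy error */

/* Reduced model of a kadm5 principal entry: only what the check touches. */
typedef struct {
    const char *principal;
    const char *policy;      /* policy name, or NULL when none was supplied */
} ex_principal_ent;

/* Constructed policy database for the example. */
static const char *const ex_policies[] = { "default", "admins", NULL };

static int ex_policy_exists(const char *name)
{
    for (const char *const *p = ex_policies; *p != NULL; p++)
        if (strcmp(*p, name) == 0)
            return 1;
    return 0;
}

/*
 * Pre-fix shape: the mask alone decides whether the policy name is used.
 * An authenticated caller who sets the policy bit but leaves entry->policy
 * NULL drives strcmp() into a NULL dereference inside ex_policy_exists().
 * Never call this with policy == NULL and the bit set; it will crash,
 * which is exactly the kadmind denial of service reported here.
 */
static long ex_create_principal_vulnerable(const ex_principal_ent *entry, long mask)
{
    if (mask & EX_KADM5_POLICY) {
        if (!ex_policy_exists(entry->policy))
            return EX_ERR_UNKNOWN_POLICY;
        /* ... would go on to record entry->policy in the database entry ... */
    }
    return 0;
}

/*
 * Fixed shape: refuse the inconsistent request before anything touches the
 * pointer.  The same guard belongs at the top of the modify path, the second
 * function named in the advisory.  Everything after the guard is unchanged,
 * so the vulnerable body is reused deliberately: with the guard in front of
 * it, entry->policy is known to be non-NULL whenever it is dereferenced.
 */
static long ex_create_principal_fixed(const ex_principal_ent *entry, long mask)
{
    if ((mask & EX_KADM5_POLICY) && entry->policy == NULL)
        return EINVAL;
    return ex_create_principal_vulnerable(entry, mask);
}

int main(void)
{
    const ex_principal_ent ok  = { "alice@EXAMPLE.COM", "default" };
    const ex_principal_ent bad = { "mallory@EXAMPLE.COM", NULL };

    printf("valid policy, bit set:   %ld\n",
           ex_create_principal_fixed(&ok, EX_KADM5_POLICY));
    printf("NULL policy, bit set:    %ld (EINVAL is %d)\n",
           ex_create_principal_fixed(&bad, EX_KADM5_POLICY), EINVAL);
    printf("NULL policy, bit clear:  %ld\n",
           ex_create_principal_fixed(&bad, 0));
    return 0;
}
```

The point to take from the model is that a NULL policy pointer is legitimate on its own (it simply means "no policy"); it is the combination of a NULL pointer and a mask bit claiming the field is populated that the server must reject, and it must do so before any policy lookup or string comparison runs.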
Comment 1 Adam Mariš 2016-01-28 05:13:22 EST
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1302633]
Comment 6 Tomas Hoger 2016-03-03 16:29:12 EST
Upstream bug report:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=8342

Fixed upstream in krb5 1.14.1:

http://web.mit.edu/kerberos/krb5-1.14/krb5-1.14.1.html

The upstream bug report also indicates the issue will be fixed in 1.13.4.
Comment 7 errata-xmlrpc 2016-03-31 18:03:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0532 https://rhn.redhat.com/errata/RHSA-2016-0532.html
