Bug 1302642 (CVE-2015-8631) - CVE-2015-8631 krb5: Memory leak caused by supplying a null principal name in request
Summary: CVE-2015-8631 krb5: Memory leak caused by supplying a null principal name in ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8631
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1302643 1306969 1306970 1306973 1306974
Blocks: 1302647
Reported: 2016-01-28 10:19 UTC by Adam Mariš
Modified: 2019-09-29 13:43 UTC (History)

Fixed In Version: krb5 1.14.1, krb5 1.13.4
Doc Type: Bug Fix
Doc Text:
A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.
Clone Of:
Environment:
Last Closed: 2016-04-01 07:07:52 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0493 normal SHIPPED_LIVE Moderate: krb5 security update 2016-03-23 01:01:50 UTC
Red Hat Product Errata RHSA-2016:0532 normal SHIPPED_LIVE Moderate: krb5 security update 2016-04-01 01:52:02 UTC

Description Adam Mariš 2016-01-28 10:19:03 UTC
It was reported that if krb5_unparse_name() fails, many of the stubs will leak the client and server name. In all versions of MIT krb5, an authenticated attacker can cause kadmind to leak memory by supplying a null principal name in a request which uses one. Repeating these requests will eventually cause kadmind to exhaust all available memory.

Upstream patch:

https://github.com/krb5/krb5/commit/83ed75feba32e46f736fcce0d96a0445f29b96c2
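Added illustration, not code from the krb5 tree or from this report: a constructed C sketch of the stub shape the description refers to, with a hypothetical mock_unparse_name() standing in for krb5_unparse_name(). It shows the early-return pattern that abandons the already-unparsed client name when the server principal is null, beside the single-exit cleanup that frees both names on every path; an allocation counter makes the difference measurable.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

static int live_allocs = 0;  /* name buffers handed out and not yet freed */
/* Constructed stand-in for krb5_unparse_name(): returns a heap copy of the
 * principal text, or a non-zero error when the principal is NULL. */
static int mock_unparse_name(const char *princ, char **out) {
    *out = NULL;
    if (princ == NULL) return 1;            /* unparse failure */
    *out = strdup(princ);
    live_allocs++;
    return 0;
}

static void mock_free_name(char *name) {
    if (name != NULL) { free(name); live_allocs--; }
}

/* Leaky shape: an early return after the second unparse fails abandons
 * the name the first call already allocated. */
int stub_leaky(const char *client, const char *server) {
    char *cname, *sname;
    if (mock_unparse_name(client, &cname) != 0) return -1;
    if (mock_unparse_name(server, &sname) != 0) return -1; /* cname leaked */
    mock_free_name(cname);
    mock_free_name(sname);
    return 0;
}

/* Fixed shape: names start NULL and every exit passes through cleanup. */
int stub_fixed(const char *client, const char *server) {
    char *cname = NULL, *sname = NULL;
    int ret = -1;
    if (mock_unparse_name(client, &cname) != 0) goto cleanup;
    if (mock_unparse_name(server, &sname) != 0) goto cleanup;
    ret = 0;
cleanup:
    mock_free_name(cname);
    mock_free_name(sname);
    return ret;
}

/* Sends one request with a NULL server principal through the given stub
 * and reports how many name buffers are still live afterwards. */
int leaked_after_null_server(int (*stub)(const char *, const char *)) {
    live_allocs = 0;
    stub("user@EXAMPLE.COM", NULL);
    return live_allocs;
}
```

Each request through the leaky shape leaves one buffer behind, which is the per-request growth that, repeated, exhausts the daemon's memory.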

Comment 1 Adam Mariš 2016-01-28 10:19:31 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1302643]

Comment 4 Cedric Buissart 🐶 2016-02-16 15:18:44 UTC
Acknowledgements:

This issue was discovered by Simo Sorce of Red Hat.

Comment 6 Tomas Hoger 2016-03-03 21:29:15 UTC
Upstream bug report:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=8343

Fixed upstream in krb5 1.14.1:

http://web.mit.edu/kerberos/krb5-1.14/krb5-1.14.1.html

The upstream bug report also indicates the issue will be fixed in 1.13.4.

Comment 7 errata-xmlrpc 2016-03-22 21:02:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0493 https://rhn.redhat.com/errata/RHSA-2016-0493.html

Comment 8 errata-xmlrpc 2016-03-31 22:03:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0532 https://rhn.redhat.com/errata/RHSA-2016-0532.html
