Bug 1488873 (CVE-2017-11462) - CVE-2017-11462 krb5: Automatic sec context deletion could lead to double-free
Summary: CVE-2017-11462 krb5: Automatic sec context deletion could lead to double-free
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-11462
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1488874
Blocks: 1667159
Reported: 2017-09-06 11:38 UTC by Andrej Nemec
Modified: 2019-09-29 14:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-03 03:18:09 UTC



Description Andrej Nemec 2017-09-06 11:38:03 UTC
RFC 2744 permits a GSS-API implementation to delete an existing security context on a second or subsequent call to gss_init_sec_context() or gss_accept_sec_context() if the call results in an error.  This API behavior has been found to be dangerous, leading to the possibility of memory errors in some callers.  For safety, GSS-API implementations should instead preserve existing security contexts on error until the caller deletes them.

References:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598

Upstream patch:

https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf

Comment 1 Andrej Nemec 2017-09-06 11:40:01 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1488874]

Comment 2 Huzaifa S. Sidhpurwala 2019-02-01 07:54:11 UTC
Analysis:

The problem exists in gss_init_sec_context() and gss_accept_sec_context(). These functions delete an existing security context structure when the internal union_ctx_id->internal_ctx_id is set to GSS_C_NO_CONTEXT. This security context structure is part of a bigger union context, which is later freed. So essentially this results in a double-free. This should not really be exploitable apart from a crash. The crash should only occur in rare circumstances when the affected code is hit.
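To make the failure mode in the description and analysis concrete, here is a small model of the two layers involved. This is an added illustration, not krb5 code: every toy_* name is a hypothetical stand-in (toy_union_ctx for the mechglue union context, internal_ctx_id for its mechanism pointer, toy_init_sec_context and toy_delete_sec_context for the GSS-API calls, TOY_NO_CONTEXT for GSS_C_NO_CONTEXT). Frees are instrumented rather than real, so a second free of the same object is counted instead of corrupting the heap. The preserve_on_error flag switches between the pre-fix behaviour (the implementation deletes the union context once the mechanism has dropped its own context on a failed second call) and the behaviour the upstream patch mandates (the union context is preserved until the caller deletes it).

```c
/* Toy model of the mechglue behaviour behind CVE-2017-11462.
 * Added illustration, not krb5 code.  Frees are instrumented instead of
 * real so a double free is counted rather than corrupting the heap. */
#include <stdio.h>
#include <stdlib.h>

#define TOY_NO_CONTEXT NULL            /* stands in for GSS_C_NO_CONTEXT */

typedef enum { TOY_S_COMPLETE = 0, TOY_S_CONTINUE_NEEDED = 1, TOY_S_FAILURE = 2 } toy_status;

typedef struct { int alive; int round; } toy_mech_ctx;                    /* mechanism-specific context */
typedef struct { int alive; toy_mech_ctx *internal_ctx_id; } toy_union_ctx; /* mechglue union context */

static int toy_double_frees;           /* frees that hit an already-freed object */

static toy_mech_ctx *toy_mech_alloc(void) {
    toy_mech_ctx *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->alive = 1;
    return m;
}

/* Objects are never really released: the alive flag stays inspectable so
 * a repeated free can be detected and counted. */
static void toy_mech_free(toy_mech_ctx *m) {
    if (!m->alive) { toy_double_frees++; return; }
    m->alive = 0;
}

static void toy_union_free(toy_union_ctx *u) {
    if (!u->alive) { toy_double_frees++; return; }
    if (u->internal_ctx_id != TOY_NO_CONTEXT) toy_mech_free(u->internal_ctx_id);
    u->alive = 0;
}

/* Mechanism layer: round 1 returns CONTINUE_NEEDED.  If asked to fail on
 * round 2 it deletes its own context and sets *mech to TOY_NO_CONTEXT,
 * which is the state the analysis above describes. */
static toy_status toy_mech_init(toy_mech_ctx **mech, int fail_second_round) {
    if (*mech == TOY_NO_CONTEXT) {
        *mech = toy_mech_alloc();
        (*mech)->round = 1;
        return TOY_S_CONTINUE_NEEDED;
    }
    (*mech)->round++;
    if (fail_second_round) {
        toy_mech_free(*mech);
        *mech = TOY_NO_CONTEXT;
        return TOY_S_FAILURE;
    }
    return TOY_S_COMPLETE;
}

/* Mechglue layer.  preserve_on_error == 0 models the pre-fix behaviour:
 * once the mech has dropped its context, the union context is deleted as
 * well, leaving the caller's handle dangling.  preserve_on_error == 1
 * models the fix: the union context survives the error and the caller
 * stays responsible for deleting it. */
static toy_status toy_init_sec_context(toy_union_ctx **ctx, int fail_second_round,
                                       int preserve_on_error) {
    toy_union_ctx *u = *ctx;
    int first_call = (u == TOY_NO_CONTEXT);
    toy_status st;

    if (first_call) {
        u = calloc(1, sizeof *u);
        if (!u) abort();
        u->alive = 1;
    }
    st = toy_mech_init(&u->internal_ctx_id, fail_second_round);
    if (st == TOY_S_FAILURE) {
        if (first_call) { toy_union_free(u); return st; }  /* no context on a failed first call */
        if (!preserve_on_error && u->internal_ctx_id == TOY_NO_CONTEXT)
            toy_union_free(u);                             /* pre-fix: implementation deletes it */
        return st;
    }
    *ctx = u;
    return st;
}

static void toy_delete_sec_context(toy_union_ctx **ctx) {
    if (*ctx == TOY_NO_CONTEXT) return;
    toy_union_free(*ctx);
    *ctx = TOY_NO_CONTEXT;
}

/* Caller following the safe discipline: after any error on a subsequent
 * call, delete the handle it holds.  Returns the double frees observed. */
static int toy_run_handshake(int preserve_on_error) {
    toy_union_ctx *ctx = TOY_NO_CONTEXT;
    toy_status st;

    toy_double_frees = 0;
    st = toy_init_sec_context(&ctx, 1, preserve_on_error);      /* round 1: CONTINUE_NEEDED */
    if (st == TOY_S_CONTINUE_NEEDED)
        st = toy_init_sec_context(&ctx, 1, preserve_on_error);  /* round 2: FAILURE */
    if (st == TOY_S_FAILURE)
        toy_delete_sec_context(&ctx);                           /* caller cleans up its handle */
    return toy_double_frees;
}

int main(void) {
    printf("pre-fix  double frees: %d\n", toy_run_handshake(0));
    printf("post-fix double frees: %d\n", toy_run_handshake(1));
    return 0;
}
```

With the pre-fix behaviour the caller's cleanup hits an object the implementation already released, which is the double free the analysis refers to; with the context preserved on error, ownership is unambiguous and the caller's single delete is the only free.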

