Bug 1504045 - CVE-2017-15088 krb5: Buffer overflow in get_matching_data()
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
: Security
Depends On: 1506622
Blocks: 1504046
Reported: 2017-10-19 07:44 EDT by Adam Mariš
Modified: 2018-05-03 00:25 EDT (History)
Fixed In Version: krb5 1.16
Doc Text:
A stack-based buffer overflow was found in the get_matching_data() function, when reading the principal's certificate during pkinit preauthentication. If the Certificate Authority's subject line is sufficiently long, an attacker able to have a specially crafted certificate signed could crash the authentication process, such as kinit, or, possibly, run arbitrary code.
Last Closed: 2018-01-10 06:15:20 EST

Description Adam Mariš 2017-10-19 07:44:38 EDT
A buffer overflow vulnerability was found in the get_matching_data() function when both the CA cert and the user cert have a long subject, affecting krb5 versions that include the certauth plugin. The attack requires a validated certificate with a long subject and issuer, and a "pkinit_cert_match" string attribute on some principal in the database. A remote code execution exploit might also require that the attacker gets to choose the contents of the issuer in the validated cert.

Bug report:
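As an added illustration of the bug class the description refers to (this is not krb5's code and not the actual get_matching_data() implementation): a "subject|issuer" string built from certificate names is written into a fixed-size stack buffer, and the defensive forms either check the combined length before writing or size the buffer from the input. DN_BUF_LEN, the '|' separator and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed buffer size; the real size in krb5 is not on this page. */
#define DN_BUF_LEN 256

/* Bounded form: writes "subject|issuer" into a caller-supplied buffer.
 * Returns 0 on success, -1 when the combined DN does not fit; on -1 the
 * buffer holds an empty string so a truncated DN can never be matched. */
int format_match_dn_bounded(const char *subject, const char *issuer,
                            char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s|%s", subject, issuer);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Allocating form: sizes the buffer from the input, so the DN length is
 * not bounded by a compile-time constant at all.  Caller frees the result. */
char *format_match_dn_alloc(const char *subject, const char *issuer)
{
    size_t need = strlen(subject) + strlen(issuer) + 2;  /* '|' and NUL */
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    snprintf(out, need, "%s|%s", subject, issuer);
    return out;
}

/* Constructed input: a subject and an issuer each DN_BUF_LEN bytes long,
 * the "long subject and issuer" condition the report gives.  Returns the
 * length the allocating form produced, or -1 if the bounded form wrongly
 * accepted the over-long pair or allocation failed. */
int demo_long_dns(void)
{
    char subject[DN_BUF_LEN + 1], issuer[DN_BUF_LEN + 1], buf[DN_BUF_LEN];
    memset(subject, 'S', DN_BUF_LEN); subject[DN_BUF_LEN] = '\0';
    memset(issuer, 'I', DN_BUF_LEN);  issuer[DN_BUF_LEN] = '\0';
    if (format_match_dn_bounded(subject, issuer, buf, sizeof(buf)) == 0)
        return -1;  /* must be rejected, never silently truncated */
    char *dn = format_match_dn_alloc(subject, issuer);
    if (dn == NULL)
        return -1;
    int len = (int)strlen(dn);
    free(dn);
    return len;  /* 2 * DN_BUF_LEN + 1 == 513 */
}
```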

Comment 5 Cedric Buissart 2017-10-26 09:07:57 EDT
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1506622]
Comment 9 Cedric Buissart 2018-01-10 06:14:16 EST

This issue affects the versions of krb5 as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
