A flaw was found in the way the internal function ber_scanf() was used in some components of the IPA server which parsed Kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or, in some conditions, cause arbitrary code to be executed on the host running the IPA server.
Technical details and analysis: in ber_decode_krb5_key_data(), there is a call to ber_scanf to skip over unsupported sk2params:

    if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
        /* not supported yet, skip */
        retag = ber_scanf(be, "t[x]}");
    } else {

This 'ber_scanf' call is missing a '&tag' argument, meaning that it ends up overwriting memory at whatever address happens to be on the stack. This might be a security issue since the tag that gets stored is user-controlled data, though the pointer getting stored to probably is not easy to control. Looking at the way pointers are arranged on the stack for this function, it may be difficult to overwrite a pointer and achieve code execution. Also, the function is protected by SSP, therefore RCE may be difficult to achieve.
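The defect above is a variadic-argument mismatch: ber_scanf() takes a format string, and the 't' directive expects a ber_tag_t pointer that the call never supplies, so the function reads a stale value off the stack and stores the attacker-supplied tag through it. Neither the compiler nor the ASN.1 decoder can detect this. The following added example (not FreeIPA or OpenLDAP code) is a small arity checker for ber_scanf() format strings that can be run over call sites collected from a source tree. The per-directive argument counts are an assumption taken from the lber-decode(3) manual page as recalled by the author of this example; verify them against the liblber version you build with. The "fixed" call site it checks is the form implied by the analysis above (the same call with &tag added), not a quotation of the upstream patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Number of variadic arguments one ber_scanf() format directive consumes,
 * or -1 if this checker does not know the directive. Table assumed from
 * lber-decode(3); confirm against your liblber. */
static int ber_directive_argc(char c)
{
    switch (c) {
    /* structural directives and "skip" consume no arguments */
    case 'n': case 'x': case '{': case '}': case '[': case ']':
        return 0;
    /* one output pointer (ber_tag_t*, ber_int_t*, struct berval*, ...) */
    case 'a': case 'A': case 'b': case 'e': case 'i': case 'l': case 'm':
    case 'o': case 'O': case 't': case 'T': case 'v': case 'V': case 'W':
        return 1;
    /* 'B' (bit string) and 's' (string into caller buffer): pointer + length */
    case 'B': case 's':
        return 2;
    /* 'M' (BerVarray decoded in place): array, length pointer, offset */
    case 'M':
        return 3;
    default:
        return -1;
    }
}

/* Total variadic arguments a whole format string requires, or -1 if it
 * contains an unknown directive. */
int ber_scanf_argc(const char *fmt)
{
    int total = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        int n = ber_directive_argc(*p);
        if (n < 0)
            return -1;
        total += n;
    }
    return total;
}

/* 1 when a call passing `supplied` variadic arguments matches the format,
 * 0 on a mismatch or an unknown format. A mismatch means ber_scanf() will
 * read an argument the caller never passed, as in the flaw described above. */
int ber_scanf_call_ok(const char *fmt, int supplied)
{
    int need = ber_scanf_argc(fmt);
    return need >= 0 && need == supplied;
}

int main(void)
{
    /* Constructed call sites mirroring the vulnerable call in
     * ber_decode_krb5_key_data() and the corrected form with &tag added. */
    struct { const char *fmt; int supplied; const char *what; } calls[] = {
        { "t[x]}", 0, "ber_scanf(be, \"t[x]}\")        /* vulnerable */" },
        { "t[x]}", 1, "ber_scanf(be, \"t[x]}\", &tag)  /* fixed */" },
    };
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++) {
        printf("%-48s needs %d arg(s), got %d: %s\n", calls[i].what,
               ber_scanf_argc(calls[i].fmt), calls[i].supplied,
               ber_scanf_call_ok(calls[i].fmt, calls[i].supplied)
                   ? "OK" : "MISMATCH");
    }
    return 0;
}
```

In practice the format strings and argument counts are extracted from the code base (for example with a grep for `ber_scanf(` or a compiler plugin) and fed to ber_scanf_call_ok(); any MISMATCH is a candidate for exactly the class of memory-safety bug this CVE describes. The checker deliberately returns -1 for directives it does not know rather than guessing, so unfamiliar formats surface for manual review.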
Statement: This flaw can be exploited by an unauthenticated attacker (PR:N) who could create a specially crafted "krbPrincipalKey" and send it to the IPA server (AV:N). The attack is relatively easy to conduct (AC:L), since all the attacker requires is a string which is long enough to write beyond the limits of the buffer on the stack. User interaction is required for the attack (UI:N). The end result is a crash in the IPA server causing denial of service, or in some conditions it may also result in remote code execution with the permissions of the user running the IPA server (CIA:H).
*** Bug 1752973 has been marked as a duplicate of this bug. ***
Releases 4.6.7, 4.7.4, and 4.8.3 are done for FreeIPA. The release tarballs are available in https://releases.pagure.org/freeipa.
Upstream commit: https://pagure.io/freeipa/c/e11e73abc101361c0b66b3b958a64c9c8f6c608b.patch
Acknowledgments: Name: Todd Lipcon (Cloudera)
Created freeipa tracking bugs for this issue: Affects: fedora-all [bug 1777200]
External References:
https://www.freeipa.org/page/Releases/4.6.7
https://www.freeipa.org/page/Releases/4.7.4
https://www.freeipa.org/page/Releases/4.8.3
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0378 https://access.redhat.com/errata/RHSA-2020:0378
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14867
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:1269 https://access.redhat.com/errata/RHSA-2020:1269