Bug 487685 (CVE-2009-0582) - CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-0582
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 488280 488281 488293 488439 488440 488441 488442
Blocks:
Reported: 2009-02-27 13:59 UTC by Tomas Hoger
Modified: 2019-09-29 12:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-20 07:50:54 UTC
Embargoed:


Attachments (Terms of Use)
Proposed patch from Matthew Barnes (4.54 KB, patch)
2009-02-27 14:00 UTC, Tomas Hoger


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0354 0 normal SHIPPED_LIVE Moderate: evolution-data-server security update 2009-03-16 14:36:55 UTC
Red Hat Product Errata RHSA-2009:0355 0 normal SHIPPED_LIVE Moderate: evolution and evolution-data-server security update 2009-03-16 14:47:33 UTC
Red Hat Product Errata RHSA-2009:0358 0 normal SHIPPED_LIVE Moderate: evolution security update 2009-03-16 14:54:05 UTC

Description Tomas Hoger 2009-02-27 13:59:18 UTC
It was discovered that camel's NTLM SASL authentication mechanism did not properly validate the server's challenge packets (NTLM authentication type 2 packets, [1]).  In ntlm_challenge() in camel/camel-sasl-ntlm.c, the length of the domain string that was copied from the type 2 to the type 3 packet (the client's reply to the server's challenge) was not properly validated against the rest of the data received from the server.

    /* vulnerable: the domain length is taken with atoi() from the raw packet
       bytes and is never checked against the amount of data actually received */
    ntlm_set_string (ret, NTLM_RESPONSE_DOMAIN_OFFSET,
                     token->data + NTLM_CHALLENGE_DOMAIN_OFFSET,
                     atoi (token->data + NTLM_CHALLENGE_DOMAIN_LEN_OFFSET));

The server could specify a larger length than the actual data sent in the packet, causing the client to disclose a portion of its memory, or to crash.

Note: the length value was not properly extracted from the packet either, as it is not passed as a string but as a 16-bit LE value.

[1] http://curl.haxx.se/rfc/ntlm.html#theType2Message
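The check the description calls for, as an added example (not the proposed patch and not camel's code): the type 2 domain length is read as a 16-bit LE value and the copy is refused whenever the field would reach past the token actually received. Field offsets follow the type 2 layout in [1]; the constant names, the sample challenge and its forged variant are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Fixed offsets of the NTLM type 2 message (layout per the curl reference above). */
#define NTLM_TYPE_OFFSET                 8   /* 32-bit LE message type, must be 2 */
#define NTLM_CHALLENGE_DOMAIN_LEN_OFFSET 12  /* 16-bit LE target-name length */
#define NTLM_CHALLENGE_DOMAIN_OFF_OFFSET 16  /* 32-bit LE target-name offset */
#define NTLM_TYPE2_MIN_LEN               32  /* header through the 8-byte challenge */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Locate the domain (target name) carried by a type 2 challenge. Returns 1 and fills
 * *off/*len only if the field lies entirely inside the token_len bytes received;
 * the vulnerable code took atoi() of the raw bytes and copied without this check. */
int ntlm_type2_domain(const uint8_t *token, size_t token_len, size_t *off, size_t *len)
{
    if (token_len < NTLM_TYPE2_MIN_LEN || memcmp(token, "NTLMSSP", 8) != 0) return 0;
    if (le32(token + NTLM_TYPE_OFFSET) != 2) return 0;
    size_t dlen = le16(token + NTLM_CHALLENGE_DOMAIN_LEN_OFFSET);
    size_t doff = le32(token + NTLM_CHALLENGE_DOMAIN_OFF_OFFSET);
    if (doff > token_len || dlen > token_len - doff) return 0;   /* would read past the packet */
    *off = doff; *len = dlen;
    return 1;
}

/* Constructed 60-byte challenge: domain "DOMAIN" as UTF-16LE (12 bytes) at offset 48. */
static const uint8_t sample_challenge[60] = {
    'N','T','L','M','S','S','P',0,  2,0,0,0,          /* signature, type 2 */
    12,0, 12,0, 48,0,0,0,                             /* domain: len 12, alloc 12, offset 48 */
    0x05,0x82,0x81,0x02,  1,2,3,4,5,6,7,8,            /* flags, 8-byte server nonce (both constructed) */
    0,0,0,0,0,0,0,0,  0,0,0,0,0,0,0,0,                /* context, empty target info */
    'D',0,'O',0,'M',0,'A',0,'I',0,'N',0
};

int sample_domain_ok(void) {            /* well-formed packet: accepted with off 48, len 12 */
    size_t off = 0, len = 0;
    return ntlm_type2_domain(sample_challenge, sizeof sample_challenge, &off, &len) && off == 48 && len == 12;
}
int forged_length_rejected(void) {      /* same packet, length field forged to 0xFFFF */
    uint8_t forged[sizeof sample_challenge]; size_t off, len;
    memcpy(forged, sample_challenge, sizeof forged);
    forged[NTLM_CHALLENGE_DOMAIN_LEN_OFFSET] = forged[NTLM_CHALLENGE_DOMAIN_LEN_OFFSET + 1] = 0xff;
    return !ntlm_type2_domain(forged, sizeof forged, &off, &len);
}
int truncated_rejected(void) {          /* only 40 of the 60 bytes arrived */
    size_t off, len;
    return !ntlm_type2_domain(sample_challenge, 40, &off, &len);
}
```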

Comment 1 Tomas Hoger 2009-02-27 14:00:18 UTC
Created attachment 333473 [details]
Proposed patch from Matthew Barnes

Comment 21 Tomas Hoger 2009-03-12 14:56:46 UTC
Public now via:
  http://mail.gnome.org/archives/release-team/2009-March/msg00096.html

Comment 22 errata-xmlrpc 2009-03-16 14:37:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:0354 https://rhn.redhat.com/errata/RHSA-2009-0354.html

Comment 23 errata-xmlrpc 2009-03-16 14:47:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:0355 https://rhn.redhat.com/errata/RHSA-2009-0355.html

Comment 24 errata-xmlrpc 2009-03-16 14:54:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:0358 https://rhn.redhat.com/errata/RHSA-2009-0358.html

Comment 25 Fedora Update System 2009-03-18 18:58:19 UTC
evolution-data-server-2.24.5-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make a note of it in this bug report.

Comment 26 Fedora Update System 2009-03-18 18:59:57 UTC
evolution-data-server-2.22.3-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make a note of it in this bug report.

Comment 28 Milan Crha 2009-05-19 11:22:18 UTC
See bug #501222: the NTLM authentication in IMAP seems to be broken. I'm checking with the reporter there, but want to let you know soon enough.

Comment 29 Sergey Panov 2009-06-13 06:02:02 UTC
I am using 4 different Fedora 10 machines. When this bug fix was pushed through the Fedora 10 update (evolution-data-server-2.24.5-4.fc10), it killed (one by one) password authentication with the SMTP server. The SMTP server is a Windows 2003 server running Exchange. The password type is set to NTLM/SPA.

All machines have evolution-data-server-2.24.5-5.fc10 installed. The SMTP problem is still there. At least one of the systems developed a problem similar to the one described in Comment #29: it fails to authenticate with the real (evolution exchange module) Exchange server.
