Bug 711419 - (CVE-2011-1526) CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20110705,repo...
Keywords: Security
Depends On: 713341 713342 719095 719098
Blocks: 712346 742493
Reported: 2011-06-07 09:06 EDT by Jan Lieskovsky
Modified: 2015-08-19 05:10 EDT

Doc Type: Bug Fix
Doc Text:
It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the krb5_setegid() function call. On systems where the set real, set effective, or set saved group ID system calls might fail, a remote FTP user could use this flaw to gain unauthorized read or write access to files that were owned by the root group.
Last Closed: 2012-02-21 03:47:59 EST
Description Jan Lieskovsky 2011-06-07 09:06:19 EDT
It was found that the kerberized FTP server did not properly check for the
failure to set its effective group identifier (GID). A remote, authenticated
FTP user could use this flaw to gain unauthorized read or write access to files
whose group owner was the initial effective GID of the FTP daemon process.

References:
[1] http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-005.txt
    (not public yet)
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1526

Upstream patch:
[3] http://web.mit.edu/kerberos/advisories/2011-005-patch.txt

Acknowledgements: 

Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Tim Zingelman as the original reporter.
Comment 3 Jan Lieskovsky 2011-06-07 09:12:40 EDT
This issue affects the versions of the krb5 package, as shipped with
Red Hat Enterprise Linux 4 and 5.

This issue affects the version of the krb5-appl package, as shipped with
Red Hat Enterprise Linux 6.

--

This issue affects the versions of the krb5-appl package, as shipped with
Fedora release of 14 and 15.
Comment 23 Tomas Hoger 2011-06-24 07:53:51 EDT
As noted in the upstream advisory, there are 2 issues really:

First, there was a problem introduced when splitting various kerberized applications out of krb5 sources to a separate krb5-appl packages.  A missing check in configure script caused krb5_setegid() to be incorrectly defined as always returning error without trying to change egid at all.

Second, the return value of krb5_setegid() was not checked, causing ftpd to not detect the problem and continue without changed effective group privileges.

Both problems combined resulted in users' ftpd sessions running with egid == 0, i.e. with root group privileges.  This problem affected Red Hat Enterprise Linux 6 and Fedora.

The krb5 versions in Red Hat Enterprise Linux 4 and 5 were only affected by the second problem.  This is still a potential problem, but without the first issue, there's no easy way for an attacker to trigger setegid failure.  We plan to address the return value checking problem in the future krb5 packages update in Red Hat Enterprise Linux 4 and 5.
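An added C illustration of the two problems described in Comment 23 and in the bug description (this is example code written for this page, not code from krb5-appl, MIT Kerberos or the Red Hat patch). The struct creds, setegid_ok(), setegid_broken(), session_egid_unchecked(), session_egid_checked() and drop_egid() names are invented for the example; the credentials struct simulates the process so the first four functions run without root, while drop_egid() applies the same check to the real setegid() system call.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Simulated process credentials so the example runs without root.
 * (Invented for this example; ftpd uses the real kernel credentials.)
 */
struct creds {
    gid_t egid;
};

typedef int (*setegid_fn)(struct creds *p, gid_t g);

/* Stand-in for a working krb5_setegid(): switches the effective GID, returns 0. */
int setegid_ok(struct creds *p, gid_t g)
{
    p->egid = g;
    return 0;
}

/*
 * Stand-in for the first problem from Comment 23: the configure script
 * missed its check, so krb5_setegid() ended up defined as a function that
 * reports failure without ever touching the credentials.
 */
int setegid_broken(struct creds *p, gid_t g)
{
    (void)p;
    (void)g;
    errno = ENOSYS;
    return -1;
}

/*
 * Second problem: the return value is discarded, so the session carries on
 * with whatever egid the daemon already had (0 when started as root).
 * Returns the egid the session actually runs with.
 */
gid_t session_egid_unchecked(struct creds *p, setegid_fn impl, gid_t user_gid)
{
    (void)impl(p, user_gid);          /* result ignored: the bug */
    return p->egid;
}

/*
 * Fixed pattern: a failed privilege drop is fatal for the session.
 * Returns 0 only when the egid is confirmed to be user_gid, -1 otherwise
 * (the real daemon would log the error and terminate the session).
 */
int session_egid_checked(struct creds *p, setegid_fn impl, gid_t user_gid)
{
    if (impl(p, user_gid) != 0)
        return -1;
    if (p->egid != user_gid)          /* verify; do not trust the return code alone */
        return -1;
    return 0;
}

/*
 * The same check against the real system call. An unprivileged process may
 * set its effective GID to its own real, effective or saved GID, so
 * drop_egid(getegid()) succeeds without root and exercises the check.
 */
int drop_egid(gid_t g)
{
    if (setegid(g) != 0)
        return -1;
    if (getegid() != g)
        return -1;
    return 0;
}

int main(void)
{
    struct creds proc = { 0 };        /* daemon started as root: egid 0 */
    gid_t user = 1000;                /* constructed sample user GID */
    int rc;

    printf("broken setegid, unchecked: session egid %u\n",
           (unsigned)session_egid_unchecked(&proc, setegid_broken, user));

    proc.egid = 0;
    rc = session_egid_checked(&proc, setegid_broken, user);
    printf("broken setegid, checked:   rc %d (session refused)\n", rc);

    proc.egid = 0;
    rc = session_egid_checked(&proc, setegid_ok, user);
    printf("working setegid, checked:  rc %d, egid %u\n", rc, (unsigned)proc.egid);

    printf("real setegid check on own gid: rc %d\n", drop_egid(getegid()));
    return 0;
}
```

Run as an ordinary user: the first line shows the combined RHEL 6 condition (session egid stays 0), the second shows that checking the return value turns the same failure into a refused session, and the last line shows the checked drop succeeding against the real system call.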
Comment 28 Vincent Danen 2011-07-05 13:38:38 EDT
Statement:

This issue was addressed in krb5-appl packages in Red Hat Enterprise Linux 6 via RHSA-2011:0920 and krb5 packages in Red Hat Enterprise Linux 5 via RHSA-2012:0306.

This issue is not planned to be addressed in Red Hat Enterprise Linux 4, where this issue was rated as having low security impact.
Comment 29 errata-xmlrpc 2011-07-05 14:18:24 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0920 https://rhn.redhat.com/errata/RHSA-2011-0920.html
Comment 30 Vincent Danen 2011-07-05 14:34:55 EDT
Created krb5-appl tracking bugs for this issue

Affects: fedora-all [bug 719095]
Comment 32 Vincent Danen 2012-02-07 18:02:52 EST
IssueDescription:

It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the krb5_setegid() function call. On systems where the set real, set effective, or set saved group ID system calls might fail, a remote FTP user could use this flaw to gain unauthorized read or write access to files that were owned by the root group.
Comment 33 errata-xmlrpc 2012-02-20 22:19:26 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0306 https://rhn.redhat.com/errata/RHSA-2012-0306.html
