Bug 838014 - (CVE-2012-1014) CVE-2012-1014 krb5: KDC daemon crash via de-reference of an uninitialized pointer
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20120731,repor...
Keywords: Security
Depends On: 844779
Blocks: 838017
Reported: 2012-07-06 02:41 EDT by Huzaifa S. Sidhpurwala
Modified: 2015-07-31 05:07 EDT (History)
7 users
Doc Type: Bug Fix
Last Closed: 2013-11-05 11:59:26 EST
Attachments: None
Description Huzaifa S. Sidhpurwala 2012-07-06 02:41:46 EDT
The MIT krb5 KDC daemon can dereference an uninitialized pointer while processing a malformed AS-REQ, causing the daemon to abnormally terminate. This vulnerability could theoretically lead to the execution of malicious code, but that is believed to be very difficult.

The KDC in releases krb5-1.10 and later is vulnerable to this flaw.

Reference: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
Patch: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt

Acknowledgements:
Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Emmanuel Bouillon (NCI Agency) as the original reporter of the flaw.
Comment 3 Huzaifa S. Sidhpurwala 2012-07-06 04:28:48 EDT
Looking at the patch in the advisory, it seems that in function process_as_req(), the affected code segment does not exist before version 1.10.x.

The vulnerable code segment is:

    state = malloc(sizeof(*state));
    ...
    state->session_key.contents = 0;
    state->enc_tkt_reply.authorization_data = NULL;
    ...

All members of the struct pointed to by state are set to 0, except state->inner_body, which is a pointer to a krb5_data object. An error condition in process_as_req() results in control being passed to the error handler, which de-references it and hence causes a crash.
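The following is an added example, not code from MIT krb5 or from this bug report. It models the pattern Comment 3 describes: a per-request state struct is malloc()ed and every member is assigned except one pointer, which the error handler then trusts. It places the vulnerable constructor beside a hardened one (zero the whole block with calloc(), then assign the pointer explicitly) and a NULL-safe error path. The struct layout, the krb5_data stand-in, the function names and every member name other than inner_body are assumptions; the memset() pattern and the "AS-REQ" bytes are constructed input so the example runs deterministically offline.

```c
/* Added example; not code from MIT krb5 or from this bug report.  It models
 * the partial initialisation described above: every member of a malloc()ed
 * state struct is assigned except one pointer, which the error path then
 * trusts.  The struct layout, the krb5_data stand-in and every name other
 * than inner_body are assumptions. */
#include <stdlib.h>
#include <string.h>

typedef struct { size_t length; char *data; } krb5_data;   /* stand-in */

struct as_req_state {                      /* stand-in for the per-request state */
    unsigned char *session_key_contents;   /* state->session_key.contents */
    void *authorization_data;              /* state->enc_tkt_reply.authorization_data */
    krb5_data *inner_body;                 /* the member the bug leaves unset */
};

/* Vulnerable shape: every member assigned except inner_body.  The memset is
 * constructed so the example is deterministic; real heap memory may instead
 * hold a stale pointer from an earlier request, which is what makes the
 * flaw reachable. */
struct as_req_state *as_req_state_vulnerable(void)
{
    struct as_req_state *state = malloc(sizeof(*state));
    if (state == NULL) return NULL;
    memset(state, 0xAA, sizeof(*state));   /* simulate stale heap contents */
    state->session_key_contents = 0;
    state->authorization_data = NULL;
    /* inner_body deliberately not set: this is the flaw being modelled */
    return state;
}

/* Fixed shape: zero the whole block first, so a forgotten member is a null
 * pointer rather than garbage, and assign inner_body explicitly as well. */
struct as_req_state *as_req_state_fixed(void)
{
    struct as_req_state *state = calloc(1, sizeof(*state));
    if (state == NULL) return NULL;
    state->session_key_contents = 0;
    state->authorization_data = NULL;
    state->inner_body = NULL;
    return state;
}

/* Attaches a parsed inner body (constructed bytes).  Returns 0 on success. */
int attach_inner_body(struct as_req_state *state, const char *bytes, size_t len)
{
    krb5_data *d = malloc(sizeof(*d));
    if (d == NULL) return -1;
    if ((d->data = malloc(len)) == NULL) { free(d); return -1; }
    memcpy(d->data, bytes, len);
    d->length = len;
    state->inner_body = d;
    return 0;
}

/* 1 when the inner_body slot is all-zero bytes (a null pointer).  Compares the
 * bytes instead of loading the pointer, so it is safe on garbage too. */
int inner_body_is_null(const struct as_req_state *state)
{
    unsigned char zeros[sizeof(state->inner_body)] = {0};
    return memcmp(&state->inner_body, zeros, sizeof(zeros)) == 0;
}

/* Error path shaped like the handler in the report: free the inner body, then
 * the state.  On the vulnerable state the NULL test reads garbage and the
 * frees dereference it (the crash in CVE-2012-1014), so callers must only
 * pass initialised state.  Returns 1 if a body was freed, else 0. */
int finish_as_req(struct as_req_state *state)
{
    int freed = 0;
    if (state->inner_body != NULL) {        /* krb5_free_data-style release */
        free(state->inner_body->data);
        free(state->inner_body);
        freed = 1;
    }
    free(state);
    return freed;
}

/* Returns 1: the vulnerable constructor leaves inner_body as non-null garbage. */
int demo_vulnerable_leaves_garbage(void)
{
    struct as_req_state *s = as_req_state_vulnerable();
    int garbage = s != NULL && !inner_body_is_null(s);
    free(s);                                /* never via finish_as_req() */
    return garbage;
}

/* Returns 1: the fixed constructor survives the error path with and without a body. */
int demo_fixed_is_safe(void)
{
    struct as_req_state *empty = as_req_state_fixed();
    struct as_req_state *full = as_req_state_fixed();
    int ok = empty != NULL && full != NULL && inner_body_is_null(empty)
             && attach_inner_body(full, "AS-REQ", 6) == 0;
    ok = ok && finish_as_req(empty) == 0;   /* nothing to free, no crash */
    ok = ok && finish_as_req(full) == 1;    /* body freed exactly once */
    return ok;
}
```

The two demo functions are the check a reviewer would want: the vulnerable constructor is released with a plain free() because passing it to finish_as_req() would be exactly the uninitialised dereference the report describes, while the calloc()ed state goes through the error path both with and without an inner body. The bytes comparison in inner_body_is_null() matters because loading an indeterminate pointer value is itself undefined behaviour in C, so the example never reads the garbage as a pointer.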
Comment 4 Huzaifa S. Sidhpurwala 2012-07-06 04:29:40 EDT
This issue does not affect the version of krb5 package as shipped with Fedora-16. 

This issue affects the version of krb5 package as shipped with Fedora-17.
Comment 5 Huzaifa S. Sidhpurwala 2012-07-06 04:30:46 EDT
Statement:

Not Vulnerable. This issue does not affect the version of krb5 package as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 7 Vincent Danen 2012-07-31 14:24:57 EDT
External Reference:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
Comment 8 Vincent Danen 2012-07-31 14:28:59 EDT
Created krb5 tracking bugs for this issue

Affects: fedora-17 [bug 844779]
