Bug 984669 (CVE-2013-4122) - CVE-2013-4122 cyrus-sasl: NULL pointer dereference (DoS) when glibc v.2.17 or FIPS-140 enabled Linux system used
Summary: CVE-2013-4122 cyrus-sasl: NULL pointer dereference (DoS) when glibc v.2.17 or...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-4122
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 984694
Reported: 2013-07-15 16:25 UTC by Jan Lieskovsky
Modified: 2021-02-17 07:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-17 04:56:26 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Debian BTS 716835 0 None None None Never
Novell 829456 0 None None None Never

Description Jan Lieskovsky 2013-07-15 16:25:09 UTC
Starting with glibc v2.17, the crypt() routine fails with an EINVAL return code (returning NULL) if the salt violates the specification. Additionally, on FIPS-140 enabled Linux systems, DES / MD5 algorithm encrypted passwords passed to crypt() fail with an EPERM return code (returning NULL).

Based on the above, a denial of service flaw was found in the way Cyrus SASL, the Cyrus implementation of SASL, behaved under the aforementioned conditions / environments. A remote attacker could issue a specially-crafted authentication request to cause a denial of service of the Cyrus SASL daemon services.

References:
[1] http://www.openwall.com/lists/oss-security/2013/07/12/3

Upstream patch:
[2] http://git.cyrusimap.org/cyrus-sasl/commit/?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d
[3] http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus-sasl-2.1.23-glibc217-crypt.diff
[4] http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus-sasl-2.1.26-glibc217-crypt.diff

Comment 1 Jan Lieskovsky 2013-07-15 17:00:57 UTC
This issue affects the versions of the cyrus-sasl package as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue did NOT affect the versions of the cyrus-sasl package as shipped with Fedora releases 17, 18, and 19.

Comment 7 Huzaifa S. Sidhpurwala 2013-07-17 04:34:47 UTC
This flaw in cyrus-sasl is triggered when crypt() returns NULL. Two changes in the implementation of crypt() could result in a NULL return value with errno being set.

1. Usage of invalid salt-values:

This change was introduced via the following commit:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4ba74a357376c8f8bf49487f96ae71cf2460c3f3

There is a basic check for a sane salt value and, if it is found incorrect, crypt() returns NULL. This change was not backported into the versions of glibc used in Red Hat Enterprise Linux 5 and 6.

2. Rejecting requests to encrypt a password using the MD5/DES algorithm when FIPS-140 mode is enabled:

This change was introduced via the following commit:
http://sourceware.org/git/?p=glibc.git;a=commit;h=e745142509a427ccb9b14ee94ff24f7f36f7f4b6

The versions of glibc in Red Hat Enterprise Linux are built against NSS crypto, which is FIPS compliant. Users of crypt() are allowed to use MD5 in FIPS mode, i.e. it can be used for hashing. However, the above upstream glibc commit took the conservative step of disabling any crypto routine not specifically allowed by FIPS 140-2. On the premise that the FIPS 140-2 annex forbids MD5 (and DES), and because the callers can't be controlled or audited, it was decided to block usage of MD5/DES in crypt() itself.

This change was also not backported to the version of glibc shipped with Red Hat Enterprise Linux 5 and 6.
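Both the description and Comment 7 come down to one caller-side pattern: crypt() can now return NULL with errno set (EINVAL for a salt outside the expected alphabet, EPERM for DES or MD5 under FIPS-140), and a caller that hands that result straight to strcmp() crashes the daemon. The C below is an added example, not code from cyrus-sasl or glibc: it shows the hardened caller that treats NULL as "cannot verify" and keeps errno so the two causes can be told apart. sim_crypt_glibc217, sim_set_fips_mode, verify_password and verify_last_errno are hypothetical names; the stand-in crypt only models the two NULL-returning paths named in this bug and its non-NULL outputs are constructed placeholder strings, not hashes. Passing the real crypt() from <crypt.h> (linked with -lcrypt) to verify_password exercises the same wrapper unchanged.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a password check that never dereferences a NULL crypt() result. */
enum verify_result { VERIFY_MATCH, VERIFY_MISMATCH, VERIFY_CRYPT_FAILED };

/* Same signature as glibc's crypt(3), so the real function or a stand-in can be passed in. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* --- Constructed stand-in for glibc 2.17 crypt(); an assumption, not glibc code --- */

static int sim_fips_mode = 0;                  /* stands in for /proc/sys/crypto/fips_enabled */
void sim_set_fips_mode(int on) { sim_fips_mode = on; }

/* Models only the two NULL-returning paths from the bug: EINVAL for a salt outside the
 * [a-zA-Z0-9./] alphabet (the "sane salt" check) and EPERM for DES or MD5 under FIPS-140.
 * The non-NULL results are placeholder strings, not real hashes. */
char *sim_crypt_glibc217(const char *key, const char *salt)
{
    static char out[160];
    static const char salt_alphabet[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";

    if (salt == NULL || salt[0] == '\0') { errno = EINVAL; return NULL; }

    if (salt[0] != '$') {                      /* traditional DES: two salt characters */
        if (salt[1] == '\0' || !strchr(salt_alphabet, salt[0]) || !strchr(salt_alphabet, salt[1])) {
            errno = EINVAL;                    /* e.g. "!!" or "*" from a locked shadow entry */
            return NULL;
        }
        if (sim_fips_mode) { errno = EPERM; return NULL; }
        snprintf(out, sizeof out, "%.2s<des-sim:%s>", salt, key);
        return out;
    }
    if (strncmp(salt, "$1$", 3) == 0) {        /* MD5-crypt */
        if (sim_fips_mode) { errno = EPERM; return NULL; }
        snprintf(out, sizeof out, "$1$<md5-sim:%s>", key);
        return out;
    }
    if (strncmp(salt, "$6$", 3) == 0) {        /* SHA-512-crypt: still allowed in FIPS mode */
        snprintf(out, sizeof out, "$6$<sha512-sim:%s>", key);
        return out;
    }
    errno = EINVAL;                            /* unknown "$id$" prefix */
    return NULL;
}

/* --- The pattern this bug is about, and its hardened form --- */

/* Vulnerable shape (do not use): strcmp() dereferences the NULL that crypt() now returns.
 *
 *     if (strcmp(crypt(password, stored_hash), stored_hash) == 0) ...   // crashes the daemon
 */

static int last_crypt_errno = 0;
int verify_last_errno(void) { return last_crypt_errno; }

/* Hardened check: a NULL result means "cannot verify", never "match", and the errno is kept
 * so the caller can distinguish a malformed salt (EINVAL) from a FIPS block (EPERM). */
enum verify_result verify_password(crypt_fn fn, const char *password, const char *stored_hash)
{
    last_crypt_errno = 0;
    errno = 0;
    const char *computed = fn(password, stored_hash);   /* the stored hash doubles as the salt */
    if (computed == NULL) {
        last_crypt_errno = errno;
        fprintf(stderr, "crypt() failed (%s); refusing login\n", strerror(last_crypt_errno));
        return VERIFY_CRYPT_FAILED;
    }
    return strcmp(computed, stored_hash) == 0 ? VERIFY_MATCH : VERIFY_MISMATCH;
}

int main(void)
{
    /* Constructed stored entries: a valid SHA-512 record, a locked "!!" record, an MD5 record. */
    printf("sha512 ok   -> %d\n", verify_password(sim_crypt_glibc217, "pw", "$6$<sha512-sim:pw>"));
    printf("locked \"!!\" -> %d (errno %d)\n",
           verify_password(sim_crypt_glibc217, "pw", "!!"), verify_last_errno());
    sim_set_fips_mode(1);
    printf("md5 in FIPS -> %d (errno %d)\n",
           verify_password(sim_crypt_glibc217, "pw", "$1$<md5-sim:pw>"), verify_last_errno());
    return 0;
}
```

A locked shadow entry such as "!!" or "*" is the everyday way a daemon meets the EINVAL path, so the wrapper has to fail closed there rather than crash; under FIPS mode the EPERM result is the signal to migrate the stored hashes to an allowed algorithm, not to relax the check.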

Comment 10 Huzaifa S. Sidhpurwala 2013-07-17 04:56:26 UTC
Statement:

Not Vulnerable. This issue does not affect the version of cyrus-sasl package as shipped with Red Hat Enterprise Linux 5 and 6.

