Bug 984669 - (CVE-2013-4122) CVE-2013-4122 cyrus-sasl: NULL pointer dereference (DoS) when glibc v.2.17 or FIPS-140 enabled Linux system used
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20130712,repor...
Keywords: Security
Depends On:
Blocks: 984694
Reported: 2013-07-15 12:25 EDT by Jan Lieskovsky
Modified: 2016-03-04 07:30 EST (History)
Doc Type: Bug Fix
Last Closed: 2013-07-17 00:56:26 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Novell 829456 None None None Never
Debian BTS 716835 None None None Never
Description Jan Lieskovsky 2013-07-15 12:25:09 EDT
Starting with glibc v2.17, the crypt() routine fails with the EINVAL return code (returning NULL) if the salt violates the specification. Additionally, on FIPS-140 enabled Linux systems, passwords encrypted with the DES / MD5 algorithms and passed to crypt() fail with the EPERM return code (returning NULL).

Based on the above, a denial of service flaw was found in the way Cyrus SASL, the Cyrus implementation of SASL, used to behave under the aforementioned conditions / environments. A remote attacker could issue a specially-crafted authentication request to cause a denial of service of the Cyrus SASL daemon services.

References:
[1] http://www.openwall.com/lists/oss-security/2013/07/12/3

Upstream patch:
[2] http://git.cyrusimap.org/cyrus-sasl/commit/?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d
[3] http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus-sasl-2.1.23-glibc217-crypt.diff
[4] http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus-sasl-2.1.26-glibc217-crypt.diff
Comment 1 Jan Lieskovsky 2013-07-15 13:00:57 EDT
This issue affects the versions of the cyrus-sasl package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue did NOT affect the versions of the cyrus-sasl package, as shipped with Fedora release of 17, 18, and 19.
Comment 7 Huzaifa S. Sidhpurwala 2013-07-17 00:34:47 EDT
This flaw in cyrus-sasl is triggered when crypt() returns NULL. Two changes in the implementation of crypt() could result in a NULL return value with errno being set.

1. Usage of invalid salt-values:

This change was introduced via the following commit:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4ba74a357376c8f8bf49487f96ae71cf2460c3f3

There is a basic check for a sane salt value and if found incorrect, crypt returns NULL. This change was not backported into the versions of glibc used in Red Hat Enterprise Linux 5 and 6.

2. Reject requests to encrypt passwords using the MD5/DES algorithm when FIPS-140 mode is enabled:

This change was introduced via the following commit:
http://sourceware.org/git/?p=glibc.git;a=commit;h=e745142509a427ccb9b14ee94ff24f7f36f7f4b6

The versions of glibc in Red Hat Enterprise Linux are built against NSS crypto, which is FIPS compliant. Users of crypt() are allowed to use MD5 in FIPS mode, i.e. it can be used for hashing. However, the above upstream glibc commit took the conservative step of disabling any crypto routine not specifically allowed by FIPS140-2. On the premise that the FIPS140-2 annex forbids MD5 (and DES), and because the callers can't be controlled or audited, it was decided to block usage of MD5/DES in crypt() itself.

This change was also not backported to the version of glibc shipped with Red Hat Enterprise Linux 5 and 6.
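The two failure modes described in comment 7 both surface to callers as crypt() returning NULL with errno set to EINVAL or EPERM, which is what the affected cyrus-sasl code dereferenced. The following is an added illustration (not cyrus-sasl or glibc code) of a verification routine that treats a NULL result as an explicit error instead of crashing; `salt_is_sane()` is an assumed approximation of glibc's salt check, and `stub_crypt()` is a constructed stand-in for crypt(3) so the block runs without libcrypt.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature of crypt(3); in production pass the real crypt from <crypt.h>
 * (link with -lcrypt).  A stub is used below so the example runs stand-alone. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

enum verify_result { PW_OK = 0, PW_MISMATCH = 1, PW_CRYPT_FAILED = 2 };

/* Assumed approximation of the glibc 2.17 salt sanity check (not the exact
 * upstream code): accept "$N$..." hashed formats, or a traditional two-character
 * DES salt drawn from [a-zA-Z0-9./]. */
bool salt_is_sane(const char *salt)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
    if (salt == NULL || salt[0] == '\0')
        return false;
    if (salt[0] == '$')
        return true;               /* $1$, $5$, $6$: validated by the algorithm */
    return strlen(salt) >= 2 && strchr(ok, salt[0]) && strchr(ok, salt[1]);
}

/* Verify a password without dereferencing a NULL crypt() result.  As with
 * crypt(3), the stored hash doubles as the salt argument. */
enum verify_result verify_password(crypt_fn cf, const char *password,
                                   const char *stored_hash)
{
    errno = 0;
    char *computed = cf(password, stored_hash);
    if (computed == NULL)          /* EINVAL (bad salt) or EPERM (FIPS refusal) */
        return PW_CRYPT_FAILED;    /* report, never strcmp() against NULL */
    /* strcmp() is fine for the demonstration; real code should use a
     * constant-time comparison here. */
    return strcmp(computed, stored_hash) == 0 ? PW_OK : PW_MISMATCH;
}

/* Constructed stand-in for crypt(3): rejects insane salts with EINVAL and MD5
 * ("$1$") hashes with EPERM, mirroring the two glibc behaviours in the report;
 * otherwise it "hashes" by prefixing the key with the salt (not a real hash). */
static char stub_buf[128];
char *stub_crypt(const char *key, const char *salt)
{
    if (!salt_is_sane(salt)) { errno = EINVAL; return NULL; }
    if (strncmp(salt, "$1$", 3) == 0) { errno = EPERM; return NULL; }
    snprintf(stub_buf, sizeof stub_buf, "%.2s%s", salt, key);
    return stub_buf;
}
```

With the real crypt(), `verify_password` returns PW_CRYPT_FAILED on a glibc 2.17 or FIPS-mode system for exactly the inputs that crashed the unpatched daemon.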
Comment 10 Huzaifa S. Sidhpurwala 2013-07-17 00:56:26 EDT
Statement:

Not Vulnerable. This issue does not affect the version of cyrus-sasl package as shipped with Red Hat Enterprise Linux 5 and 6.
