It was found that the kerberized FTP server did not properly check for the failure to set its effective group identifier (GID). A remote, authenticated FTP user could use this flaw to gain unauthorized read or write access to files whose group owner was the initial effective GID of the FTP daemon process.

References:
[1] http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-005.txt (not public yet)
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1526

Upstream patch:
[3] http://web.mit.edu/kerberos/advisories/2011-005-patch.txt

Acknowledgements:
Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Tim Zingelman as the original reporter.
This issue affects the versions of the krb5 package, as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the version of the krb5-appl package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the krb5-appl package, as shipped with Fedora releases 14 and 15.
As noted in the upstream advisory, there are really two issues:

First, a problem was introduced when the various kerberized applications were split out of the krb5 sources into a separate krb5-appl package. A missing check in the configure script caused krb5_setegid() to be incorrectly defined as always returning an error, without trying to change the egid at all.

Second, the return value of krb5_setegid() was not checked, so ftpd did not detect the problem and continued without changed effective group privileges.

Both problems combined resulted in users' ftpd sessions running with egid == 0, i.e. with root group privileges. This problem affected Red Hat Enterprise Linux 6 and Fedora. The krb5 versions in Red Hat Enterprise Linux 4 and 5 were only affected by the second problem. This is still a potential problem, but without the first issue there is no easy way for an attacker to trigger a setegid failure. We plan to address the return value checking problem in a future krb5 packages update in Red Hat Enterprise Linux 4 and 5.
Statement: This issue was addressed in krb5-appl packages in Red Hat Enterprise Linux 6 via RHSA-2011:0920 and krb5 packages in Red Hat Enterprise Linux 5 via RHSA-2012:0306. This issue is not planned to be addressed in Red Hat Enterprise Linux 4, where this issue was rated as having low security impact.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:0920 https://rhn.redhat.com/errata/RHSA-2011-0920.html
Created krb5-appl tracking bugs for this issue

Affects: fedora-all [bug 719095]
IssueDescription: It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the krb5_setegid() function call. On systems where the set real, set effective, or set saved group ID system calls might fail, a remote FTP user could use this flaw to gain unauthorized read or write access to files that were owned by the root group.
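The two privilege-drop shapes described in the comments above (the unchecked krb5_setegid() call that lets an ftpd session keep the daemon's initial egid, and the checked form that ends the session when the drop fails) as an added example. This is not code from MIT krb5, krb5-appl or Red Hat; the names broken_setegid, real_setegid, drop_group_unchecked and drop_group_checked are invented for this illustration. broken_setegid stands in for the krb5_setegid() that the missing configure check produced: it never calls setegid(2) and always reports failure. The setegid function is injected so the failure path can be exercised without root.

```c
/* Added example, not krb5 or Red Hat code: unchecked vs. checked group drop. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for the broken krb5_setegid(): never touches the
 * effective GID and always returns an error, as the configure bug produced. */
static int broken_setegid(gid_t gid)
{
    (void)gid;
    errno = EPERM;
    return -1;
}

/* Working variant: a thin wrapper over setegid(2). */
static int real_setegid(gid_t gid)
{
    return setegid(gid);
}

/* Vulnerable shape: the return value is discarded and the session carries on.
 * Returns the effective GID the process is actually left with, so a reader
 * can compare it with what was requested. */
static gid_t drop_group_unchecked(gid_t target, int (*seteg)(gid_t))
{
    (void)seteg(target);      /* result ignored: this is the bug */
    return getegid();
}

/* Hardened shape: check the return value, then re-read the effective GID so a
 * "successful" call that left the wrong egid is also caught. Returns 0 only
 * when the process really runs as target; the caller must treat -1 as fatal. */
static int drop_group_checked(gid_t target, int (*seteg)(gid_t))
{
    if (seteg(target) != 0)
        return -1;            /* call failed: do not continue with old egid */
    if (getegid() != target) {
        errno = EPERM;        /* call returned 0 but egid did not change */
        return -1;
    }
    return 0;
}

int main(void)
{
    gid_t start = getegid();
    gid_t wanted = start + 1;  /* any GID other than the current one */

    gid_t left = drop_group_unchecked(wanted, broken_setegid);
    printf("unchecked: wanted gid %u, still running with gid %u\n",
           (unsigned)wanted, (unsigned)left);

    int rc = drop_group_checked(wanted, broken_setegid);
    printf("checked with broken setegid: rc=%d (%s)\n",
           rc, rc ? "session must be aborted" : "ok");

    rc = drop_group_checked(start, real_setegid);
    printf("checked with working setegid to current gid: rc=%d\n", rc);
    return 0;
}
```

The second check (re-reading getegid()) is what a practitioner would want in addition to the return-value test: it catches a wrapper that reports success without doing anything, which is the other half of the failure mode this bug describes.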
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2012:0306 https://rhn.redhat.com/errata/RHSA-2012-0306.html