Bug 711419 (CVE-2011-1526) - CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1526
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 713341 713342 719095 719098
Blocks: 712346 742493
Reported: 2011-06-07 13:06 UTC by Jan Lieskovsky
Modified: 2023-05-11 17:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the krb5_setegid() function call. On systems where the set real, set effective, or set saved group ID system calls might fail, a remote FTP user could use this flaw to gain unauthorized read or write access to files that were owned by the root group.
Clone Of:
Environment:
Last Closed: 2012-02-21 08:47:59 UTC
Embargoed:




Links:
  System: Red Hat Product Errata  ID: RHSA-2011:0920  Private: 0  Priority: normal  Status: SHIPPED_LIVE  Summary: Important: krb5-appl security update  Last Updated: 2011-07-05 18:18:19 UTC
  System: Red Hat Product Errata  ID: RHSA-2012:0306  Private: 0  Priority: normal  Status: SHIPPED_LIVE  Summary: Low: krb5 security and bug fix update  Last Updated: 2012-02-21 07:24:53 UTC

Description Jan Lieskovsky 2011-06-07 13:06:19 UTC
It was found that the kerberized FTP server did not properly check for the
failure to set its effective group identifier (GID). A remote, authenticated
FTP user could use this flaw to gain unauthorized read or write access to files
whose group owner was the initial effective GID of the FTP daemon process.

References:
[1] http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-005.txt
    (not public yet)
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1526

Upstream patch:
[3] http://web.mit.edu/kerberos/advisories/2011-005-patch.txt

Acknowledgements: 

Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Tim Zingelman as the original reporter.

Comment 3 Jan Lieskovsky 2011-06-07 13:12:40 UTC
This issue affects the versions of the krb5 package, as shipped with
Red Hat Enterprise Linux 4 and 5.

This issue affects the version of the krb5-appl package, as shipped with
Red Hat Enterprise Linux 6.

--

This issue affects the versions of the krb5-appl package, as shipped with
Fedora releases 14 and 15.

Comment 23 Tomas Hoger 2011-06-24 11:53:51 UTC
As noted in the upstream advisory, there are 2 issues really:

First, there was a problem introduced when splitting various kerberized applications out of krb5 sources to a separate krb5-appl package.  A missing check in the configure script caused krb5_setegid() to be incorrectly defined as always returning an error without trying to change the egid at all.

Second, the return value of krb5_setegid() was not checked, causing ftpd to not detect the problem and continue without changed effective group privileges.

Both problems combined resulted in users' ftpd sessions running with egid == 0, i.e. with root group privileges.  This problem affected Red Hat Enterprise Linux 6 and Fedora.

The krb5 versions in Red Hat Enterprise Linux 4 and 5 were only affected by the second problem.  This is still a potential problem, but without the first issue, there's no easy way for an attacker to trigger a setegid failure.  We plan to address the return value checking problem in a future krb5 packages update in Red Hat Enterprise Linux 4 and 5.

Comment 28 Vincent Danen 2011-07-05 17:38:38 UTC
Statement:

This issue was addressed in krb5-appl packages in Red Hat Enterprise Linux 6 via RHSA-2011:0920 and krb5 packages in Red Hat Enterprise Linux 5 via RHSA-2012:0306.

This issue is not planned to be addressed in Red Hat Enterprise Linux 4, where this issue was rated as having low security impact.

Comment 29 errata-xmlrpc 2011-07-05 18:18:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0920 https://rhn.redhat.com/errata/RHSA-2011-0920.html

Comment 30 Vincent Danen 2011-07-05 18:34:55 UTC
Created krb5-appl tracking bugs for this issue

Affects: fedora-all [bug 719095]

Comment 32 Vincent Danen 2012-02-07 23:02:52 UTC
IssueDescription:

It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the krb5_setegid() function call. On systems where the set real, set effective, or set saved group ID system calls might fail, a remote FTP user could use this flaw to gain unauthorized read or write access to files that were owned by the root group.

Comment 33 errata-xmlrpc 2012-02-21 03:19:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0306 https://rhn.redhat.com/errata/RHSA-2012-0306.html
