Bug 838014 (CVE-2012-1014) - CVE-2012-1014 krb5: KDC daemon crash via de-reference of an uninitialized pointer
Summary: CVE-2012-1014 krb5: KDC daemon crash via de-reference of an uninitialized poi...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2012-1014
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 844779
Blocks: 838017
Reported: 2012-07-06 06:41 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-05-11 19:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-05 16:59:26 UTC
Embargoed:
Description Huzaifa S. Sidhpurwala 2012-07-06 06:41:46 UTC
The MIT krb5 KDC daemon can dereference an uninitialized pointer while processing a malformed AS-REQ, causing the daemon to abnormally terminate. This vulnerability could theoretically lead to the execution of malicious code, but that is believed to be very difficult.

The KDC in releases krb5-1.10 and later is vulnerable to this flaw.

Reference: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
Patch: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt

Acknowledgements:
Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Emmanuel Bouillon (NCI Agency) as the original reporter of the flaw.

Comment 3 Huzaifa S. Sidhpurwala 2012-07-06 08:28:48 UTC
Looking at the patch in the advisory, it seems that in function process_as_req(), the affected code segment does not exist before version 1.10.x.

The vulnerable code segment is:

    state = malloc(sizeof(*state));
    ...
    state->session_key.contents = 0;
    state->enc_tkt_reply.authorization_data = NULL;
    ...

All members of the struct pointed to by state are set to 0, except state->inner_body, which is a pointer to a krb5_data object. An error condition in process_as_req() results in control being passed to the error handler, which de-references it and hence causes a crash.

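The bug class described in the comment above, shown as an added illustration rather than code from MIT krb5 or the advisory patch: a per-request state struct whose pointer members are zeroed one by one, an error handler that inspects every pointer, and the one member nobody initialized. The struct and field names (body_data, as_req_state, authz_data), the `reject` flag standing in for a malformed AS-REQ, and the calloc()-based hardening are all assumptions of this example, not upstream's definitions or its actual fix.

```c
#include <stdlib.h>
/* Constructed stand-in for krb5_data; not MIT's real definition. */
typedef struct { size_t length; char *data; } body_data;

/* Simplified per-request state, modelled on the struct in process_as_req(). */
typedef struct {
    body_data *inner_body;   /* the member upstream left uninitialized */
    char *session_key;       /* stands in for session_key.contents */
    char *authz_data;        /* stands in for enc_tkt_reply.authorization_data */
} as_req_state;

/* Error handler: releases whatever the request set up so far. Every pointer
 * member must be NULL or a live allocation by the time this runs. */
static void cleanup_state(as_req_state *state) {
    if (state->inner_body != NULL) {        /* reads the pointer value */
        free(state->inner_body->data);
        free(state->inner_body);
    }
    free(state->session_key);
    free(state->authz_data);
    free(state);
}

/* Before: malloc() plus per-field zeroing that forgets inner_body. A request
 * rejected before inner_body is assigned makes cleanup_state() test an
 * uninitialized pointer: undefined behaviour that valgrind or clang's
 * -fsanitize=memory flag. Do not call with reject != 0. */
int process_as_req_before(int reject) {
    as_req_state *state = malloc(sizeof(*state));
    if (state == NULL) return -1;
    state->session_key = NULL;
    state->authz_data = NULL;
    if (reject) { cleanup_state(state); return 1; }  /* inner_body is garbage */
    state->inner_body = calloc(1, sizeof(*state->inner_body));
    cleanup_state(state);
    return 0;
}

/* After: calloc() zeroes every member, so the same early-reject path hands
 * the handler a NULL inner_body and the check in cleanup_state() skips it. */
int process_as_req_after(int reject) {
    as_req_state *state = calloc(1, sizeof(*state));
    if (state == NULL) return -1;
    if (reject) { cleanup_state(state); return 1; }  /* inner_body == NULL */
    state->inner_body = calloc(1, sizeof(*state->inner_body));
    if (state->inner_body == NULL) { cleanup_state(state); return -1; }
    cleanup_state(state);
    return 0;
}
```

Zero-filling the whole allocation removes the per-field bookkeeping that let one member slip through, and running the early-reject path under valgrind or MemorySanitizer is the check that would have caught the original omission.
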
Comment 4 Huzaifa S. Sidhpurwala 2012-07-06 08:29:40 UTC
This issue does not affect the version of krb5 package as shipped with Fedora-16. 

This issue affects the version of krb5 package as shipped with Fedora-17.

Comment 5 Huzaifa S. Sidhpurwala 2012-07-06 08:30:46 UTC
Statement:

Not Vulnerable. This issue does not affect the version of krb5 package as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 7 Vincent Danen 2012-07-31 18:24:57 UTC
External Reference:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt

Comment 8 Vincent Danen 2012-07-31 18:28:59 UTC
Created krb5 tracking bugs for this issue

Affects: fedora-17 [bug 844779]