1030743 – (CVE-2013-1417) CVE-2013-1417 krb5: KDC null deref due to referrals

Bug 1030743 (CVE-2013-1417) - CVE-2013-1417 krb5: KDC null deref due to referrals

Summary: CVE-2013-1417 krb5: KDC null deref due to referrals

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2013-1417
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1030744 1030745
Blocks:
TreeView+	depends on / blocked

Reported:	2013-11-15 04:03 UTC by Vincent Danen
Modified:	2021-02-17 07:11 UTC (History)
CC List:	8 users (show)
Fixed In Version:	krb5 1.11.4
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-07-29 13:45:31 UTC
Embargoed:

Attachments	(Terms of Use)

Description Vincent Danen 2013-11-15 04:03:44 UTC

From the upstream commit [1]:

An authenticated remote client can cause a KDC to crash by making a
valid TGS-REQ to a KDC serving a realm with a single-component name.
The process_tgs_req() function dereferences a null pointer because an
unusual failure condition causes a helper function to return success.

While attempting to provide cross-realm referrals for host-based
service principals, the find_referral_tgs() function could return a
TGS principal for a zero-length realm name (indicating that the
hostname in the service principal has no known realm associated with
it).

Subsequently, the find_alternate_tgs() function would attempt to
construct a path to this empty-string realm, and return success along
with a null pointer in its output parameter.  This happens because
krb5_walk_realm_tree() returns a list of length one when it attempts
to construct a transit path between a single-component realm and the
empty-string realm.  This list causes a loop in find_alternate_tgs()
to iterate over zero elements, resulting in the unexpected output of a
null pointer, which process_tgs_req() proceeds to dereference because
there is no error condition.

Add an error condition to find_referral_tgs() when
krb5_get_host_realm() returns an empty realm name.  Also add an error
condition to find_alternate_tgs() to handle the length-one output from
krb5_walk_realm_tree().

The vulnerable configuration is not likely to arise in practice.
(Realm names that have a single component are likely to be test
realms.)  Releases prior to krb5-1.11 are not vulnerable.

[1] https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc

Comment 1 Vincent Danen 2013-11-15 04:05:42 UTC

This only affects Fedora 19 as Fedora 18 ships with an older version (pre 1.11.x).


Statement:

Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 3 Vincent Danen 2013-11-15 04:06:47 UTC

Created krb5 tracking bugs for this issue:

Affects: fedora-19 [bug 1030744]

Comment 4 Fedora Update System 2013-11-18 21:07:46 UTC

krb5-1.11.3-32.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2013-12-03 10:37:29 UTC

krb5-1.11.3-13.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.