Bug 1116180 (CVE-2014-4341) - CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext
Summary: CVE-2014-4341 krb5: denial of service flaws when handling padding length long...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-4341
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1116181 1121509 1121510 1121511
Blocks: 1063682 1101912 1116197 1121513
TreeView+ depends on / blocked
 
Reported: 2014-07-04 01:54 UTC by Murray McAllister
Modified: 2021-02-17 06:25 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A buffer over-read flaw was found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use this flaw to crash the application.
Clone Of:
Environment:
Last Closed: 2015-03-06 10:06:27 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1245 0 normal SHIPPED_LIVE Moderate: krb5 security and bug fix update 2014-09-16 09:28:35 UTC
Red Hat Product Errata RHSA-2014:1389 0 normal SHIPPED_LIVE Moderate: krb5 security and bug fix update 2014-10-14 01:27:10 UTC
Red Hat Product Errata RHSA-2015:0439 0 normal SHIPPED_LIVE Moderate: krb5 security, bug fix and enhancement update 2015-03-05 14:38:14 UTC

Description Murray McAllister 2014-07-04 01:54:50 UTC 
Flaws were found in the way MIT Kerberos handled RFC 1964 tokens. A man-in-the-middle attacker able to inject packets into an application's GSS-API session could use this flaw to crash the application.

References:

http://diswww.mit.edu:8008/menelaus.mit.edu/cvs-krb5/28388
https://github.com/krb5/krb5/commit/fb99962cbd063ac04c9a9d2cc7c75eab73f3533d
Comment 1 Murray McAllister 2014-07-04 01:57:00 UTC 
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1116181]
Comment 6 Huzaifa S. Sidhpurwala 2014-07-17 08:28:32 UTC 
There are two distinct flaws in krb5:

CVE-2014-4341: Affects all shipped versions of krb5 package.
CVE-2014-4342: Affects only krb5-1.7 and later.

Hence it makes more sense to split this bug into two parts.

We will use this flaw for CVE-2014-4341.

In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.
Comment 7 Huzaifa S. Sidhpurwala 2014-07-17 08:36:07 UTC 
CVE-2014-4342 is now filed as https://bugzilla.redhat.com/show_bug.cgi?id=1120581
Comment 8 Siddharth Sharma 2014-07-17 09:40:28 UTC 
 A remote unauthenticated attacker is able to send a specially crafted packet to crash a Kerberos server. The kg_unseal_v1 and kg_unseal_v1_iov functions in GSSAPI are reachable externally and do not handle issues like checking for header length less than 22 bytes, shorter ciphertext than the confounder and declared padding length longer than the plaintext.
Comment 9 Siddharth Sharma 2014-07-17 10:20:48 UTC 
Statement:

(none)
Comment 11 Fedora Update System 2014-08-07 15:27:04 UTC 
krb5-1.11.3-24.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2014-08-07 15:32:43 UTC 
krb5-1.11.5-10.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Martin Prpič 2014-09-09 09:47:21 UTC 
IssueDescription:

A buffer over-read flaw was found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use this flaw to crash the application.
Comment 14 errata-xmlrpc 2014-09-16 05:29:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1245 https://rhn.redhat.com/errata/RHSA-2014-1245.html
Comment 15 errata-xmlrpc 2014-10-14 08:10:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1389 https://rhn.redhat.com/errata/RHSA-2014-1389.html
Comment 19 errata-xmlrpc 2015-03-05 10:00:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0439 https://rhn.redhat.com/errata/RHSA-2015-0439.html
Note You need to log in before you can comment on or make changes to this bug.