Bug 1766920 (CVE-2019-14867) - CVE-2019-14867 ipa: Denial of service in IPA server due to wrong use of ber_scanf()
Keywords:
Status: NEW
Alias: CVE-2019-14867
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1752973
Depends On: 1767300 1767302 1767303 1767304 1777200
Blocks: 1766921
Reported: 2019-10-30 09:50 UTC by Dhananjay Arunesh
Modified: 2019-12-09 02:01 UTC

Fixed In Version: FreeIPA 4.6.7, FreeIPA 4.7.4, FreeIPA 4.8.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the internal function ber_scanf() was used in some components of the IPA server which parsed Kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or, in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.
Clone Of:
Environment:
Last Closed:



Description Dhananjay Arunesh 2019-10-30 09:50:01 UTC
A flaw was found in the way the internal function ber_scanf() was used in some components of the IPA server which parsed Kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or, in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.

Comment 2 Huzaifa S. Sidhpurwala 2019-10-31 05:16:18 UTC
Technical details and analysis:

In ber_decode_krb5_key_data(), there is a call to ber_scanf to skip over unsupported sk2params:

    if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
        /* not supported yet, skip */
        retag = ber_scanf(be, "t[x]}");
    } else {

This 'ber_scanf' call is missing a '&tag' argument, meaning that it ends up overwriting memory at whatever address happens to be on the stack.

This might be a security issue since the tag that gets stored is user-controlled data, though the pointer getting stored to probably is not easy to control. 

Looking at the way pointers are arranged on the stack for this function, it may be difficult to overwrite a pointer and achieve code execution. Also, the function is protected by SSP, therefore RCE may be difficult to achieve.
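
As an added example (not code from this bug report or from FreeIPA): a small checker for the rule the analysis above relies on. Every 't' in a ber_scanf() format makes the function read a ber_tag_t * from its variadic arguments, so a call that passes fewer arguments than its format consumes writes the decoded tag through whatever va_arg happens to return. The script counts the arguments a format string needs against those the call passes and flags the mismatch on a constructed sample; it assumes single-line calls and a subset of the lber-decode(3) directive table, which you should verify against the manual page of your liblber version.

```python
import re

# Pointer arguments each ber_scanf() directive pulls via va_arg (OpenLDAP
# lber-decode(3)); a deliberate subset, so an unlisted directive is reported, not guessed.
BER_SCANF_ARGS = {"a": 1, "b": 1, "e": 1, "i": 1, "l": 1, "m": 1, "n": 0, "o": 1,
                  "O": 1, "s": 2, "t": 1, "T": 1, "x": 0, "{": 0, "}": 0, "[": 0, "]": 0}
# Single-line calls only: ber_scanf(<ber>, "<fmt>" <rest of the call ...>
CALL = re.compile(r'ber_scanf\s*\(\s*[^,]+,\s*"([^"]*)"(.*)')

def expected_args(fmt):
    # Raises KeyError on a directive outside the table above.
    return sum(BER_SCANF_ARGS[ch] for ch in fmt)

def count_call_args(rest):
    # Split the text after the format string on top-level commas, up to the call's ')'.
    depth, pieces, cur = 0, [], ""
    for ch in rest.lstrip().lstrip(","):
        if ch == ")" and depth == 0:
            break
        if ch == "," and depth == 0:
            pieces.append(cur)
            cur = ""
        else:
            depth += (ch == "(") - (ch == ")")
            cur += ch
    pieces.append(cur)
    return sum(1 for p in pieces if p.strip())

def check_ber_scanf(source):
    # (line number, message) for every call whose argument count disagrees with its format.
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        m = CALL.search(line)
        if not m:
            continue
        try:
            want = expected_args(m.group(1))
        except KeyError as err:
            findings.append((n, f"unknown ber_scanf directive {err}"))
            continue
        got = count_call_args(m.group(2))
        if got != want:
            findings.append((n, f"{m.group(1)!r} needs {want} pointer argument(s), call passes {got}"))
    return findings

# Constructed sample built around the call quoted in comment 2; only line 1 is flawed.
SAMPLE_SOURCE = """\
retag = ber_scanf(be, "t[x]}");          /* 't' wants a ber_tag_t *, but none is passed */
retag = ber_scanf(be, "t[x]}", &tag);    /* corrected form: the tag has somewhere to land */
retag = ber_scanf(be, "{s", buf, &len);  /* 's' consumes two arguments: buffer and length */
"""
```

Running check_ber_scanf(SAMPLE_SOURCE) reports only the first line; a real audit would feed it the source files that call ber_scanf() and treat any finding as a candidate stack write.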

Comment 3 Huzaifa S. Sidhpurwala 2019-10-31 05:23:19 UTC
Statement:

This flaw can be exploited by an unauthenticated attacker (PR:N) who could create a specially crafted "krbPrincipalKey" and send it to the IPA server (AV:N). The attack is relatively easy to conduct (AC:L), since all the attacker requires is a string which is long enough to write beyond the limits of the buffer on the stack. User interaction is required for the attack (UI:N). The end result is a crash in the IPA server causing denial of service, or in some conditions it may also result in remote code execution with the permissions of the user running the IPA server (CIA:H).

Comment 5 Huzaifa S. Sidhpurwala 2019-11-01 10:38:49 UTC
*** Bug 1752973 has been marked as a duplicate of this bug. ***

Comment 6 Alexander Bokovoy 2019-11-26 13:55:02 UTC
Releases 4.6.7, 4.7.4, and 4.8.3 are done for FreeIPA. The release tarballs are available in https://releases.pagure.org/freeipa.

Comment 7 Huzaifa S. Sidhpurwala 2019-11-27 06:29:56 UTC
Upstream commit: https://pagure.io/freeipa/c/e11e73abc101361c0b66b3b958a64c9c8f6c608b.patch

Comment 8 Huzaifa S. Sidhpurwala 2019-11-27 06:30:00 UTC
Acknowledgments:

Name: Todd Lipcon (Cloudera)

Comment 9 Huzaifa S. Sidhpurwala 2019-11-27 06:31:04 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1777200]

