Bug 1766920 (CVE-2019-14867) - CVE-2019-14867 ipa: Denial of service in IPA server due to wrong use of ber_scanf()
Status: CLOSED ERRATA
Alias: CVE-2019-14867
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 1752973
Depends On: 1767300 1767302 1767303 1767304 1777200 1789681
Blocks: 1766921
Reported: 2019-10-30 09:50 UTC by Dhananjay Arunesh
Modified: 2020-04-01 09:30 UTC (History)

Fixed In Version: FreeIPA 4.6.7, FreeIPA 4.7.4, FreeIPA 4.8.3
Doc Text:
A flaw was found in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.
Last Closed: 2020-02-04 20:09:39 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0378 None None None 2020-02-04 19:32:15 UTC
Red Hat Product Errata RHSA-2020:1269 None None None 2020-04-01 09:30:01 UTC

Description Dhananjay Arunesh 2019-10-30 09:50:01 UTC
A flaw was found in the way the internal function ber_scanf() was used in some components of the IPA server which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key, could cause the IPA server to crash or in some conditions cause arbitrary code to be executed on the server hosting the IPA server.

Comment 2 Huzaifa S. Sidhpurwala 2019-10-31 05:16:18 UTC
Technical details and analysis:

In ber_decode_krb5_key_data(), there is a call to ber_scanf to skip over unsupported sk2params:

    if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
        /* not supported yet, skip */
        retag = ber_scanf(be, "t[x]}");
    } else {

This 'ber_scanf' call is missing a '&tag' argument, meaning that it ends up overwriting memory at whatever address happens to be on the stack.

This might be a security issue since the tag that gets stored is user-controlled data, though the pointer getting stored to probably is not easy to control. 

Looking at the way pointers are arranged on the stack for this function, it may be difficult to overwrite a pointer and achieve code execution. Also the function is protected by SSP therefore RCE may be difficult to achieve.
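
Added example, not part of the bug report or of FreeIPA's code: a small arity check that counts how many output pointers a ber_scanf() format string consumes, so a call site like the one quoted in comment 2 can be flagged in review. It covers a subset of the specifiers documented in OpenLDAP's lber-decode(3); the `call_site` records and their hand-counted `supplied` values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count the output-pointer arguments a ber_scanf() format string consumes.
 * Covers a subset of the specifiers documented in OpenLDAP's lber-decode(3);
 * any other character returns -1 so the call gets manual review. */
int ber_scanf_ptr_args(const char *fmt)
{
    int n = 0;
    for (; *fmt; fmt++) {
        if (strchr("{}[]xn", *fmt))               /* structure, skip, null: no argument */
            continue;
        if (strchr("aAOombeilvVWtT", *fmt))       /* one output pointer */
            n += 1;
        else if (strchr("sB", *fmt))              /* value pointer plus length pointer */
            n += 2;
        else
            return -1;
    }
    return n;
}

/* Hypothetical inventory record: "supplied" is counted by hand from the source. */
struct call_site { const char *where; const char *fmt; int supplied; };

/* 1 when the format is unknown or needs a different number of pointers. */
int call_is_suspect(const struct call_site *c)
{
    int need = ber_scanf_ptr_args(c->fmt);
    return need < 0 || need != c->supplied;
}

int main(void)
{
    /* Constructed sample data; the first entry mirrors the call quoted above. */
    static const struct call_site sites[] = {
        { "sk2params skip, no pointer passed", "t[x]}", 0 },
        { "same format with a ber_tag_t * passed", "t[x]}", 1 },
        { "integer inside a sequence (hypothetical)", "{i}", 1 },
    };
    for (size_t i = 0; i < sizeof sites / sizeof sites[0]; i++)
        printf("%-42s \"%s\" needs %d, has %d: %s\n", sites[i].where, sites[i].fmt,
               ber_scanf_ptr_args(sites[i].fmt), sites[i].supplied,
               call_is_suspect(&sites[i]) ? "MISMATCH" : "ok");
    return 0;
}
```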

Comment 3 Huzaifa S. Sidhpurwala 2019-10-31 05:23:19 UTC
Statement:

This flaw can be exploited by an unauthenticated attacker (PR:N) who could create a specially crafted "krbPrincipalKey" and send it to the IPA server (AV:N). The attack is relatively easy to conduct (AC:L), since all the attacker requires is a string which is long enough to write beyond the limits of the buffer on the stack. User interaction is required for the attack (UI:N). The end result is a crash in the IPA server causing denial of service, or in some conditions it may also result in remote code execution with the permissions of the user running the IPA server (CIA:H).

Comment 5 Huzaifa S. Sidhpurwala 2019-11-01 10:38:49 UTC
*** Bug 1752973 has been marked as a duplicate of this bug. ***

Comment 6 Alexander Bokovoy 2019-11-26 13:55:02 UTC
Releases 4.6.7, 4.7.4, and 4.8.3 are done for FreeIPA. The release tarballs are available in https://releases.pagure.org/freeipa.

Comment 7 Huzaifa S. Sidhpurwala 2019-11-27 06:29:56 UTC
Upstream commit: https://pagure.io/freeipa/c/e11e73abc101361c0b66b3b958a64c9c8f6c608b.patch

Comment 8 Huzaifa S. Sidhpurwala 2019-11-27 06:30:00 UTC
Acknowledgments:

Name: Todd Lipcon (Cloudera)

Comment 9 Huzaifa S. Sidhpurwala 2019-11-27 06:31:04 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1777200]

Comment 12 errata-xmlrpc 2020-02-04 19:32:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0378 https://access.redhat.com/errata/RHSA-2020:0378

Comment 13 Product Security DevOps Team 2020-02-04 20:09:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14867

Comment 16 errata-xmlrpc 2020-04-01 09:29:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1269 https://access.redhat.com/errata/RHSA-2020:1269

