1901041 – (CVE-2020-28196) CVE-2020-28196 krb5: unbounded recursion via an ASN.1-encoded Kerberos message in lib/krb5/asn.1/asn1_encode.c may lead to DoS

Bug 1901041 (CVE-2020-28196) - CVE-2020-28196 krb5: unbounded recursion via an ASN.1-encoded Kerberos message in lib/krb5/asn.1/asn1_encode.c may lead to DoS

Summary: CVE-2020-28196 krb5: unbounded recursion via an ASN.1-encoded Kerberos messag...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-28196
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1902657 1906492
Blocks:	1901042
TreeView+	depends on / blocked

Reported:	2020-11-24 10:55 UTC by Marian Rehak
Modified:	2021-06-16 15:49 UTC (History)
CC List:	24 users (show)
Fixed In Version:	krb5 1.17.2, krb5 1.18.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in krb5. MIT Kerberos 5 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
Clone Of:
Environment:
Last Closed:	2021-05-18 14:36:14 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2020-11-24 10:55:14 UTC

MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.

Upstream Reference:

https://krbdev.mit.edu/rt/Ticket/Display.html?id=8959

Comment 1 Stefan Cornelius 2020-11-24 12:30:54 UTC

Patch:
https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd

Comment 5 Sandro Bonazzola 2020-12-02 08:47:55 UTC

Any plan to get this fixed in RHEL 8? I see 1.18.2 shipped in RHEL 8.3 so it should be affected right?

Comment 12 errata-xmlrpc 2021-05-18 13:32:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1593 https://access.redhat.com/errata/RHSA-2021:1593

Comment 13 Product Security DevOps Team 2021-05-18 14:36:14 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28196

Comment 14 errata-xmlrpc 2021-06-03 10:24:21 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2239 https://access.redhat.com/errata/RHSA-2021:2239

Note You need to log in before you can comment on or make changes to this bug.

csutherl
dfediuck
dpal
eedri
fdvorak
gzaronik
jclere
jplans
jwon
krathod
lgao
mbabacek
mgoldboi
michal.skrivanek
mturk
myarboro
nalin
pjindal
rharwood
sbonazzo
scorneli
security-response-team
sherold
weli