2230178 – (CVE-2023-36054) CVE-2023-36054 krb5: Denial of service through freeing uninitialized pointer

Bug 2230178 (CVE-2023-36054) - CVE-2023-36054 krb5: Denial of service through freeing uninitialized pointer

Summary: CVE-2023-36054 krb5: Denial of service through freeing uninitialized pointer

Keywords:
Status:	NEW
Alias:	CVE-2023-36054
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2229113 2230179 2230181 2230182
Blocks:	2230180
TreeView+	depends on / blocked

Reported:	2023-08-08 20:17 UTC by Pedro Sampaio
Modified:	2024-03-18 13:08 UTC (History)
CC List:	52 users (show)
Fixed In Version:	krb5 1.20.2, krb5 1.21.1
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in the _xdr_kadm5_principal_ent_rec() function in lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (krb5). This issue occurs due to lack of validation in the relationship between n_key_data and the key_data array count, leading to the freeing of uninitialized pointers. This may allow a remote authenticated attacker to send a specially crafted request that causes the kadmind process to crash, resulting in a denial of service (DoS).
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:6699	0	None	None	None	2023-11-07 08:22:40 UTC

Description Pedro Sampaio 2023-08-08 20:17:11 UTC

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

References:

https://web.mit.edu/kerberos/www/advisories/
https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final
https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final

Comment 1 Pedro Sampaio 2023-08-08 20:17:41 UTC

Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 2230179]

Comment 7 errata-xmlrpc 2023-11-07 08:22:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6699 https://access.redhat.com/errata/RHSA-2023:6699

Note You need to log in before you can comment on or make changes to this bug.

acrosby
adudiak
agarcial
aoconnor
asegurap
asoldano
bbaranow
bdettelb
bmaxwell
brian.stansberry
caswilli
cdewolf
chazlett
darran.lofthouse
dhalasz
dkreling
dkuc
dosoudil
fjansen
fjuma
hkataria
ivassile
iweiss
jburrell
jmitchel
jplans
jrische
jsamir
jsherril
jtanner
kaycoth
kshier
lgao
mosmerov
msochure
mstefank
msvehla
nalin
nwallace
nweather
pjindal
pmackay
psegedy
rstancel
smaestri
stcannon
sthirugn
tcarlin
tom.jenkinson
vkrizan
vmugicag
yguenane