MITKRB5-SA-2009-001

MIT krb5 Security Advisory 2009-001
Original release: 2009-04-07
Last update: 2009-04-07

Topic: multiple vulnerabilities in SPNEGO, ASN.1 decoder

[CVE-2009-0844] SPNEGO implementation can read beyond buffer end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      8.5
Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Partial
Integrity Impact:       None
Availability Impact:    Complete
CVSSv2 Temporal Score:  6.7
Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

[CVE-2009-0845] SPNEGO implementation can dereference a null pointer

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

[CVE-2009-0847] ASN.1 decoder incorrect length validation

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

See DETAILS for the expanded CVSSv2 metrics for CVE-2009-0845 and CVE-2009-0847.

SUMMARY
=======

These are implementation vulnerabilities in MIT krb5, and not vulnerabilities in the Kerberos protocol.

[CVE-2009-0844] The MIT krb5 implementation of the SPNEGO GSS-API mechanism can read beyond the end of a network input buffer. This can cause a GSS-API application to crash by reading from invalid address space. Under theoretically possible but very unlikely conditions, a small information leak may occur. We believe that no successful exploit exists that could induce an information leak.

[CVE-2009-0845] The MIT krb5 implementation of the SPNEGO GSS-API mechanism can dereference a null pointer under error conditions. This can cause a GSS-API application to crash. This vulnerability was previously publicly disclosed.

[CVE-2009-0847] MIT krb5 can perform an incorrect length check inside an ASN.1 decoder. This only presents a problem in the PK-INIT code paths.
In the MIT krb5 KDC or kinit program, this could lead to spurious malloc() failures or, under some conditions, a program crash. We have heard reports of the spurious malloc() failures, but nobody has yet publicly made the connection to a security issue.

IMPACT
======

[CVE-2009-0844] An unauthenticated, remote attacker could cause a GSS-API application, including the Kerberos administration daemon (kadmind), to crash. Under extremely unlikely conditions, there may be a theoretical possibility of a small information disclosure.

[CVE-2009-0845] An unauthenticated, remote attacker could cause a GSS-API application, including the Kerberos administration daemon (kadmind), to crash.

[CVE-2009-0847] An unauthenticated, remote attacker could cause a KDC or kinit program to crash.

AFFECTED SOFTWARE
=================

[CVE-2009-0844 CVE-2009-0845]

* kadmind in MIT releases krb5-1.5 and later

* FTP daemon in MIT releases krb5-1.5 and later

* Third-party software using the GSS-API library from MIT krb5 releases krb5-1.5 and later

* MIT releases prior to krb5-1.5 did not contain the vulnerable code.

[CVE-2009-0847]

* The kinit program and the KDC from MIT krb5 release krb5-1.6.3. Prior releases contained the vulnerable code, but the vulnerability was masked due to operations performed by other code.

FIXES
=====

* The upcoming krb5-1.7 and krb5-1.6.4 releases will contain fixes for these vulnerabilities.
* Apply the patch, available at

  http://web.mit.edu/kerberos/advisories/2009-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2009-001-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

  http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

  http://web.mit.edu/kerberos/index.html

CVSSv2:

  http://www.first.org/cvss/cvss-guide.html
  http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2009-0844
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0844

CVE: CVE-2009-0845
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845

CVE: CVE-2009-0847
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0847

CERT: VU#662091
  http://www.kb.cert.org/vuls/id/662091

  http://krbdev.mit.edu/rt/Ticket/Display.html?id=6402

ACKNOWLEDGMENTS
===============

CVE-2009-0844 was discovered by Product Security at Apple, Inc. We thank Apple and Sun for suggesting improvements to the patches.

CONTACT
=======

The MIT Kerberos Team security contact address is . When sending sensitive information, please PGP-encrypt it using the following key:

pub   2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid                  MIT Kerberos Team Security Contact

DETAILS
=======

[CVE-2009-0844]

The get_input_token() function in the SPNEGO implementation can read beyond the end of a network input buffer. A length encoding that decodes to a value exceeding the number of remaining bytes in the input buffer will cause the function to copy memory past the end of the input buffer.
[CVE-2009-0845]

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete
CVSSv2 Temporal Score:  6.1
Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The spnego_gss_accept_sec_context() function in the GSS-API SPNEGO implementation can dereference a null pointer under error conditions. Cleanup code in this function can call the helper function make_spnego_tokenTarg_msg() without first confirming that the value of the "sc" variable is not null, thus causing a null pointer dereference.

[CVE-2009-0847]

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete
CVSSv2 Temporal Score:  6.1
Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The asn1buf_imbed() function incorrectly checks lengths by comparing pointers after performing pointer arithmetic using an unchecked input length. In addition, the functions asn1buf_remove_charstring() and asn1buf_remove_octetstring() rely on an invariant that is violated when asn1buf_imbed() incorrectly validates lengths, performing pointer arithmetic using the invalid length. Consequently, malloc() receives a very large number as its argument. If the malloc() call somehow succeeds, the copy from the input buffer is likely to cross unmapped address space, causing a crash.

Prior to the implementation of PK-INIT, the vulnerability was masked because no ASN.1 decoder used asn1buf_remove_charstring() or asn1buf_remove_octetstring() immediately following the use of asn1buf_imbed(). Protocol elements of PK-INIT require this sequence of calls in the decoder, unmasking the latent vulnerability.
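As an added illustration, not code from MIT krb5, the length-check pattern this section describes for asn1buf_imbed() and get_input_token(): an unsafe check that does pointer arithmetic with the untrusted length before comparing, beside the corrected form that compares the length against the remaining byte count first. The inbuf_t type, read_string() and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a decoder input buffer: [next, bound) is the
 * unread region, and next <= bound is the invariant the decoder relies on. */
typedef struct {
    const unsigned char *next;   /* first unread byte */
    const unsigned char *bound;  /* one past the last valid byte */
} inbuf_t;

static size_t inbuf_remaining(const inbuf_t *b) {
    return (size_t)(b->bound - b->next);
}

/* The broken pattern: arithmetic on the untrusted length happens first, so a
 * huge length wraps (or points outside the object) and the compare passes.
 * Integer arithmetic is used here so the wraparound is well defined to show. */
int length_check_unsafe(const inbuf_t *b, size_t len) {
    uintptr_t end = (uintptr_t)b->next + len;   /* may wrap around */
    return end <= (uintptr_t)b->bound;          /* 1 = accepted */
}

/* The corrected pattern: no arithmetic on the input until it is known to fit. */
int length_check_safe(const inbuf_t *b, size_t len) {
    return len <= inbuf_remaining(b);           /* 1 = accepted */
}

/* Consume one element: a 1-byte length (simplified encoding) then `len` bytes.
 * Returns 0 on success, -1 if the element would run past the buffer. */
int read_string(inbuf_t *b, const unsigned char **out, size_t *out_len) {
    if (inbuf_remaining(b) < 1) return -1;
    size_t len = b->next[0];
    b->next += 1;
    if (!length_check_safe(b, len)) return -1;  /* truncated or oversized */
    *out = b->next; *out_len = len;
    b->next += len;
    return 0;
}

/* Constructed sample: "abc" (length 3), then an element claiming 5 bytes
 * when only 1 byte remains, the way a malformed PK-INIT element would. */
static const unsigned char sample[] = { 3, 'a', 'b', 'c', 5, 'x' };

/* Number of elements accepted before the decoder rejects the bad length. */
int demo_decode(void) {
    inbuf_t b = { sample, sample + sizeof sample };
    const unsigned char *s; size_t n; int count = 0;
    while (read_string(&b, &s, &n) == 0) count++;
    return count;                               /* expected: 1 */
}

/* 1 when the unsafe check accepts a wrapped length that the safe check rejects. */
int demo_wrap(void) {
    inbuf_t b = { sample, sample + sizeof sample };
    return length_check_unsafe(&b, SIZE_MAX) == 1 && length_check_safe(&b, SIZE_MAX) == 0;
}
```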
REVISION HISTORY
================

2009-04-07 original release

Copyright (C) 2009 Massachusetts Institute of Technology