-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-007 MIT krb5 Security Advisory 2011-007 Original release: 2011-12-06 Last update: 2011-12-06 Topic: KDC null pointer dereference in TGS handling CVE-2011-1530 KDC null pointer dereference in TGS handling CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 6.8 Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 5.9 Exploitability: High Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= In releases krb5-1.9 and later, the KDC can crash due to a null pointer dereference in code that handles TGS (Ticket Granting Service) requests. The trigger condition is trivial to produce using unmodified client software, but requires the ability to authenticate as a principal in the KDC's realm. IMPACT ====== An authenticated remote attacker can crash a KDC via null pointer dereference. AFFECTED SOFTWARE ================= * The KDC in krb5-1.9 and later is vulnerable. Earlier releases predate the internal interface changes that led to this vulnerability. FIXES ===== * Workaround: restart the KDC when it crashes, possibly using an automated monitoring process. * Apply the patch: diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index f46cad3..102fbaa 100644 - --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -67,6 +67,7 @@ check-unix:: rtest check-pytests:: $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS) install:: $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index c169c54..840a2ef 100644 - --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -243,7 +243,8 @@ tgt_again: if (!tgs_1 || !data_eq(*server_1, *tgs_1)) { errcode = find_alternate_tgs(request, &server); firstpass = 0; - - goto tgt_again; + if (errcode == 0) + goto tgt_again; } } status = "UNKNOWN_SERVER"; diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py new file mode 100644 index 0000000..1760bcd - --- /dev/null +++ b/src/kdc/t_emptytgt.py @@ -0,0 +1,8 @@ +#!/usr/bin/python +from k5test import * + +realm = K5Realm(start_kadmind=False, create_host=False) +output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1) +if 'not found in Kerberos database' not in output: + fail('TGT lookup for empty realm failed in unexpected way') +success('Empty tgt lookup.') This patch is also available at http://web.mit.edu/kerberos/advisories/2011-007-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2011-007-patch.txt.asc REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: CVE-2011-1530 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1530 ACKNOWLEDGMENTS =============== Simo Sorce discovered this vulnerability. CONTACT ======= The MIT Kerberos Team security contact address is . When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01] uid MIT Kerberos Team Security Contact DETAILS ======= The process_tgs_req() function in the KDC has logic that attempts to find an alternative service principal if the service principal in the client's TGS-REQ is unknown. If the find_alternate_tgs() helper function returns an error that is not KRB5_KDB_NOENTRY, it leaves the server variable holding a null pointer. The process_tgs_req() function improperly ignores that error, and proceeds to call functions that dereference the null pointer. Prior to krb5-1.9, the krb5_db_get_principal() function and related interfaces had output parameters "more" and "nprincs". The krb5-1.9 release includes changes to these interfaces so that they no longer have those outputs. Prior to krb5-1.9, the find_alternate_tgs() function in the KDC had a void return type, and indicated failure by setting its "more" and "nprincs" outputs appropriately. Its interface changed in krb5-1.9 to instead return an error code, with corresponding changes to process_tgs_req(); these changes to process_tgs_req() were flawed and allow errors other than KRB5_KDB_NOENTRY to cause a null pointer dereference. The vulnerable code executes after the KDC authenticates the request, so an attacker must have first obtained valid initial Kerberos credentials for the target realm. REVISION HISTORY ================ 2011-12-06 original release Copyright (C) 2011 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS) iQCVAgUBTt5mYabDgE/zdoE9AQIuKAQA0K1YUeTKjEIVjEIufpTanNoipQiWRNCE alUjkcxQeD3yFK8LU6yKcs0CdTI60FDst3788tUtoGDdwpnbc90Rv8EID00VtgEc 0rI4Nfe32MxP/UlNNVRinWkwtDLWeh1gKQOPXAjeapKQcWAFB3tM/haRnDgCu49I snM0jQSBFgA= =FK9G -----END PGP SIGNATURE-----