MITKRB5-SA-2022-001

MIT krb5 Security Advisory 2022-001

Original release: 2022-11-15
Last update: 2022-11-15

Topic: Vulnerabilities in PAC parsing

CVE-2022-42898: integer overflow vulnerabilities in PAC parsing

SUMMARY
=======

Three integer overflow vulnerabilities have been discovered in the MIT krb5 library function krb5_pac_parse().

IMPACT
======

An authenticated attacker may be able to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service. A privileged attacker may similarly be able to cause a Kerberos or GSS application service to crash.

On a 32-bit platform, an authenticated attacker may be able to cause heap corruption in a KDC or kadmind process, possibly leading to remote code execution. A privileged attacker may similarly be able to cause heap corruption in a Kerberos or GSS application service running on a 32-bit platform.

An attacker with the privileges of a cross-realm KDC may be able to extract secrets from a KDC process's memory by having them copied into the PAC of a new ticket.

AFFECTED SOFTWARE
=================

Kerberos and GSS application services using krb5-1.8 or later are affected.

kadmind in krb5-1.8 or later is affected.

The krb5-1.20 KDC is affected. The krb5-1.8 through krb5-1.19 KDC is affected when using the Samba or FreeIPA KDB modules.

FIXES
=====

* Upcoming releases in the krb5-1.19 and krb5-1.20 series will contain fixes for these vulnerabilities.
* The patch for krb5-1.20.x is available at

  https://web.mit.edu/kerberos/advisories/2022-001-patch-r120.txt

  A PGP-signed patch is available at

  https://web.mit.edu/kerberos/advisories/2022-001-patch-r120.txt.asc

* The patch for krb5-1.19.x is available at

  https://web.mit.edu/kerberos/advisories/2022-001-patch-r119.txt

  A PGP-signed patch is available at

  https://web.mit.edu/kerberos/advisories/2022-001-patch-r119.txt.asc

REFERENCES
==========

This announcement is posted at:

  https://web.mit.edu/kerberos/advisories/MITKRB5-SA-2022-001.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

  https://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

  https://web.mit.edu/kerberos/index.html

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898

ACKNOWLEDGMENTS
===============

One of the integer overflow vulnerabilities was discovered by oss-fuzz.

CONTACT
=======

The MIT Kerberos Team security contact address is .

DETAILS
=======

A PAC (Privilege Attribute Certificate) is a Kerberos authorization data type specified by Microsoft. PACs are parsed by application services and KDCs after the PAC is extracted from a decrypted ticket. Attacking an application service requires a high level of privilege, as the attacker must possess the long-term key of the service to insert a crafted invalid PAC into a ticket that the service can decrypt. To attack a KDC or kadmind, the attacker must possess the long-term key of a principal in the KDC realm, but does not require a high level of privilege.

There are three potential overflow vulnerabilities in krb5_pac_parse():

1. krb5_pac_parse() reads a buffer count from the serialized PAC, which can be any unsigned 32-bit value. It then computes a header length from the buffer count, and returns an error if the header length is larger than the serialized PAC length.
   If the buffer count is 2^28 or higher, the header length computation will overflow, and the result may be less than or equal to the PAC length. If the header length check is defeated in this manner, krb5_pac_parse() will attempt to parse metadata for at least 2^28 buffers, exceeding the bounds of the serialized PAC. In most cases, parsing beyond the end of the PAC will encounter invalid metadata and the parse operation will fail, with no harmful consequences. In some cases the process may be terminated with a segmentation violation.

2. krb5_pac_parse() computes a reallocation size based on the buffer count. If the buffer count is 2^28 or higher, the size computation will overflow on 32-bit platforms, and the function will allocate insufficient space to store buffer metadata. On 64-bit platforms the size computation cannot overflow. An insufficient storage allocation will result in heap corruption when buffer metadata is read. The attacker has a significant degree of control over what data is written beyond the end of the allocated heap region.

3. For each buffer, krb5_pac_parse() reads a 64-bit offset and a 32-bit length. The function returns an error if the sum of the offset and length exceeds the length of the serialized PAC. If the sum exceeds 2^64, the offset and length may be erroneously allowed. A later read of the buffer may cause the process to crash. If it does not, the buffer contents may contain secrets located in process memory. A KDC may copy the invalid buffer into the PAC for a new ticket, possibly revealing secret information to the attacker. However, a high level of privilege would be required to conduct such an attack, as the PAC must be signed by a KDC within the local realm or a KDC from a realm that the local realm is directly connected to.
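The three arithmetic checks described above, as an added example in C. This is not krb5's code and does not reproduce its PAC parser; each check is shown in its overflow-prone form beside an overflow-safe form, and the safe forms are then applied to a constructed buffer table. The layout assumed here (an 8-byte PAC header holding the buffer count and version, followed by 16 bytes of metadata per buffer: 32-bit type, 32-bit size, 64-bit offset, little-endian), the struct used to emulate the metadata allocation, and the sample PACs are all assumptions made for this example; the 16-byte entry size is what produces the 2^28 threshold the advisory cites.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout assumed for this example: 8-byte header, then 16 bytes of
 * metadata per buffer (32-bit type, 32-bit size, 64-bit offset), LE. */
#define PAC_HDR_FIXED 8u
#define PAC_BUF_META  16u

/* In-memory metadata entry used to emulate the reallocation in check 2. */
struct pac_buf_meta { uint32_t type; uint32_t size; uint64_t offset; };

/* 1. Header length.  Overflow-prone: 16 * cbuffers wraps in 32-bit
 * arithmetic once cbuffers >= 2^28, so a huge count can look tiny. */
static bool header_fits_wrapping(uint32_t cbuffers, uint32_t pac_len)
{
    uint32_t hdr_len = PAC_HDR_FIXED + PAC_BUF_META * cbuffers; /* may wrap */
    return hdr_len <= pac_len;
}

/* Safe form: bound the count by what the PAC can hold before multiplying. */
static bool header_fits_safe(uint32_t cbuffers, uint32_t pac_len)
{
    if (pac_len < PAC_HDR_FIXED)
        return false;
    return cbuffers <= (pac_len - PAC_HDR_FIXED) / PAC_BUF_META;
}

/* 2. Metadata allocation size, with a 32-bit size_t emulated by uint32_t.
 * Overflow-prone: the product wraps and the allocation comes out too small. */
static uint32_t meta_alloc_wrapping32(uint32_t cbuffers)
{
    return cbuffers * (uint32_t)sizeof(struct pac_buf_meta); /* may wrap */
}

/* Safe form: refuse any count whose product would not fit. */
static bool meta_alloc_safe32(uint32_t cbuffers, uint32_t *bytes)
{
    if (cbuffers > UINT32_MAX / (uint32_t)sizeof(struct pac_buf_meta))
        return false;
    *bytes = cbuffers * (uint32_t)sizeof(struct pac_buf_meta);
    return true;
}

/* 3. Buffer range.  Overflow-prone: offset + len can wrap past 2^64. */
static bool range_ok_wrapping(uint64_t offset, uint32_t len, uint64_t pac_len)
{
    return offset + len <= pac_len; /* sum may wrap */
}

/* Safe form: compare without ever forming the sum. */
static bool range_ok_safe(uint64_t offset, uint32_t len, uint64_t pac_len)
{
    return offset <= pac_len && len <= pac_len - offset;
}

/* Little-endian readers, byte-wise so host endianness does not matter. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}

/* Walk a serialized PAC's buffer table with the safe checks only.
 * Returns the buffer count on success, or -1 if any check rejects it. */
static int validate_pac_buffer_table(const uint8_t *pac, uint32_t pac_len)
{
    uint32_t cbuffers, alloc_bytes, i;

    if (pac_len < PAC_HDR_FIXED)
        return -1;
    cbuffers = rd32(pac);
    if (!header_fits_safe(cbuffers, pac_len))
        return -1;
    if (!meta_alloc_safe32(cbuffers, &alloc_bytes))
        return -1;
    for (i = 0; i < cbuffers; i++) {
        const uint8_t *e = pac + PAC_HDR_FIXED + PAC_BUF_META * i;
        if (!range_ok_safe(rd64(e + 8), rd32(e + 4), pac_len))
            return -1;
    }
    return (int)cbuffers;
}

/* Constructed sample: two buffers whose metadata is self-consistent. */
static const uint8_t SAMPLE_PAC[56] = {
    2, 0, 0, 0,  0, 0, 0, 0,                            /* cBuffers=2, Version=0 */
    1, 0, 0, 0,  8, 0, 0, 0,  40, 0, 0, 0, 0, 0, 0, 0,  /* type 1, size 8, off 40 */
    6, 0, 0, 0,  8, 0, 0, 0,  48, 0, 0, 0, 0, 0, 0, 0,  /* type 6, size 8, off 48 */
    'l', 'o', 'g', 'o', 'n', 0, 0, 0,                   /* buffer 1 (placeholder) */
    0, 0, 0, 0, 0, 0, 0, 0                              /* buffer 2 (placeholder) */
};

/* Constructed sample with cBuffers = 2^28; remaining bytes are zero. */
static const uint8_t CRAFTED_PAC[56] = { 0, 0, 0, 0x10 };

int main(void)
{
    printf("sample: %d buffers\n", validate_pac_buffer_table(SAMPLE_PAC, 56));
    printf("crafted: safe=%d wrapping=%s\n", validate_pac_buffer_table(CRAFTED_PAC, 56),
           header_fits_wrapping(rd32(CRAFTED_PAC), 56) ? "fits" : "rejected");
    return 0;
}
```

The wrapping forms exist only to show why the original arithmetic fails; a parser should use the safe forms, which never compute a value that can exceed the width of its type. The same pattern (check the bound before multiplying or adding) is the general fix for length-times-count and offset-plus-length checks in any binary format parser, not just this one.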
GSS and Kerberos application services using krb5-1.8 or later will parse a PAC when an AP-REQ or Kerberos GSS initiator token is received from a client, if a PAC is contained within the decrypted Kerberos ticket. To exploit the aforementioned vulnerabilities, an attacker must be able to construct a ticket that the application service can decrypt, containing a crafted invalid PAC encoding. Constructing such a ticket requires possession of a key contained within the service's keytab file, implying that the attacker already has the privileges of the application service or the KDC of the service realm.

kadmind is a GSS application service with the special property that it can decrypt a ticket encrypted in any service key in the database. After authentication, it checks that the target service has an appropriate name, but by that time any PAC in the received ticket has already been parsed. Therefore, it could be attacked by any attacker who possesses the long-term key of any principal that does not have the DISALLOW_SVR or DISALLOW_ALL_TIX flags set.

The krb5-1.20 KDC will parse a PAC if one is contained within a TGS request header ticket or second ticket. As with kadmind, such a ticket could be crafted using the long-term key of any principal that does not have the DISALLOW_SVR or DISALLOW_ALL_TIX flags set. The KDC prior to krb5-1.20 does not parse PACs unless it is used with a KDB module that implements PACs, such as the Samba or FreeIPA KDB modules.

REVISION HISTORY
================

2022-11-15 original release

Copyright (C) 2022 Massachusetts Institute of Technology