-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 MITKRB5-SA-2014-001 MIT krb5 Security Advisory 2014-001 Original release: 2014-08-07 Last update: 2014-08-07 Topic: Buffer overrun in kadmind with LDAP backend CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 8.5 Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete CVSSv2 Temporal Score: 6.7 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause it to perform an out-of-bounds write (buffer overflow). This is not a protocol vulnerability. Using LDAP for the KDC database is a non-default configuration for the KDC. IMPACT ====== Historically, it has been possible to convert an out-of-bounds write into remote code execution in some cases, though the necessary exploits must be tailored to the individual application and are usually quite complicated. Depending on the allocated length of the array, an out-of-bounds write may also cause a segmentation fault and/or application crash. AFFECTED SOFTWARE ================= * The kadmind daemon from MIT krb5 releases 1.6 to 1.12.2, when configured to use the LDAP backend for the KDB, is vulnerable. Releases of MIT krb5 prior to 1.6 did not provide the ability to use LDAP for the KDB backend. FIXES ===== * Workaround: disable or restrict access to kadmind until a patched version can be installed. This will prevent principal creation, password changes, keytab updates, and other administrative operations. * The krb5-1.12.2 and krb5-1.11.6 releases will contain a fix for this vulnerability. diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index ce851ea..df5934c 100644 - --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data, j++; last = i + 1; - - currkvno = key_data[i].key_data_kvno; + if (i < n_key_data - 1) + currkvno = key_data[i + 1].key_data_kvno; } } ret[num_versions] = NULL; This patch is also available at http://web.mit.edu/kerberos/advisories/2014-001-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2014-001.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: CVE-2014-4345 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4345 ACKNOWLEDGMENTS =============== This off-by-one error was reported by Tomas Kuthan as github pull request #181 and recognized as a vulnerability by Greg Hudson. CONTACT ======= The MIT Kerberos Team security contact address is <krbcore-security@xxxxxxx>. When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/C436A9C6 2014-01-07 [expires: 2015-02-01] Key fingerprint = 1849 02FF 0CA8 A385 F28D 2E7E 2AF0 C1EA C436 A9C6 uid MIT Kerberos Team Security Contact <krbcore-security@xxxxxxx> DETAILS ======= The 'cpw -keepold' functionality allows for the existing keys to be retained at password-change (or keytab-change) time, instead of being discarded as usual. An array must be allocated to store all the old keys, as well as the new keys and a NULL terminator. In normal operation, all the keys for a single kvno will share an array slot. An off-by-one error while copying key information to the new array results in keys sharing a common kvno being written to different array buckets, with the first key of a kvno betting a single bucket, and the remaining keys getting the next bucket. After sufficient iterations, the extra writes extend past the end of the (NULL-terminated) array. The NULL terminator is always written after the end of the loop, so no out-of-bounds data is read, it is only written. REVISION HISTORY ================ 2014-08-07 original release Copyright (C) 2014 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGgBAEBCAAGBQJT4/duAAoJECjZpvNk63USrnQMH2t7UgKODNopFrkpAU7Tn0LH NFhMSHGLbAe6+K/wcvqlmuNI1lvcqTGu8/U2cIOw+E4m+MiUpR8gFQd5UP8+wnpJ mCGhKdvCSgYnxoru06NSvisF4fAm8qij5WSEA7/CSqOSCmAVsM8VOt/nom+0tZUw 3u7dxfGpvmLEBBNlXiuukHmT7HQvQomqltbwUyyBuBp8S07G1tCWQr5Ei+aUnM5l vxSoS50ek28nd9TfGEQ3hTYpwQEJw9WVWM4AZG7HDVuEhdexI5RD0r6aE2Tq3Tnp 01htIs9XQxcepV3L84P4F0WXW1rCQjnErTf0ywzFL9sUOzT7CiBQIaJ0m/nWRkz/ UVubpezV8njZ65tCoWX/GYdhwUgc09LMI0GDdBZ5TPmWvpQp7REwFMYVBLjNg/7S qYzXl8X5jRABUJQxga+G3XenFP+vKIvS4DqqHT3gn7GNdwER4EWl5NAaaNc7yzAN 6g+13gyJcLOiSmT4p3pnCU8bRSHGKj3DnulyyiCj9coxbPc= =GLjL -----END PGP SIGNATURE-----