From tlyu at MIT.EDU Tue Apr 7 14:10:18 2009 
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 07 Apr 2009 14:10:18 -0400
Subject: MITKRB5-SA-2009-001: multiple vulnerabilities in SPNEGO, ASN.1 decoder [CVE-2009-0844 CVE-2009-0845 CVE-2009-0847]
Message-ID:

MITKRB5-SA-2009-001

MIT krb5 Security Advisory 2009-001
Original release: 2009-04-07
Last update: 2009-04-07

Topic: multiple vulnerabilities in SPNEGO, ASN.1 decoder

[CVE-2009-0844]
SPNEGO implementation can read beyond buffer end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      8.5

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Partial
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.7

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

[CVE-2009-0845]
SPNEGO implementation can dereference a null pointer

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

[CVE-2009-0847]
ASN.1 decoder incorrect length validation

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

See DETAILS for the expanded CVSSv2 metrics for CVE-2009-0845 and
CVE-2009-0847.

SUMMARY
=======

These are implementation vulnerabilities in MIT krb5, and not
vulnerabilities in the Kerberos protocol.

[CVE-2009-0844] The MIT krb5 implementation of the SPNEGO GSS-API
mechanism can read beyond the end of a network input buffer. This can
cause a GSS-API application to crash by reading from invalid address
space. Under theoretically possible but very unlikely conditions, a
small information leak may occur. We believe that no successful
exploit exists that could induce an information leak.

[CVE-2009-0845] The MIT krb5 implementation of the SPNEGO GSS-API
mechanism can dereference a null pointer under error conditions. This
can cause a GSS-API application to crash.
This vulnerability was previously publicly disclosed.

[CVE-2009-0847] MIT krb5 can perform an incorrect length check inside
an ASN.1 decoder. This only presents a problem in the PK-INIT code
paths. In the MIT krb5 KDC or kinit program, this could lead to
spurious malloc() failures or, under some conditions, program crash.
We have heard reports of the spurious malloc() failures, but nobody
has yet publicly made the connection to a security issue.

IMPACT
======

[CVE-2009-0844] An unauthenticated, remote attacker could cause a
GSS-API application, including the Kerberos administration daemon
(kadmind) to crash. Under extremely unlikely conditions, there may be
a theoretical possibility of a small information disclosure.

[CVE-2009-0845] An unauthenticated, remote attacker could cause a
GSS-API application, including the Kerberos administration daemon
(kadmind) to crash.

[CVE-2009-0847] An unauthenticated, remote attacker could cause a KDC
or kinit program to crash.

AFFECTED SOFTWARE
=================

[CVE-2009-0844 CVE-2009-0845]

* kadmind in MIT releases krb5-1.5 and later
* FTP daemon in MIT releases krb5-1.5 and later
* Third-party software using the GSS-API library from MIT krb5
  releases krb5-1.5 and later
* MIT releases prior to krb5-1.5 did not contain the vulnerable code.

[CVE-2009-0847]

* The kinit program and the KDC from MIT krb5 release krb5-1.6.3.
  Prior releases contained the vulnerable code, but the vulnerability
  was masked due to operations performed by other code.

FIXES
=====

* The upcoming krb5-1.7 and krb5-1.6.4 releases will contain fixes for
  these vulnerabilities.
* Apply the patch, available at

  http://web.mit.edu/kerberos/advisories/2009-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2009-001-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

  http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

  http://web.mit.edu/kerberos/index.html

CVSSv2:

  http://www.first.org/cvss/cvss-guide.html
  http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2009-0844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0844

CVE: CVE-2009-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845

CVE: CVE-2009-0847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0847

CERT: VU#662091
http://www.kb.cert.org/vuls/id/662091

http://krbdev.mit.edu/rt/Ticket/Display.html?id=6402

ACKNOWLEDGMENTS
===============

CVE-2009-0844 was discovered by Product Security at Apple, Inc.

We thank Apple and Sun for suggesting improvements to the patches.

CONTACT
=======

The MIT Kerberos Team security contact address is . When sending
sensitive information, please PGP-encrypt it using the following key:

pub   2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid     MIT Kerberos Team Security Contact

DETAILS
=======

[CVE-2009-0844]

The get_input_token() function in the SPNEGO implementation can read
beyond the end of a network input buffer. A length encoding that
decodes to a value exceeding the number of remaining bytes in the
input buffer will cause the function to copy memory past the end of
the input buffer.

[CVE-2009-0845]

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.1

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The spnego_gss_accept_sec_context() function in the GSS-API SPNEGO
implementation can dereference a null pointer under error conditions.
Cleanup code in this function can call the helper function
make_spnego_tokenTarg_msg() without first confirming that the value of
the "sc" variable is not null, thus causing a null pointer
dereference.

[CVE-2009-0847]

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.1

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The asn1buf_imbed() function incorrectly checks lengths by comparing
pointers after performing pointer arithmetic using an unchecked input
length. In addition, the functions asn1buf_remove_charstring() and
asn1buf_remove_octetstring() rely on an invariant that is violated
when asn1buf_imbed() incorrectly validates lengths, performing pointer
arithmetic using the invalid length. Consequently, malloc() receives
a very large number as its argument. If the malloc() call somehow
succeeds, the copy from the input buffer is likely to cross unmapped
address space, causing a crash.

Prior to the implementation of PK-INIT, the vulnerability was masked
because no ASN.1 decoder used asn1buf_remove_charstring() or
asn1buf_remove_octetstring() immediately following the use of
asn1buf_imbed(). Protocol elements of PK-INIT require this sequence
of calls in the decoder, unmasking the latent vulnerability.

REVISION HISTORY
================

2009-04-07      original release

Copyright (C) 2009 Massachusetts Institute of Technology

From tlyu at MIT.EDU Tue Apr 7 14:10:25 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 07 Apr 2009 14:10:25 -0400
Subject: MITKRB5-SA-2009-002: ASN.1 decoder frees uninitialized pointer [CVE-2009-0846]
Message-ID:

MITKRB5-SA-2009-002

MIT krb5 Security Advisory 2009-002
Original release: 2009-04-07
Last update: 2009-04-07

Topic: ASN.1 decoder frees uninitialized pointer

[CVE-2009-0846]
ASN.1 GeneralizedTime decoder can free uninitialized pointer

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

[CVE-2009-0846] An ASN.1 decoder can free an uninitialized pointer
when decoding an invalid encoding. This can cause a Kerberos
application to crash, or, under theoretically possible but unlikely
circumstances, execute arbitrary malicious code. No exploit is known
to exist that would cause arbitrary code execution.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.

IMPACT
======

[CVE-2009-0846] An unauthenticated, remote attacker could cause a
Kerberos application, including the Kerberos administration daemon
(kadmind) or the KDC to crash, and possibly to execute arbitrary code.
Compromise of the KDC or kadmind can compromise the Kerberos key
database and host security on the KDC host. (The KDC and kadmind
typically run as root.) We believe this scenario is highly unlikely,
given the details of the vulnerability.

Third-party applications using MIT krb5 may also be vulnerable.

MITIGATING FACTORS
==================

While it is theoretically possible for an attacker to execute
arbitrary code by exploiting this vulnerability, it is believed to be
more difficult than exploiting other sorts of memory management flaws
such as double-free or heap buffer overflow events.

Also, in order to exploit this vulnerability to remotely execute code,
an attacker must ensure that the uninitialized pointer points to valid
address space, otherwise a null-dereference crash will typically
occur.

Some operating systems have hardened malloc implementations that are
not susceptible to this problem. These operating systems are still
vulnerable to a denial of service if the uninitialized pointer points
to invalid address space.

AFFECTED SOFTWARE
=================

* All MIT krb5 releases
* Third-party software using the krb5 library from MIT krb5 releases

FIXES
=====

* The upcoming krb5-1.7 and krb5-1.6.4 releases will contain fixes for
  this vulnerability.
* Apply the patch

diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c index aa4be32..5f7461d 100644 - --- a/src/lib/krb5/asn.1/asn1_decode.c +++ b/src/lib/krb5/asn.1/asn1_decode.c @@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val) if(length != 15) return ASN1_BAD_LENGTH; retval = asn1buf_remove_charstring(buf,15,&s); + if (retval) return retval; /* Time encoding: YYYYMMDDhhmmssZ */ if(s[14] != 'Z') { free(s); diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c index 0ff9343..1c427d1 100644 - --- a/src/tests/asn.1/krb5_decode_test.c +++ b/src/tests/asn.1/krb5_decode_test.c
@@ -485,6 +485,22 @@ int main(argc, argv) ktest_destroy_keyblock(&(ref.subkey)); ref.seq_number = 0; decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); + + retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"); + if (retval) { + com_err("krb5_decode_test", retval, "while parsing"); + exit(1); + } + retval = decode_krb5_ap_rep_enc_part(&code, &var); + if (retval != ASN1_OVERRUN) { + printf("ERROR: "); + } else { + printf("OK: "); + } + printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n"); + krb5_free_data_contents(test_context, &code); + krb5_free_ap_rep_enc_part(test_context, var); + ktest_empty_ap_rep_enc_part(&ref); }

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2009-002-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2009-002-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-002.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

  http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

  http://web.mit.edu/kerberos/index.html

CVSSv2:

  http://www.first.org/cvss/cvss-guide.html
  http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2009-0846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846

CERT: VU#662091
http://www.kb.cert.org/vuls/id/662091

CONTACT
=======

The MIT Kerberos Team security contact address is .
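
Review bot: In the asn1_decode.c hunk, the added "if (retval) return retval;" in asn1_decode_generaltime() carries no comment, and the free(s) three lines below it still depends on asn1buf_remove_charstring() having set s. Add a one-line comment stating that s must not be read or freed when the call fails, and consider initialising s to NULL at its declaration, so that a later edit which moves or drops this check cannot bring back the free of an unset pointer.
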
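
Review bot: In the krb5_decode_test.c hunk, krb5_free_ap_rep_enc_part(test_context, var) runs unconditionally after decode_krb5_ap_rep_enc_part(&code, &var), including on the expected ASN1_OVERRUN path where decoding has failed, and the visible lines do not reset var before the call. Set var to NULL before decoding, or free it only when retval is 0, so the test does not rely on what a failed decode leaves in var. The ERROR branch also only prints "ERROR: "; as far as these lines show, a regression would not change the exit status, so consider recording the failure in a way the test driver can detect.
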
When sending sensitive information, please PGP-encrypt it using the
following key:

pub   2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid     MIT Kerberos Team Security Contact

DETAILS
=======

The asn1_decode_generaltime() function, which decodes DER encodings of
the ASN.1 type "GeneralizedTime", can free an uninitialized pointer.
This can cause a Kerberos application to crash, or, under
theoretically possible but unlikely circumstances, execute arbitrary
malicious code. No exploit is known to exist that would cause
arbitrary code execution.

REVISION HISTORY
================

2009-04-07      original release

Copyright (C) 2009 Massachusetts Institute of Technology

From tlyu at MIT.EDU Tue Jun 2 11:24:59 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 02 Jun 2009 11:24:59 -0400
Subject: krb5-1.7 is released
Message-ID:

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.7. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.7
=================================

You may retrieve the Kerberos 5 Release 1.7 source from the following
URL:

  http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.7 release is:

  http://web.mit.edu/kerberos/krb5-1.7/

Further information about Kerberos 5 may be found at the following
URL:

  http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

  http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release will contain measures to encourage sites to migrate
away from using single-DES cryptosystems. Among these is a
configuration variable that enables "weak" enctypes, but will default
to "false" in the future. Additional migration aids are planned for
future releases.

Major changes in 1.7
====================

The krb5-1.7 release contains a large number of changes, featuring
improvements in the following broad areas:

* Compatibility with Microsoft Windows
* Administrator experience
* User experience
* Code quality
* Protocol evolution

Compatibility with Microsoft Windows:

* Follow client principal referrals in the client library when
  obtaining initial tickets.
* KDC can issue realm referrals for service principals based on domain
  names.
* Extensions supporting DCE RPC, including three-leg GSS context setup
  and unencapsulated GSS tokens inside SPNEGO.
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
  similar to the equivalent SSPI functionality. This is needed to
  support some instances of DCE RPC.
* NTLM recognition support in GSS-API, to facilitate dropping in an
  NTLM implementation for improved compatibility with older releases
  of Microsoft Windows.
* KDC support for principal aliases, if the back end supports them.
  Currently, only the LDAP back end supports aliases.
* Support Microsoft set/change password (RFC 3244) protocol in
  kadmind.
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
  allows a GSS application to request credential delegation only if
  permitted by KDC policy.

Administrator experience:

* Install header files for the administration API, allowing
  third-party software to manipulate the KDC database.
* Incremental propagation support for the KDC database.
* Master key rollover support, making it easier to change master key
  passwords or encryption types.
* New libdefaults configuration variable "allow_weak_crypto". NOTE:
  Currently defaults to "true", but may default to "false" in a future
  release. Setting this variable to "false" will have the effect of
  removing weak enctypes (currently defined to be all single-DES
  enctypes) from permitted_enctypes, default_tkt_enctypes, and
  default_tgs_enctypes.

User experience:

* Provide enhanced GSS-API error message including supplementary
  details about error conditions.
* In the replay cache, use a hash over the complete ciphertext to
  avoid false-positive replay indications.

Code quality:

* Replace many uses of "unsafe" string functions. While most of these
  instances were innocuous, they impeded efficient automatic and
  manual static code analysis.
* Fix many instances of resource leaks and similar bugs identified by
  static analysis tools.
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
  various vulnerabilities in SPNEGO and ASN.1 code.

Protocol evolution:

* Remove support for version 4 of the Kerberos protocol (krb4).
* Encryption algorithm negotiation (RFC 4537), allowing clients and
  application services to negotiate stronger encryption than their KDC
  supports.
* Flexible Authentication Secure Tunneling (FAST), a preauthentication
  framework that can protect the AS exchange from dictionary attacks
  on weak user passwords.
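
The two ASN.1 decoder flaws described in the DETAILS sections of MITKRB5-SA-2009-001 (CVE-2009-0847, length checked by pointer arithmetic) and MITKRB5-SA-2009-002 (CVE-2009-0846, pointer used after a failed call) above, shown as an added C example that is not MIT krb5 code. The type toybuf, the TOY_* codes and all four function names are hypothetical, and the flawed pointer sum is modelled on uintptr_t so that the wraparound is well defined.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified decoder state; not the krb5 asn1buf type. */
typedef struct {
    const unsigned char *next;   /* next unread byte */
    const unsigned char *bound;  /* one past the last valid byte */
} toybuf;
enum { TOY_OK, TOY_OVERRUN, TOY_BAD_LENGTH, TOY_BAD_FORMAT, TOY_NOMEM };

/* Flawed pattern: add the untrusted length to the pointer value, then
 * compare. A huge length wraps the sum and the check passes. */
int len_check_flawed(const toybuf *b, size_t len)
{
    uintptr_t end = (uintptr_t)b->next + len;          /* can wrap */
    return end > (uintptr_t)b->bound ? TOY_OVERRUN : TOY_OK;
}

/* Hardened pattern: compare the length with the bytes that remain. */
int len_check_safe(const toybuf *b, size_t len)
{
    return len > (size_t)(b->bound - b->next) ? TOY_OVERRUN : TOY_OK;
}

/* Copy len bytes out as a NUL-terminated string. On failure *out is
 * left untouched, so the caller must test the return value. */
int take_string(toybuf *b, size_t len, char **out)
{
    char *s;
    if (len_check_safe(b, len) != TOY_OK) return TOY_OVERRUN;
    if ((s = malloc(len + 1)) == NULL) return TOY_NOMEM;
    memcpy(s, b->next, len);
    s[len] = '\0';
    b->next += len;
    *out = s;
    return TOY_OK;
}

/* Caller in the shape of a GeneralizedTime decoder: YYYYMMDDhhmmssZ. */
int decode_time(toybuf *b, size_t len, char stamp[16])
{
    char *s = NULL;                      /* never free an unset pointer */
    int ret;
    if (len != 15) return TOY_BAD_LENGTH;
    ret = take_string(b, 15, &s);
    if (ret != TOY_OK) return ret;       /* s was not set: do not touch */
    ret = (s[14] == 'Z') ? TOY_OK : TOY_BAD_FORMAT;
    if (ret == TOY_OK) memcpy(stamp, s, 16);
    free(s);
    return ret;
}
```

Calling decode_time() on a buffer that holds fewer than 15 bytes returns TOY_OVERRUN without reading or freeing s, which is the same outcome the advisory's regression test expects from the real decoder (ASN1_OVERRUN).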