krb5 commit [krb5-1.11]: Fix double-free in SPNEGO [CVE-2014-4343]

Fri Feb 6 18:44:41 EST 2015

https://github.com/krb5/krb5/commit/32f6c3feba6c70f45ce2d29257bfe8c2dc2a0804
commit 32f6c3feba6c70f45ce2d29257bfe8c2dc2a0804
Author: David Woodhouse <David.Woodhouse at intel.com>
Date:   Tue Jul 15 12:54:15 2014 -0400

    Fix double-free in SPNEGO [CVE-2014-4343]
    
    In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
    pointer sc->internal_mech became an alias into sc->mech_set->elements,
    which should be considered constant for the duration of the SPNEGO
    context.  So don't free it.
    
    CVE-2014-4343:
    
    In MIT krb5 releases 1.10 and newer, an unauthenticated remote
    attacker with the ability to spoof packets appearing to be from a
    GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
    (clients) which are using the SPNEGO mechanism, by returning a
    different underlying mechanism than was proposed by the initiator.  At
    this stage of the negotiation, the acceptor is unauthenticated, and
    the acceptor's response could be spoofed by an attacker with the
    ability to inject traffic to the initiator.
    
    Historically, some double-free vulnerabilities can be translated into
    remote code execution, though the necessary exploits must be tailored
    to the individual application and are usually quite
    complicated. Double-frees can also be exploited to cause an
    application crash, for a denial of service.  However, most GSSAPI
    client applications are not vulnerable, as the SPNEGO mechanism is not
    used by default (when GSS_C_NO_OID is passed as the mech_type argument
    to gss_init_sec_context()).  The most common use of SPNEGO is for
    HTTP-Negotiate, used in web browsers and other web clients.  Most such
    clients are believed to not offer HTTP-Negotiate by default, instead
    requiring a whitelist of sites for which it may be used to be
    configured.  If the whitelist is configured to only allow
    HTTP-Negotiate over TLS connections ("https://"), a successful
    attacker must also spoof the web server's SSL certificate, due to the
    way the WWW-Authenticate header is sent in a 401 (Unauthorized)
    response message.  Unfortunately, many instructions for enabling
    HTTP-Negotiate in common web browsers do not include a TLS
    requirement.
    
        CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
    
    [kaduk at mit.edu: CVE summary and CVSSv2 vector]
    
    (cherry picked from commit f18ddf5d82de0ab7591a36e465bc24225776940f)
    
    ticket: 8113 (new)
    version_fixed: 1.11.6
    status: resolved

 src/lib/gssapi/spnego/spnego_mech.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 479b236..805c593 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -789,7 +789,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
 	OM_uint32 tmpmin;
 	size_t i;
 
-	generic_gss_release_oid(&tmpmin, &sc->internal_mech);
 	gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
 			       GSS_C_NO_BUFFER);
 
