krb5 commit: Prevent KDC unset status assertion failures

Greg Hudson ghudson at mit.edu
Mon Jul 24 10:52:32 EDT 2017


https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970
commit ffb35baac6981f9e8914f8f3bffd37f284b85970
Author: Greg Hudson <ghudson at mit.edu>
Date:   Thu Jul 13 12:14:20 2017 -0400

    Prevent KDC unset status assertion failures
    
    Assign status values if S4U2Self padata fails to decode, if an
    S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
    uses an evidence ticket which does not match the canonicalized request
    server principal name.  Reported by Samuel Cabrero.
    
    If a status value is not assigned during KDC processing, default to
    "UNKNOWN_REASON" rather than failing an assertion.  This change will
    prevent future denial of service bugs due to similar mistakes, and
    will allow us to omit assigning status values for unlikely errors such
    as small memory allocation failures.
    
    CVE-2017-11368:
    
    In MIT krb5 1.7 and later, an authenticated attacker can cause an
    assertion failure in krb5kdc by sending an invalid S4U2Self or
    S4U2Proxy request.
    
      CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    
    ticket: 8599 (new)
    target_version: 1.15-next
    target_version: 1.14-next
    tags: pullup

 src/kdc/do_as_req.c  |    4 ++--
 src/kdc/do_tgs_req.c |    3 ++-
 src/kdc/kdc_util.c   |   10 ++++++++--
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 2d3ad13..9b256c8 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
     did_log = 1;
 
 egress:
-    if (errcode != 0)
-        assert (state->status != 0);
+    if (errcode != 0 && state->status == NULL)
+        state->status = "UNKNOWN_REASON";
 
     au_state->status = state->status;
     au_state->reply = &state->reply;
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index cdc79ad..d8d6719 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     free(reply.enc_part.ciphertext.data);
 
 cleanup:
-    assert(status != NULL);
+    if (status == NULL)
+        status = "UNKNOWN_REASON";
     if (reply_key)
         krb5_free_keyblock(kdc_context, reply_key);
     if (errcode)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 778a629..b710aef 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
     req_data.data = (char *)pa_data->contents;
 
     code = decode_krb5_pa_for_user(&req_data, &for_user);
-    if (code)
+    if (code) {
+        *status = "DECODE_PA_FOR_USER";
         return code;
+    }
 
     code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
     if (code) {
@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
     req_data.data = (char *)pa_data->contents;
 
     code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
-    if (code)
+    if (code) {
+        *status = "DECODE_PA_S4U_X509_USER";
         return code;
+    }
 
     code = verify_s4u_x509_user_checksum(context,
                                          tgs_subkey ? tgs_subkey :
@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
      * that is validated previously in validate_tgs_request().
      */
     if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
+        *status = "INVALID_S4U2PROXY_OPTIONS";
         return KRB5KDC_ERR_BADOPTION;
     }
 
@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
     if (!krb5_principal_compare(kdc_context,
                                 server->princ, /* after canon */
                                 server_princ)) {
+        *status = "EVIDENCE_TICKET_MISMATCH";
         return KRB5KDC_ERR_SERVER_NOMATCH;
     }
 


More information about the cvs-krb5 mailing list