MITKRB5-SA-2009-001: multiple vulnerabilities in SPNEGO, ASN.1 decoder [CVE-2009-0844 CVE-2009-0845 CVE-2009-0847]
Tom Yu
tlyu at MIT.EDU
Tue Apr 7 14:10:18 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2009-001
MIT krb5 Security Advisory 2009-001
Original release: 2009-04-07
Last update: 2009-04-07
Topic: multiple vulnerabilities in SPNEGO, ASN.1 decoder
[CVE-2009-0844]
SPNEGO implementation can read beyond buffer end
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 8.5
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 6.7
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
[CVE-2009-0845]
SPNEGO implementation can dereference a null pointer
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
CVSSv2 Temporal Score: 6.1
[CVE-2009-0847]
ASN.1 decoder incorrect length validation
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
CVSSv2 Temporal Score: 6.1
See DETAILS for the expanded CVSSv2 metrics for CVE-2009-0845 and
CVE-2009-0847.
SUMMARY
=======
These are implementation vulnerabilities in MIT krb5, and not
vulnerabilities in the Kerberos protocol.
[CVE-2009-0844]
The MIT krb5 implementation of the SPNEGO GSS-API mechanism can read
beyond the end of a network input buffer. This can cause a GSS-API
application to crash by reading from invalid address space. Under
theoretically possible but very unlikely conditions, a small
information leak may occur. We believe that no successful exploit
exists that could induce an information leak.
[CVE-2009-0845]
The MIT krb5 implementation of the SPNEGO GSS-API mechanism can
dereference a null pointer under error conditions. This can cause a
GSS-API application to crash. This vulnerability was previously
publicly disclosed.
[CVE-2009-0847]
MIT krb5 can perform an incorrect length check inside an ASN.1
decoder. This only presents a problem in the PK-INIT code paths. In
the MIT krb5 KDC or kinit program, this could lead to spurious
malloc() failures or, under some conditions, program crash. We have
heard reports of the spurious malloc() failures, but nobody has yet
made the publicly made the connection to a security issue.
IMPACT
======
[CVE-2009-0844] An unauthenticated, remote attacker could cause a
GSS-API application, including the Kerberos administration daemon
(kadmind) to crash. Under extremely unlikely conditions, there may be
a theoretical possibility of a small information disclosure.
[CVE-2009-0845] An unauthenticated, remote attacker could cause a
GSS-API application, including the Kerberos administration daemon
(kadmind) to crash.
[CVE-2009-0847] An unauthenticated, remote attacker could cause a KDC
or kinit program to crash.
AFFECTED SOFTWARE
=================
[CVE-2009-0844 CVE-2009-0845]
* kadmind in MIT releases krb5-1.5 and later
* FTP daemon in MIT releases krb5-1.5 and later
* Third-party software using the GSS-API library from MIT krb5
releases krb5-1.5 and later
* MIT releases prior to krb5-1.5 did not contain the vulnerable code.
[CVE-2009-0847]
* The kinit program and the KDC from MIT krb5 release krb5-1.6.3.
Prior releases contained the vulnerable code, but the vulnerability
was masked due to operations performed by other code.
FIXES
=====
* The upcoming krb5-1.7 and krb5-1.6.4 releases will contain fixes for
these vulnerabilities.
* Apply the patch, available at
http://web.mit.edu/kerberos/advisories/2009-001-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2009-001-patch.txt.asc
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2009-0844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0844
CVE: CVE-2009-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845
CVE: CVE-2009-0847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0847
CERT: VU#662091
http://www.kb.cert.org/vuls/id/662091
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6402
ACKNOWLEDGMENTS
===============
CVE-2009-0844 was discovered by Product Security at Apple, Inc. We
thank Apple and Sun for suggesting improvements to the patches.
CONTACT
=======
The MIT Kerberos Team security contact address is
<krbcore-security at mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security at mit.edu>
DETAILS
=======
[CVE-2009-0844]
The get_input_token() function in the SPNEGO implementation can read
beyond the end of a network input buffer. A length encoding that
decodes to a value exceeding the number of remaining bytes in the
input buffer will cause the function to copy memory past the end of
the input buffer.
[CVE-2009-0845]
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 6.1
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
The spnego_gss_accept_sec_context() function in the GSS-API SPNEGO
implementation can dereference a null pointer under error conditions.
Cleanup code in this function can call the helper function
make_spnego_tokenTarg_msg() without first confirming that the value of
the "sc" variable is not null, thus causing a null pointer
dereference.
[CVE-2009-0847]
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 6.1
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
The asn1buf_imbed() function incorrectly checks lengths by comparing
pointers after performing pointer arithmetic using an unchecked input
length. In addition, the functions asn1buf_remove_charstring() and
asn1buf_remove_octetstring() rely on an invariant that is violated
when asn1buf_imbed() incorrectly validates lengths, performing pointer
arithmetic using the invalid length. Consequently, malloc() receives
a very large number as its argument. If the malloc() call somehow
succeeds, the copy from the input buffer is likely to cross unmapped
address space, causing a crash.
Prior to the implementation of PK-INIT, the vulnerability was masked
because no ASN.1 decoder used asn1buf_remove_charstring() or
asn1buf_remove_octetstring() immediately following the use of
asn1buf_imbed(). Protocol elements of PK-INIT require this sequence
of calls in the decoder, unmasking the latent vulnerability.
REVISION HISTORY
================
2009-04-07 original release
Copyright (C) 2009 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
iQCVAgUBSduVZabDgE/zdoE9AQI9OgP+OymYyzsFHkUcUWjEVtiFPxKCYh6uZvIj
foqgws9Kv4/TZ44SsJJLURCBgBthm/2coWwlaxaFdDgzXxH/KUW5J9UEBy/rraNx
tLh9CFcuP/uG12N9+Hp9BmlO8euu60cMKRlhAKUuOLTLj74RPMYIID6TE4VgE0g8
UKIvMyadl2I=
=OU63
-----END PGP SIGNATURE-----
More information about the kerberos-announce
mailing list