remctl 2018-04-01 Security Advisory

Russ Allbery eagle at eyrie.org
Sun Apr 1 19:03:13 EDT 2018


Vulnerability type:  Use after free, double free
Versions affected:   3.12 and 3.13
Versions fixed:      3.14 and later
Reported:            2018-03-30
Public announcement: 2018-04-01
CVE IDs:             CVE-2018-0493

Santosh Ananthakrishnan discovered incorrect memory management in the
remctld and remctl-shell servers when handling commands with the sudo
configuration option. For remctld, it may be possible (although it appears
to be difficult) for a client to execute arbitrary commands on the server. To
exploit this vulnerability, the client must have access to run a command
that uses the sudo configuration option. The client would then need to run
the command using sudo multiple times in a single connection using
keep-alive.

I'm not aware of any exploits in the wild. remctl-shell is not affected,
only remctld.

This problem has been fixed in remctl 3.14, available from:

  https://www.eyrie.org/~eagle/software/remctl/

It has also been fixed in Debian stable (stretch) in the 3.13-1+deb9u1
package version, and in Debian unstable in the 3.14-1 package version.
Only the remctl-server package is affected. This bug is not present in
older Debian releases.

My apologies for this memory management error. It's an obvious error in
context and was probably left over from a code refactoring when developing
the sudo feature. I hope to include better automated memory management
testing in the next release of remctl after 3.14.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>