Is the vulnerability CVE-2017-11462 applicable to older MIT Kerberos 5 releases?

Greg Hudson ghudson at mit.edu
Wed Jan 17 10:24:38 EST 2018


On 01/17/2018 06:42 AM, Sergey Emantayev wrote:
> Sorry for the delayed response.
> How can I identify an incorrect usage of gss_init_sec_context
> / gss_accept_sec_context?

Both of these calls accept a pointer to a context handle (gss_ctx_id_t).
Both calls are permitted by RFC 2744 to delete an existing context
handle on error, setting the caller's handle to GSS_C_NO_CONTEXT;
alternatively, implementations may leave the context alone on error and
wait for the caller to delete it.

The danger arises if a caller copies the context handle and passes a
pointer to the copy to gss_init_sec_context() or
gss_accept_sec_context(), then passes a pointer to the original context
handle to gss_delete_sec_context().  If the caller uses the same pointer
to the context handle for all calls relating to a context, it should be
safe.  (If it does use copies, it can still be safe if it updates all
copies of the context handle after each call to init/accept_sec_context,
on success or failure.)
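To make the handle-copy hazard above concrete, here is an added runnable model of the RFC 2744 contract; it is not GSSAPI code and not from the krb5 project. The names ctx_t, init_step() and delete_ctx() are hypothetical stand-ins for gss_ctx_id_t, gss_init_sec_context() and gss_delete_sec_context(), and contexts are marked dead instead of being freed so that a stale handle can be detected rather than crashing.

```c
#include <stddef.h>

/* Hypothetical model of the RFC 2744 context-handle contract (not GSSAPI):
 * ctx_t stands in for gss_ctx_id_t, init_step() for gss_init_sec_context()
 * and delete_ctx() for gss_delete_sec_context(). */
typedef struct { int round; int live; } ctx_rec;
typedef ctx_rec *ctx_t;
#define NO_CONTEXT ((ctx_t)NULL)
enum { ST_COMPLETE, ST_CONTINUE, ST_FAILURE };

static ctx_rec pool[16];   /* contexts are never really freed, so a stale  */
static int next_ctx;       /* handle can be inspected instead of crashing   */

/* Like the real call, this may delete the context on error.  RFC 2744 leaves
 * that choice to the implementation, so here it is a parameter. */
static int init_step(ctx_t *handle, int fail_at_round, int delete_on_error) {
    if (*handle == NO_CONTEXT) {
        *handle = &pool[next_ctx++ % 16];
        (*handle)->round = 0;
        (*handle)->live = 1;
    }
    if (++(*handle)->round == fail_at_round) {
        if (delete_on_error) { (*handle)->live = 0; *handle = NO_CONTEXT; }
        return ST_FAILURE;
    }
    return (*handle)->round < 3 ? ST_CONTINUE : ST_COMPLETE;
}

/* Returns 1 if the caller deleted a context that was already deleted. */
static int delete_ctx(ctx_t *handle) {
    if (*handle == NO_CONTEXT) return 0;          /* nothing to delete */
    int stale = !(*handle)->live;
    (*handle)->live = 0;
    *handle = NO_CONTEXT;
    return stale;
}

/* Drive a three-round exchange that fails at fail_at_round (0 = no failure).
 * use_copy: pass a copy of the handle to init_step() after the first round.
 * sync_copy: copy the result back into the original after every call.
 * Returns 1 when the final cleanup hit a stale handle (the bug from the post). */
int run_exchange(int fail_at_round, int delete_on_error, int use_copy, int sync_copy) {
    ctx_t ctx = NO_CONTEXT;
    int st = init_step(&ctx, fail_at_round, delete_on_error);
    while (st == ST_CONTINUE) {
        if (!use_copy) { st = init_step(&ctx, fail_at_round, delete_on_error); continue; }
        ctx_t copy = ctx;                          /* caller-side copy of the handle */
        st = init_step(&copy, fail_at_round, delete_on_error);
        if (sync_copy) ctx = copy;                 /* keep every copy current, success or failure */
    }
    return delete_ctx(&ctx);                       /* cleanup always uses the original handle */
}
```

Only the combination of a copied handle, a mechanism that deletes on error, and no copy-back produces a stale delete; the same-pointer pattern is safe whichever behaviour the implementation chose.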

