exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MIT krb5 Security Advisory 2014-001

MIT krb5 Security Advisory 2014-001
Posted Aug 9, 2014
Site web.mit.edu

MIT krb5 Security Advisory 2014-001 - In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause it to perform an out-of-bounds write (buffer overflow). This is not a protocol vulnerability. Using LDAP for the KDC database is a non-default configuration for the KDC.

tags | advisory, remote, overflow, protocol
advisories | CVE-2014-4345
SHA-256 | bae8ba206013d74a29880ba20751b206d092a9d7228d613cff50af35cbe8b9a7

MIT krb5 Security Advisory 2014-001

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

MITKRB5-SA-2014-001

MIT krb5 Security Advisory 2014-001
Original release: 2014-08-07
Last update: 2014-08-07

Topic: Buffer overrun in kadmind with LDAP backend

CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 8.5

Access Vector: Network
Access Complexity: Medium
Authentication: Single
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

CVSSv2 Temporal Score: 6.7

Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY
=======

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overflow). This is not a protocol
vulnerability. Using LDAP for the KDC database is a non-default
configuration for the KDC.

IMPACT
======

Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary exploits
must be tailored to the individual application and are usually quite
complicated. Depending on the allocated length of the array, an
out-of-bounds write may also cause a segmentation fault and/or
application crash.

AFFECTED SOFTWARE
=================

* The kadmind daemon from MIT krb5 releases 1.6 to 1.12.2, when
configured to use the LDAP backend for the KDB, is vulnerable.
Releases of MIT krb5 prior to 1.6 did not provide the ability to use
LDAP for the KDB backend.

FIXES
=====

* Workaround: disable or restrict access to kadmind until a patched
version can be installed. This will prevent principal creation,
password changes, keytab updates, and other administrative operations.

* The krb5-1.12.2 and krb5-1.11.6 releases will contain a fix for this
vulnerability.

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ce851ea..df5934c 100644
- --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
j++;
last = i + 1;

- - currkvno = key_data[i].key_data_kvno;
+ if (i < n_key_data - 1)
+ currkvno = key_data[i + 1].key_data_kvno;
}
}
ret[num_versions] = NULL;

This patch is also available at

http://web.mit.edu/kerberos/advisories/2014-001-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2014-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2014-4345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4345

ACKNOWLEDGMENTS
===============

This off-by-one error was reported by Tomas Kuthan as github pull
request #181 and recognized as a vulnerability by Greg Hudson.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/C436A9C6 2014-01-07 [expires: 2015-02-01]
Key fingerprint = 1849 02FF 0CA8 A385 F28D 2E7E 2AF0 C1EA C436 A9C6
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

The 'cpw -keepold' functionality allows for the existing keys to be
retained at password-change (or keytab-change) time, instead of being
discarded as usual. An array must be allocated to store all the old
keys, as well as the new keys and a NULL terminator. In normal
operation, all the keys for a single kvno will share an array slot. An
off-by-one error while copying key information to the new array results
in keys sharing a common kvno being written to different array buckets,
with the first key of a kvno betting a single bucket, and the remaining
keys getting the next bucket. After sufficient iterations, the extra
writes extend past the end of the (NULL-terminated) array. The NULL
terminator is always written after the end of the loop, so no
out-of-bounds data is read, it is only written.

REVISION HISTORY
================

2014-08-07 original release

Copyright (C) 2014 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGgBAEBCAAGBQJT4/duAAoJECjZpvNk63USrnQMH2t7UgKODNopFrkpAU7Tn0LH
NFhMSHGLbAe6+K/wcvqlmuNI1lvcqTGu8/U2cIOw+E4m+MiUpR8gFQd5UP8+wnpJ
mCGhKdvCSgYnxoru06NSvisF4fAm8qij5WSEA7/CSqOSCmAVsM8VOt/nom+0tZUw
3u7dxfGpvmLEBBNlXiuukHmT7HQvQomqltbwUyyBuBp8S07G1tCWQr5Ei+aUnM5l
vxSoS50ek28nd9TfGEQ3hTYpwQEJw9WVWM4AZG7HDVuEhdexI5RD0r6aE2Tq3Tnp
01htIs9XQxcepV3L84P4F0WXW1rCQjnErTf0ywzFL9sUOzT7CiBQIaJ0m/nWRkz/
UVubpezV8njZ65tCoWX/GYdhwUgc09LMI0GDdBZ5TPmWvpQp7REwFMYVBLjNg/7S
qYzXl8X5jRABUJQxga+G3XenFP+vKIvS4DqqHT3gn7GNdwER4EWl5NAaaNc7yzAN
6g+13gyJcLOiSmT4p3pnCU8bRSHGKj3DnulyyiCj9coxbPc=
=GLjL
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close