SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   Kerberos Vendors:   MIT
MIT Kerberos Buffer Overflow in kadmind with LDAP Backend Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1030705
SecurityTracker URL:  http://securitytracker.com/id/1030705
CVE Reference:   CVE-2014-4345   (Links to External Site)
Date:  Aug 11 2014
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5-1.6 to 5-1.12.2
Description:   A vulnerability was reported in MIT Kerberos. A remote authenticated user can execute arbitrary code on the target system.

On systems where kadmind uses LDAP for the KDC database, a remote authenticated user can send specially crafted data to trigger an off-by-one buffer overflow in kadmind and potentially execute arbitrary code on the target system.

The krb5_encode_krbsecretkey() function is affected.

Tomas Kuthan and Greg Hudson reported this vulnerability.

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix (krb5-1.11.6, krb5-1.12.2).

A patch is also available.

The vendor's advisory is available at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2014-001.txt

Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2014-001.txt (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 17 2014 (Red Hat Issues Fix) MIT Kerberos Buffer Overflow in kadmind with LDAP Backend Lets Remote Authenticated Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Oct 14 2014 (Red Hat Issues Fix) MIT Kerberos Buffer Overflow in kadmind with LDAP Backend Lets Remote Authenticated Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Enterprise Linux 6.



 Source Message Contents

Date:  Mon, 11 Aug 2014 20:13:37 +0000
Subject:  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2014-001.txt


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

MITKRB5-SA-2014-001

MIT krb5 Security Advisory 2014-001
Original release: 2014-08-07
Last update: 2014-08-07

Topic: Buffer overrun in kadmind with LDAP backend

CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      8.5

Access Vector:          Network
Access Complexity:      Medium
Authentication:         Single
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.7

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overflow).  This is not a protocol
vulnerability.  Using LDAP for the KDC database is a non-default
configuration for the KDC.

IMPACT
======

Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary exploits
must be tailored to the individual application and are usually quite
complicated.  Depending on the allocated length of the array, an
out-of-bounds write may also cause a segmentation fault and/or
application crash.

AFFECTED SOFTWARE
=================

* The kadmind daemon from MIT krb5 releases 1.6 to 1.12.2, when
  configured to use the LDAP backend for the KDB, is vulnerable.
  Releases of MIT krb5 prior to 1.6 did not provide the ability to use
  LDAP for the KDB backend.

FIXES
=====

* Workaround: disable or restrict access to kadmind until a patched
  version can be installed.  This will prevent principal creation,
  password changes, keytab updates, and other administrative operations.

* The krb5-1.12.2 and krb5-1.11.6 releases will contain a fix for this
  vulnerability.

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ce851ea..df5934c 100644
- --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
             j++;
             last = i + 1;

- -            currkvno = key_data[i].key_data_kvno;
+            if (i < n_key_data - 1)
+                currkvno = key_data[i + 1].key_data_kvno;
         }
     }
     ret[num_versions] = NULL;

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2014-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2014-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2014-4345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4345

ACKNOWLEDGMENTS
===============

This off-by-one error was reported by Tomas Kuthan as github pull
request #181 and recognized as a vulnerability by Greg Hudson.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/C436A9C6 2014-01-07 [expires: 2015-02-01]
      Key fingerprint = 1849 02FF 0CA8 A385 F28D  2E7E 2AF0 C1EA C436 A9C6
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

The 'cpw -keepold' functionality allows for the existing keys to be
retained at password-change (or keytab-change) time, instead of being
discarded as usual.  An array must be allocated to store all the old
keys, as well as the new keys and a NULL terminator.  In normal
operation, all the keys for a single kvno will share an array slot.  An
off-by-one error while copying key information to the new array results
in keys sharing a common kvno being written to different array buckets,
with the first key of a kvno betting a single bucket, and the remaining
keys getting the next bucket.  After sufficient iterations, the extra
writes extend past the end of the (NULL-terminated) array.  The NULL
terminator is always written after the end of the loop, so no
out-of-bounds data is read, it is only written.

REVISION HISTORY
================

2014-08-07      original release

Copyright (C) 2014 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGgBAEBCAAGBQJT4/duAAoJECjZpvNk63USrnQMH2t7UgKODNopFrkpAU7Tn0LH
NFhMSHGLbAe6+K/wcvqlmuNI1lvcqTGu8/U2cIOw+E4m+MiUpR8gFQd5UP8+wnpJ
mCGhKdvCSgYnxoru06NSvisF4fAm8qij5WSEA7/CSqOSCmAVsM8VOt/nom+0tZUw
3u7dxfGpvmLEBBNlXiuukHmT7HQvQomqltbwUyyBuBp8S07G1tCWQr5Ei+aUnM5l
vxSoS50ek28nd9TfGEQ3hTYpwQEJw9WVWM4AZG7HDVuEhdexI5RD0r6aE2Tq3Tnp
01htIs9XQxcepV3L84P4F0WXW1rCQjnErTf0ywzFL9sUOzT7CiBQIaJ0m/nWRkz/
UVubpezV8njZ65tCoWX/GYdhwUgc09LMI0GDdBZ5TPmWvpQp7REwFMYVBLjNg/7S
qYzXl8X5jRABUJQxga+G3XenFP+vKIvS4DqqHT3gn7GNdwER4EWl5NAaaNc7yzAN
6g+13gyJcLOiSmT4p3pnCU8bRSHGKj3DnulyyiCj9coxbPc=
=GLjL
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC