[3.1] krb5: multiple vulnerabilities (CVE-2015-2694, CVE-2015-2695, CVE-2015-2696, CVE-2015-2697)
CVE-2015-2694: requires_preauth bypass in PKINIT-enabled KDC
In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal’s long-term key. This ciphertext could be
used to conduct an off-line dictionary attack against the user’s
password.
This was fixed in 1.13.2.
References:
https://github.com/krb5/krb5/commit/df8afc60d970a7176a55ffe7ce21cfd57ba423cd
http://krbdev.mit.edu/rt/NoAuth/krb5-1.13/fixed-1.13.2.html
http://web.mit.edu/kerberos/krb5-1.13/
CVE-2015-2695: SPNEGO context aliasing bugs
In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context(). Java server
applications using the native JGSS provider are vulnerable to this
bug. A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2695
https://github.com/krb5/krb5/commit/222b09f6e2f536354555f2a0dedfe29fc10c01d6
CVE-2015-2696: IAKERB context aliasing flaw
In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. Java server applications using the
native JGSS provider are vulnerable to this bug. A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2696
https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
CVE-2015-2697: invalid string processing
In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte. If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm. Due to a bug in this
function, the null byte causes only one byte to be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2697
https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
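As an added illustration (not code from krb5 or from this advisory), the C block below models the bug class described for CVE-2015-2697: a length-counted realm whose first byte is NUL is copied with a C-string routine, so the allocation holds a single byte while the recorded length still claims the full size, and any later code that trusts the recorded length reads past the allocation. That a strdup-style copy is the mechanism is an assumption; the advisory states only the resulting one-byte allocation. The names realm_data, copy_realm_cstring, copy_realm_counted, cstring_visible_length and realm_is_cstring_safe are hypothetical. The block shows the mismatch a caller can detect before it becomes an out-of-bounds read, and the length-aware copy that avoids it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal length-counted buffer, shaped like the explicit-length data
 * buffers Kerberos uses for realms and principal components. Constructed
 * for this illustration; not the krb5 type. */
typedef struct {
    char *data;
    size_t length;
} realm_data;

/* The flawed pattern: copy the realm with a C-string routine (strdup stops
 * at the first NUL byte) but record the caller-supplied length. For a realm
 * that begins with NUL, strdup allocates one byte while .length still claims
 * the full size. Assumed mechanism for the bug class; the advisory states
 * only the one-byte allocation that results. */
static realm_data copy_realm_cstring(const char *realm, size_t rlen) {
    realm_data r;
    r.data = strdup(realm);  /* allocates strlen(realm) + 1 bytes */
    r.length = rlen;         /* may be far larger than the allocation */
    return r;
}

/* The corrected pattern: size the allocation from the declared length,
 * copy exactly that many bytes regardless of embedded NULs, and add a
 * terminator so the buffer is also usable where a C string is expected. */
static realm_data copy_realm_counted(const char *realm, size_t rlen) {
    realm_data r;
    r.data = malloc(rlen + 1);
    if (r.data == NULL) {
        r.length = 0;
        return r;
    }
    memcpy(r.data, realm, rlen);
    r.data[rlen] = '\0';
    r.length = rlen;
    return r;
}

/* Number of bytes a C-string copy would actually preserve for this realm
 * (excluding the terminator): the offset of the first NUL, or rlen if
 * there is none. A value below rlen is the length mismatch to look for. */
static size_t cstring_visible_length(const char *realm, size_t rlen) {
    const void *nul = memchr(realm, '\0', rlen);
    return nul ? (size_t)((const char *)nul - realm) : rlen;
}

/* Defensive check: length-counted protocol data may be handed to C-string
 * routines only if it contains no NUL within its declared length. */
static bool realm_is_cstring_safe(const char *realm, size_t rlen) {
    return memchr(realm, '\0', rlen) == NULL;
}

static void free_realm(realm_data *r) {
    free(r->data);
    r->data = NULL;
    r->length = 0;
}

int main(void) {
    /* Constructed sample: a 13-byte realm whose first byte is NUL. */
    const char realm[] = "\0EXAMPLE.TEST";
    size_t rlen = sizeof(realm) - 1;

    printf("declared length %zu, C-string copy keeps %zu byte(s), safe=%d\n",
           rlen, cstring_visible_length(realm, rlen),
           realm_is_cstring_safe(realm, rlen));

    realm_data buggy = copy_realm_cstring(realm, rlen);
    printf("strdup-style copy: strlen=%zu but recorded length=%zu\n",
           strlen(buggy.data), buggy.length);
    free_realm(&buggy);

    realm_data good = copy_realm_counted(realm, rlen);
    printf("length-aware copy: recorded length=%zu, byte[1]='%c'\n",
           good.length, good.data[1]);
    free_realm(&good);
    return 0;
}
```

The check in realm_is_cstring_safe is the review point wherever length-counted protocol data crosses into C-string APIs: either reject embedded NULs up front, or size every allocation from the declared length rather than from strlen, and never let a recorded length outrun the allocation it describes.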
(from redmine: issue id 4837, created on 2015-11-09, closed on 2015-12-09)
- Relations:
- parent #4834 (closed)
- Changesets:
- Revision f9f0307c by Christian Kampka on 2015-12-02T15:04:06Z:
main/krb5: security fixes (CVE-2015-2694, CVE-2015-2695, CVE-2015-2696, CVE-2015-2697)
fixes: #4837