RT/krbdev.mit.edu: Ticket #7570 PKINIT null pointer deref [CVE-2013-1415]
The Basics
Id: 7570
Status: review
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component:
Version_reported:
Version_Fixed: 1.11.1
Target_Version: 1.11.1
Tags: pullup

Relationships
Depends on:
Depended on by:
Parents:
Children:
Refers to:
Referred to by:
  • 7577: (tlyu) PKINIT null pointer deref [CVE-2013-1415] [resolved]
  • 7619: (tlyu) PKINIT null pointer deref [CVE-2013-1415] [resolved]
Dates
Created: Fri Feb 15 14:29:07 2013
Starts: Not set
Started: Fri Feb 15 14:29:09 2013
Last Contact: Tue Feb 19 15:45:37 2013
Due: Not set
Updated: Mon Feb 25 17:40:45 2013 by kaduk@MIT.EDU

People
Owner: kaduk@MIT.EDU
Requestors: kaduk@MIT.EDU
Cc:
AdminCc:


History
Fri Feb 15 14:29:08 2013  kaduk@MIT.EDU - Ticket created

From: kaduk@MIT.EDU
Subject: SVN Commit

PKINIT null pointer deref [CVE-2013-1415]

Don't dereference a null pointer when cleaning up.

The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process.  An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.

CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C

This is a minimal commit for pullup; style fixes in a followup.
[kaduk@mit.edu: reformat and edit commit message]

https://github.com/krb5/krb5/commit/c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
Author: Xi Wang <xi.wang@gmail.com>
Committer: Ben Kaduk <kaduk@mit.edu>
Commit: c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
Branch: master
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)


Fri Feb 15 14:29:09 2013  kaduk@MIT.EDU - Requestor kaduk@MIT.EDU added
Fri Feb 15 14:29:09 2013  kaduk@MIT.EDU - Status changed from new to review
Fri Feb 15 14:29:10 2013  kaduk@MIT.EDU - Tags pullup added
Fri Feb 15 14:29:10 2013  kaduk@MIT.EDU - Target_Version 1.11.1 added
Fri Feb 15 14:30:54 2013  kaduk@MIT.EDU - Comments added

This bug has been present since the initial import of PKINIT for 1.6.3; all later
releases are affected.

In particular, we should pull this up to 1.10 and 1.9 at least.


Tue Feb 19 15:45:36 2013  tlyu - Status changed from review to resolved
Tue Feb 19 15:45:36 2013  tlyu - Version_Fixed 1.11.1 added
Tue Feb 19 15:45:36 2013  tlyu - Correspondence added

From: tlyu@mit.edu
Subject: SVN Commit


PKINIT null pointer deref [CVE-2013-1415]

Don't dereference a null pointer when cleaning up.

The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process.  An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.

CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C

This is a minimal commit for pullup; style fixes in a followup.
[kaduk@mit.edu: reformat and edit commit message]

(cherry picked from commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed)

https://github.com/krb5/krb5/commit/f249555301940c6df3a2cdda13b56b5674eebc2e
Author: Xi Wang <xi.wang@gmail.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: f249555301940c6df3a2cdda13b56b5674eebc2e
Branch: krb5-1.11
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)


Mon Feb 25 17:40:43 2013  kaduk@MIT.EDU - Status changed from resolved to review
Mon Feb 25 17:40:44 2013  kaduk@MIT.EDU - Comments added

The detailed analysis:

The process_as_req() function in the KDC has support for pluggable
modules that implement various types of preauthentication.  The PKINIT
preauthentication module (using public key cryptography for initial
authentication) is part of the MIT krb5 source distribution, and is
compiled by default when a usable cryptography backend is present.
Before the PKINIT module will be used in AS_REQ processing, it must
be configured in the KDC configuration profile (e.g., kdc.conf).
When processing an AS_REQ of type KRB5_PADATA_PK_AS_REQ, the KDC
performs initial validation of the request, checking the Diffie-Hellman
parameters and verifying the authenticator checksum before proceeding
to check that a KDC public key ID is present and matches the KDC
configuration.  During the process of checking for a KDC public key ID,
the KDC must extract an issuer and serial number from the client-supplied
X.509 certificate.  If this extraction fails, a null pointer is returned
which the server detects as an error, and the server proceeds to its
cleanup code, which deallocates memory that was allocated to process the
request.  This cleanup code unconditionally dereferences the pointer
holding the issuer and serial number information, which is a null pointer
in this error case.  This potential for null pointer dereference has
been present since the introduction of the PKINIT code, in krb5-1.6.3.

The vulnerable code executes after substantial validation and processing
of the request, so an attacker must be able to successfully perform
PKINIT preauthentication or observe or modify a valid preauthentication
attempt.
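The defect class described in the analysis above, as an added example that is not the krb5 project's code: a hypothetical extractor returns NULL on malformed input, the check path terminates early by jumping to its cleanup label, and the cleanup tolerates NULL, which is the guard the vulnerable cleanup lacked. The `issuer_serial` type, `extract_issuer_serial`, `check_kdc_pkid` and the constructed `issuer;serial` input format are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the certificate's issuer/serial pair (not krb5's types). */
typedef struct { char *issuer; char *serial; } issuer_serial;

static char *dup_range(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p != NULL) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

/* Hardened cleanup: the NULL produced by a failed extraction is tolerated. The
 * vulnerable cleanup dereferenced is->issuer and is->serial unconditionally. */
static void free_issuer_serial(issuer_serial *is)
{
    if (is == NULL) return;
    free(is->issuer); free(is->serial); free(is);
}

/* Extract "issuer;serial" from a constructed client-supplied string; returns
 * NULL on malformed input, mirroring the failed extraction in the analysis. */
static issuer_serial *extract_issuer_serial(const char *input)
{
    const char *sep = (input != NULL) ? strchr(input, ';') : NULL;
    issuer_serial *is;
    if (sep == NULL || sep == input || sep[1] == '\0')
        return NULL;                      /* no issuer or no serial present */
    if ((is = calloc(1, sizeof(*is))) == NULL)
        return NULL;
    is->issuer = dup_range(input, (size_t)(sep - input));
    is->serial = dup_range(sep + 1, strlen(sep + 1));
    if (is->issuer != NULL && is->serial != NULL)
        return is;
    free_issuer_serial(is);               /* release the partial allocation */
    return NULL;
}

/* Check path: 0 if the serial matches the configured one, 1 if not, -1 on
 * malformed input. Every exit, including the early one, runs the cleanup. */
static int check_kdc_pkid(const char *client_input, const char *configured_serial)
{
    int ret = -1;
    issuer_serial *is = extract_issuer_serial(client_input);
    if (is == NULL)
        goto cleanup;                     /* early termination on malformed input */
    ret = (strcmp(is->serial, configured_serial) == 0) ? 0 : 1;
cleanup:
    free_issuer_serial(is);               /* safe even when is == NULL */
    return ret;
}
```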