RT/krbdev.mit.edu: Ticket #7949 Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]

 The Basics  
Id
7949
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Version_reported
Version_Fixed
  • 1.12.2
Target_Version
  • 1.12.2
Tags
  • pullup
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Thu Jun 26 12:01:06 2014
Starts: Not set
Started: Thu Jun 26 12:01:06 2014
Last Contact: Not set
Due: Not set
Updated: Fri Jun 27 14:52:44 2014 by tlyu
 

 People  
Owner
 tlyu
Requestors
 tlyu@mit.edu
Cc
 
AdminCc
 
 


History
      Thu Jun 26 12:01:06 2014  tlyu - Ticket created    
     
From: tlyu@mit.edu
Subject: git commit


Handle invalid RFC 1964 tokens [CVE-2014-4341...]

Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:

* An RFC 1964 token being processed by an RFC 4121-only context
  [CVE-2014-4342]

* A header with fewer than 22 bytes after the token ID or an
  incomplete checksum [CVE-2014-4341 CVE-2014-4342]

* A ciphertext shorter than the confounder [CVE-2014-4341]

* A declared padding length longer than the plaintext [CVE-2014-4341]

If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.

CVE-2014-4341:

In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

CVE-2014-4342:

In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

[tlyu@mit.edu: CVE summaries, CVSS]

https://github.com/krb5/krb5/commit/fb99962cbd063ac04c9a9d2cc7c75eab73f3533d
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: fb99962cbd063ac04c9a9d2cc7c75eab73f3533d
Branch: master
 src/lib/gssapi/krb5/k5unseal.c    |   41 +++++++++++++++++++++++++++++-------
 src/lib/gssapi/krb5/k5unsealiov.c |    9 +++++++-
 2 files changed, 41 insertions(+), 9 deletions(-)


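Added example, not krb5 code and not part of this ticket: a minimal RFC 1964 Wrap-token unwrap in C that applies the four checks listed in the commit message above and the rule of still computing the checksum after a bad pad byte. Everything in it is an assumption of the example rather than the library's API: the names toy_ctx, toy_wrap, toy_unwrap, toy_cksum and toy_selftest; a one-byte-keyed XOR checksum standing in for DES-MAC-MD5; a SEAL_ALG of ffff, so the payload is in the clear and there is no decryption step; a zero SND_SEQ that is not verified; the constructed "hello" message; and the OR-accumulating checksum compare, which is this example's choice and not something the commit describes. The field sizes (TOK_ID 2, SGN_ALG 2, SEAL_ALG 2, Filler 2, SND_SEQ 8, an 8-byte SGN_CKSUM for the DES checksum algorithms, an 8-byte confounder, 1 to 8 pad bytes each equal to the pad length) follow RFC 1964.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CONFOUNDER_LEN 8
#define CKSUM_LEN      8   /* SGN_CKSUM length for the DES checksum algs */
#define HDR_LEN        8   /* TOK_ID(2) SGN_ALG(2) SEAL_ALG(2) Filler(2) */
#define MIN_BODY       (14 + CKSUM_LEN)  /* SGN_ALG..SND_SEQ plus checksum: 22 bytes after TOK_ID */

enum { PROTO_1964 = 0, PROTO_4121 = 1 };
enum { UNWRAP_OK = 0, UNWRAP_DEFECTIVE_TOKEN = 1, UNWRAP_BAD_SIG = 2 };
struct toy_ctx { int proto; uint8_t key; };  /* stand-in for the GSS context */
/* Toy keyed checksum over (8-byte header || plaintext); stands in for DES-MAC-MD5. */
static void toy_cksum(uint8_t key, const uint8_t *hdr, const uint8_t *pt,
                      size_t ptlen, uint8_t out[CKSUM_LEN])
{
    for (size_t i = 0; i < CKSUM_LEN; i++)
        out[i] = key ^ hdr[i];
    for (size_t i = 0; i < ptlen; i++)
        out[i % CKSUM_LEN] ^= (uint8_t)(pt[i] + i);
}

/* Build a well-formed token: header, zero SND_SEQ, checksum, confounder, data,
 * then 1..8 pad bytes each equal to the pad length. Returns the token length. */
size_t toy_wrap(const struct toy_ctx *c, const uint8_t *data, size_t datalen,
                uint8_t *tok, size_t tokcap)
{
    size_t padlen = CONFOUNDER_LEN - (datalen % CONFOUNDER_LEN);
    size_t ptlen = CONFOUNDER_LEN + datalen + padlen;
    uint8_t *pt;
    if (2 + MIN_BODY + ptlen > tokcap)
        return 0;
    memcpy(tok, "\x02\x01\x00\x00\xff\xff\xff\xff", HDR_LEN); /* DES-MAC-MD5, no seal */
    memset(tok + HDR_LEN, 0, 8);              /* SND_SEQ, not modelled here */
    pt = tok + 2 + MIN_BODY;
    memset(pt, 0xAA, CONFOUNDER_LEN);         /* constructed confounder */
    memcpy(pt + CONFOUNDER_LEN, data, datalen);
    memset(pt + CONFOUNDER_LEN + datalen, (int)padlen, padlen);
    toy_cksum(c->key, tok, pt, ptlen, tok + HDR_LEN + 8);
    return 2 + MIN_BODY + ptlen;
}

int toy_unwrap(const struct toy_ctx *c, const uint8_t *tok, size_t toklen,
               const uint8_t **data, size_t *datalen)
{
    const uint8_t *pt;
    size_t ptlen, padlen;
    uint8_t calc[CKSUM_LEN], diff = 0;
    int bad_pad;
    if (c->proto != PROTO_1964)   /* RFC 1964 token on an RFC 4121-only context */
        return UNWRAP_DEFECTIVE_TOKEN;
    /* TOK_ID 02 01 with at least 22 bytes after it, else every read below would
     * run off the end of the buffer; Filler must be ff ff. */
    if (toklen < 2 + MIN_BODY || tok[0] != 0x02 || tok[1] != 0x01 ||
        tok[6] != 0xff || tok[7] != 0xff)
        return UNWRAP_DEFECTIVE_TOKEN;
    pt = tok + 2 + MIN_BODY;
    ptlen = toklen - 2 - MIN_BODY;
    if (ptlen < CONFOUNDER_LEN)   /* payload shorter than the confounder */
        return UNWRAP_DEFECTIVE_TOKEN;
    /* The declared pad must fit in the bytes after the confounder, or ptlen - padlen
     * underflows. A bad pad is remembered, not returned: the checksum is still computed. */
    padlen = pt[ptlen - 1];
    bad_pad = (padlen < 1 || padlen > 8 || padlen > ptlen - CONFOUNDER_LEN);
    if (bad_pad)
        padlen = 0;   /* keep the loop and the length math in bounds */
    for (size_t i = 0; i < padlen; i++)
        bad_pad |= (pt[ptlen - 1 - i] != padlen);
    toy_cksum(c->key, tok, pt, ptlen, calc);
    for (size_t i = 0; i < CKSUM_LEN; i++)   /* OR-accumulate: no early exit on mismatch */
        diff |= calc[i] ^ tok[HDR_LEN + 8 + i];
    if (diff != 0 || bad_pad)   /* a bad pad is a bad checksum, even when the bytes match */
        return UNWRAP_BAD_SIG;
    *data = pt + CONFOUNDER_LEN;
    *datalen = ptlen - CONFOUNDER_LEN - padlen;
    return UNWRAP_OK;
}

/* Walk the accepted case and each rejected case; returns how many misbehaved. */
int toy_selftest(void)
{
    struct toy_ctx c = { PROTO_1964, 0x5A }, c4121 = { PROTO_4121, 0x5A };
    uint8_t tok[64];
    const uint8_t *d;
    size_t dl, n = toy_wrap(&c, (const uint8_t *)"hello", 5, tok, sizeof tok);
    int bad = (n != 40);
    bad += (toy_unwrap(&c, tok, n, &d, &dl) != UNWRAP_OK || dl != 5 || memcmp(d, "hello", 5));
    bad += (toy_unwrap(&c4121, tok, n, &d, &dl) != UNWRAP_DEFECTIVE_TOKEN);
    bad += (toy_unwrap(&c, tok, 20, &d, &dl) != UNWRAP_DEFECTIVE_TOKEN); /* 18 bytes after TOK_ID */
    bad += (toy_unwrap(&c, tok, 31, &d, &dl) != UNWRAP_DEFECTIVE_TOKEN); /* 7-byte payload */
    tok[32] ^= 0x01;                                   /* flipped data byte: checksum mismatch */
    bad += (toy_unwrap(&c, tok, n, &d, &dl) != UNWRAP_BAD_SIG);
    tok[39] = 200;                                     /* pad longer than the 16-byte payload... */
    toy_cksum(c.key, tok, tok + 24, 16, tok + 16);     /* ...but with a checksum that matches */
    bad += (toy_unwrap(&c, tok, n, &d, &dl) != UNWRAP_BAD_SIG);
    return bad;
}

int main(void) { return toy_selftest(); }
```

toy_selftest walks the cases the commit message names: an RFC 1964 token handed to a PROTO_4121 context, a token cut to 18 bytes after TOK_ID, a token whose payload is only 7 bytes, and a token whose last byte declares a 200-byte pad but whose checksum has been recomputed so that it matches. The last case must come back as a bad checksum rather than success, and it must not come back early, which is why the pad verdict is parked in bad_pad and the checksum is computed regardless; returning before the checksum pass would let an attacker distinguish "bad pad" from "bad checksum" by timing, the padding oracle the commit avoids. The process exit status is the number of cases that misbehaved, so 0 means all checks held.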
      Thu Jun 26 12:01:06 2014  tlyu - Requestor tlyu@mit.edu added    
      Thu Jun 26 12:01:06 2014  tlyu - Status changed from new to review    
      Thu Jun 26 12:01:06 2014  tlyu - Tags pullup added    
      Thu Jun 26 12:01:07 2014  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Add tests for invalid GSSAPI per-message tokens

https://github.com/krb5/krb5/commit/7a9990d73537dcdd95bf9b280ebfd560adf8342d
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 7a9990d73537dcdd95bf9b280ebfd560adf8342d
Branch: master
 .gitignore                            |    1 +
 src/lib/gssapi/libgssapi_krb5.exports |    1 +
 src/tests/gssapi/Makefile.in          |   17 +-
 src/tests/gssapi/deps                 |   18 ++
 src/tests/gssapi/t_invalid.c          |  429 +++++++++++++++++++++++++++++++++
 5 files changed, 459 insertions(+), 7 deletions(-)


      Thu Jun 26 12:01:28 2014  tlyu - Target_Version 1.12.2 added    
      Fri Jun 27 14:52:05 2014  tlyu - Status changed from review to resolved    
      Fri Jun 27 14:52:05 2014  tlyu - Version_Fixed 1.12.2 added    
      Fri Jun 27 14:52:05 2014  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Handle invalid RFC 1964 tokens [CVE-2014-4341...]

Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:

* An RFC 1964 token being processed by an RFC 4121-only context
  [CVE-2014-4342]

* A header with fewer than 22 bytes after the token ID or an
  incomplete checksum [CVE-2014-4341 CVE-2014-4342]

* A ciphertext shorter than the confounder [CVE-2014-4341]

* A declared padding length longer than the plaintext [CVE-2014-4341]

If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.

CVE-2014-4341:

In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

CVE-2014-4342:

In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

[tlyu@mit.edu: CVE summaries, CVSS]

(cherry picked from commit fb99962cbd063ac04c9a9d2cc7c75eab73f3533d)

https://github.com/krb5/krb5/commit/e6ae703ae597d798e310368d52b8f38ee11c6a73
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: e6ae703ae597d798e310368d52b8f38ee11c6a73
Branch: krb5-1.12
 src/lib/gssapi/krb5/k5unseal.c    |   41 +++++++++++++++++++++++++++++-------
 src/lib/gssapi/krb5/k5unsealiov.c |    9 +++++++-
 2 files changed, 41 insertions(+), 9 deletions(-)


      Fri Jun 27 14:52:44 2014  tlyu - Comments added    
     
Test case omitted from pullup due to the patch changing an exports file.

