RT/krbdev.mit.edu: Ticket #7969 Double-free in initiator during SPNEGO renegotiation [CVE-2014-4343]
The Basics
Id: 7969
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component:
Version_reported:
Version_Fixed: 1.12.2
Target_Version: 1.12.2
Tags: pullup

Relationships
Depends on:
Depended on by:
Parents:
Children:
Refers to:
Referred to by:
Dates
Created: Mon Jul 21 13:04:21 2014
Starts: Not set
Started: Mon Jul 21 13:04:22 2014
Last Contact: Mon Jul 21 18:33:47 2014
Due: Not set
Updated: Mon Jul 21 18:33:47 2014 by tlyu
 

People
Owner: ghudson
Requestors: ghudson@mit.edu
Cc:
AdminCc:

History
Mon Jul 21 13:04:21 2014  ghudson - Ticket created
From: ghudson@mit.edu
Subject: git commit


Fix double-free in SPNEGO [CVE-2014-4343]

In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements,
which should be considered constant for the duration of the SPNEGO
context.  So don't free it.

CVE-2014-4343:

In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a
different underlying mechanism than was proposed by the initiator.  At
this stage of the negotiation, the acceptor is unauthenticated, and
the acceptor's response could be spoofed by an attacker with the
ability to inject traffic to the initiator.

Historically, some double-free vulnerabilities can be translated into
remote code execution, though the necessary exploits must be tailored
to the individual application and are usually quite
complicated. Double-frees can also be exploited to cause an
application crash, for a denial of service.  However, most GSSAPI
client applications are not vulnerable, as the SPNEGO mechanism is not
used by default (when GSS_C_NO_OID is passed as the mech_type argument
to gss_init_sec_context()).  The most common use of SPNEGO is for
HTTP-Negotiate, used in web browsers and other web clients.  Most such
clients are believed to not offer HTTP-Negotiate by default, instead
requiring a whitelist of sites for which it may be used to be
configured.  If the whitelist is configured to only allow
HTTP-Negotiate over TLS connections ("https://"), a successful
attacker must also spoof the web server's SSL certificate, due to the
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
response message.  Unfortunately, many instructions for enabling
HTTP-Negotiate in common web browsers do not include a TLS
requirement.

    CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

[kaduk@mit.edu: CVE summary and CVSSv2 vector]

https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f
Author: David Woodhouse <David.Woodhouse@intel.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: f18ddf5d82de0ab7591a36e465bc24225776940f
Branch: master
 src/lib/gssapi/spnego/spnego_mech.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)
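The ownership mistake the commit message describes, as an added C model that is not krb5 code: the names mech_set and internal_mech follow the message, the structs are simplified stand-ins for the GSSAPI OID types, and the free tracker is this example's own device so the pre-fix teardown can be run and counted without corrupting the heap.

```c
#include <stdlib.h>

typedef struct { unsigned char *elements; } oid_desc;          /* stand-in for gss_OID_desc */
typedef struct { size_t count; oid_desc *elements; } oid_set;  /* owns elements[] and their bytes */
typedef struct {
    oid_set *mech_set;        /* owned by the context for its whole lifetime */
    oid_desc *internal_mech;  /* alias into mech_set->elements: borrowed, not owned */
} spnego_ctx;

/* Free tracker (16 slots is enough here): refuses to free a pointer twice and counts the attempts. */
static const void *freed[16];
static size_t nfreed, double_frees;
static void tracked_free(void *p) {
    for (size_t i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }  /* a real free() here is the bug */
    freed[nfreed++] = p;
    free(p);
}

/* Two proposed mechanisms (placeholder bytes); internal_mech aliases into the set, as after cd7d6b08. */
spnego_ctx *ctx_new(size_t chosen) {
    spnego_ctx *sc = calloc(1, sizeof *sc);
    sc->mech_set = calloc(1, sizeof *sc->mech_set);
    sc->mech_set->count = 2;
    sc->mech_set->elements = calloc(2, sizeof(oid_desc));
    for (size_t i = 0; i < 2; i++)
        sc->mech_set->elements[i].elements = calloc(3, 1);
    sc->internal_mech = &sc->mech_set->elements[chosen];
    return sc;
}

/* 1 if internal_mech is borrowed from mech_set: a cheap debug assertion for the invariant the fix relies on. */
int mech_is_alias(const spnego_ctx *sc) {
    for (size_t i = 0; i < sc->mech_set->count; i++)
        if (sc->internal_mech == &sc->mech_set->elements[i]) return 1;
    return 0;
}

/* Teardown; returns the double frees detected. before_fix=1 keeps the line the fix removed. */
size_t ctx_release(spnego_ctx *sc, int before_fix) {
    nfreed = double_frees = 0;
    if (before_fix) tracked_free(sc->internal_mech->elements);  /* releases storage the set also owns */
    for (size_t i = 0; i < sc->mech_set->count; i++)
        tracked_free(sc->mech_set->elements[i].elements);
    tracked_free(sc->mech_set->elements);   /* the alias dies with this array */
    tracked_free(sc->mech_set);
    sc->internal_mech = NULL;
    tracked_free(sc);
    return double_frees;
}
```

ctx_release(ctx, 1) reproduces the removed line and reports one double free, while ctx_release(ctx, 0) is the fixed teardown and reports none.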
Mon Jul 21 13:04:22 2014  ghudson - Requestor ghudson@mit.edu added
Mon Jul 21 13:04:22 2014  ghudson - Status changed from new to review
Mon Jul 21 13:04:22 2014  ghudson - Tags pullup added
Mon Jul 21 13:04:22 2014  ghudson - Target_Version 1.12.2 added
Mon Jul 21 13:04:56 2014  ghudson - Subject changed from Fix double-free in SPNEGO [CVE-2014-4343] to Double-free in initiator during SPNEGO renegotiation [CVE-2014-4343]
Mon Jul 21 18:33:47 2014  tlyu - Status changed from review to resolved
Mon Jul 21 18:33:47 2014  tlyu - Version_Fixed 1.12.2 added
Mon Jul 21 18:33:47 2014  tlyu - Correspondence added
From: tlyu@mit.edu
Subject: git commit


Fix double-free in SPNEGO [CVE-2014-4343]
(cherry picked from commit f18ddf5d82de0ab7591a36e465bc24225776940f)

https://github.com/krb5/krb5/commit/3a3749e219534415d4c9e449d0d08b047325ae89
Author: David Woodhouse <David.Woodhouse@intel.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 3a3749e219534415d4c9e449d0d08b047325ae89
Branch: krb5-1.12
 src/lib/gssapi/spnego/spnego_mech.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)