RT/krbdev.mit.edu: Ticket #7970 NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
The Basics
Id: 7970
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Version_Fixed: 1.12.2
Target_Version: 1.12.2


 Dates  
Created: Mon Jul 21 13:04:23 2014
Starts: Not set
Started: Mon Jul 21 13:04:23 2014
Last Contact: Mon Jul 21 18:33:48 2014
Due: Not set
Updated: Wed Dec 16 18:03:02 2015 by tlyu
 

People
Owner: ghudson
Requestors: ghudson@mit.edu


History
      Mon Jul 21 13:04:23 2014  ghudson - Ticket created    
     
From: ghudson@mit.edu
Subject: git commit


Fix null deref in SPNEGO acceptor [CVE-2014-4344]

When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length.  This could
result in a null dereference.

CVE-2014-4344:

In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token.  This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.

    CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[kaduk@mit.edu: CVE summary, CVSSv2 vector]

https://github.com/krb5/krb5/commit/524688ce87a15fc75f87efc8c039ba4c7d5c197b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 524688ce87a15fc75f87efc8c039ba4c7d5c197b
Branch: master
 src/lib/gssapi/spnego/spnego_mech.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


      Mon Jul 21 13:04:23 2014  ghudson - Requestor ghudson@mit.edu added    
      Mon Jul 21 13:04:23 2014  ghudson - Status changed from new to review    
      Mon Jul 21 13:04:23 2014  ghudson - Tags pullup added    
      Mon Jul 21 13:04:23 2014  ghudson - Target_Version 1.12.2 added    
      Mon Jul 21 18:33:48 2014  tlyu - Status changed from review to resolved    
      Mon Jul 21 18:33:48 2014  tlyu - Version_Fixed 1.12.2 added    
      Mon Jul 21 18:33:48 2014  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Fix null deref in SPNEGO acceptor [CVE-2014-4344]

When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length.  This could
result in a null dereference.

CVE-2014-4344:

In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token.  This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.

    CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[kaduk@mit.edu: CVE summary, CVSSv2 vector]

(cherry picked from commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b)

https://github.com/krb5/krb5/commit/a7886f0ed1277c69142b14a2c6629175a6331edc
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: a7886f0ed1277c69142b14a2c6629175a6331edc
Branch: krb5-1.12
 src/lib/gssapi/spnego/spnego_mech.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


      Wed Dec 16 18:03:02 2015  tlyu - Keyword pullup deleted
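Both commit messages above (the master commit and its krb5-1.12 cherry-pick) describe the same defect in one sentence: acc_ctx_cont read the first byte of a continuation token before checking that the token had any bytes, so an empty second token (length 0, value NULL) dereferenced NULL. The C below is an added illustration of that check and is not krb5 source: struct token, classify_unchecked, classify_checked, der_read_length, sample_result, run_sequence and the sample byte strings are all constructed for this example. The only facts taken from the protocols are the 0x60 tag that opens a GSS-API InitialContextToken (RFC 2743) and the 0xa1 tag that opens a SPNEGO NegTokenResp (RFC 4178).

```c
/* Model of the CVE-2014-4344 check: classify a SPNEGO token handed to the
 * acceptor on a continuation call, rejecting an empty buffer before any byte
 * of it is read.  Added illustration, not krb5 source. */
#include <stddef.h>

/* Stand-in for gss_buffer_desc (layout assumed for this example): a length
 * and a pointer that is NULL when the peer sent an empty token. */
struct token {
    size_t length;
    const unsigned char *value;
};

#define HEADER_ID        0x60  /* [APPLICATION 0]: GSS InitialContextToken (RFC 2743) */
#define NEGTOKENRESP_TAG 0xa1  /* [1] CONSTRUCTED: SPNEGO NegTokenResp (RFC 4178) */

enum token_kind {
    TOKEN_DEFECTIVE    = -1,   /* empty or malformed: GSS_S_DEFECTIVE_TOKEN */
    TOKEN_NEGTOKENRESP =  1,   /* well-formed continuation token */
    TOKEN_GSS_FRAMED   =  2    /* starts with 0x60: raw GSS-framed token */
};

/* Read a DER length (short form, or long form up to 4 bytes) at *pp and
 * advance past it.  Returns -1 if the encoding runs past `end`. */
static int der_read_length(const unsigned char **pp, const unsigned char *end,
                           size_t *out)
{
    const unsigned char *p = *pp;
    size_t len = 0, n, i;
    if (p >= end)
        return -1;
    if ((*p & 0x80) == 0) {
        len = *p++;
    } else {
        n = *p++ & 0x7f;
        if (n == 0 || n > 4 || (size_t)(end - p) < n)
            return -1;
        for (i = 0; i < n; i++)
            len = (len << 8) | *p++;
    }
    *pp = p;
    *out = len;
    return 0;
}

/* The vulnerable pattern: value[0] is read before length is consulted, so an
 * empty token (length 0, value NULL) dereferences NULL.  Shown for contrast
 * only; never call it on a peer-supplied buffer. */
int classify_unchecked(const struct token *t)
{
    return *t->value == HEADER_ID ? TOKEN_GSS_FRAMED : TOKEN_NEGTOKENRESP;
}

/* Hardened classification: the length check precedes every dereference, and
 * the declared DER length must match the bytes actually delivered. */
int classify_checked(const struct token *t, size_t *inner_len)
{
    const unsigned char *ptr = t->value, *end;
    size_t len;
    if (t->length == 0 || t->value == NULL)
        return TOKEN_DEFECTIVE;          /* the check the fix adds */
    end = ptr + t->length;
    if (*ptr == HEADER_ID)
        return TOKEN_GSS_FRAMED;
    if (*ptr++ != NEGTOKENRESP_TAG)
        return TOKEN_DEFECTIVE;
    if (der_read_length(&ptr, end, &len) < 0 || len != (size_t)(end - ptr))
        return TOKEN_DEFECTIVE;
    if (inner_len != NULL)
        *inner_len = len;
    return TOKEN_NEGTOKENRESP;
}

/* Constructed samples, not captured traffic: a NegTokenResp carrying negState
 * accept-completed, the same header with its body cut off, a 0x60 token. */
static const unsigned char sample_good[]  = {0xa1, 0x07, 0x30, 0x05, 0xa0, 0x03,
                                             0x0a, 0x01, 0x00};
static const unsigned char sample_short[] = {0xa1, 0x07, 0x30, 0x05};
static const unsigned char sample_gss[]   = {0x60, 0x00};

/* 0: well-formed, 1: empty, 2: truncated, 3: GSS-framed. */
int sample_result(int which)
{
    const struct token samples[4] = {
        { sizeof sample_good,  sample_good  }, { 0, NULL },
        { sizeof sample_short, sample_short }, { sizeof sample_gss, sample_gss },
    };
    return classify_checked(&samples[which], NULL);
}

/* Acceptor receiving the sequence from the advisory: one valid token, then an
 * empty one.  Returns how many tokens were rejected, without crashing. */
int run_sequence(void)
{
    const struct token seq[2] = { { sizeof sample_good, sample_good }, { 0, NULL } };
    int rejected = 0, i;
    for (i = 0; i < 2; i++)
        if (classify_checked(&seq[i], NULL) == TOKEN_DEFECTIVE)
            rejected++;
    return rejected;
}
```

run_sequence returns 1: the valid first token passes and the empty second token is rejected as defective instead of being dereferenced, which is the behaviour the fix restores. Calling classify_unchecked on the same empty token crashes, which is the advisory's outcome. To confirm what the real one-line change looks like, inspect commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b in the krb5 repository, restricted to src/lib/gssapi/spnego/spnego_mech.c; the 1.12 branch carries it as a7886f0ed1277c69142b14a2c6629175a6331edc.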