RT RT/krbdev.mit.edu: Ticket #8244 SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696] Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
8244
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Tags
Version_reported
Version_Fixed
  • 1.14
Target_Version
  • 1.14
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
  • 8282: (tlyu) SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696] [review]
  • 8313: (tlyu) SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696] [resolved]
 
 Dates  
Created: Mon Oct 26 15:04:23 2015
Starts: Not set
Started: Mon Oct 26 15:04:23 2015
Last Contact: Mon Oct 26 15:39:41 2015
Due: Not set
Updated: Wed Dec 16 18:03:03 2015 by tlyu
 

 People  
Owner
 ghudson
Requestors
 ghudson@mit.edu
Cc
 
AdminCc
 
 

 More about Greg Hudson  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Mon Oct 26 15:04:23 2015  ghudson - Ticket created    
     
From: ghudson@mit.edu
Subject: git commit


Fix SPNEGO context aliasing bugs [CVE-2015-2695]

The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods.  Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.

CVE-2015-2695:

In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context().  Java server
applications using the native JGSS provider are vulnerable to this
bug.  A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]

https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d
Author: Nicolas Williams <nico@twosigma.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: b51b33f2bc5d1497ddf5bd107f791c101695000d
Branch: master
 src/lib/gssapi/spnego/gssapiP_spnego.h |    2 +
 src/lib/gssapi/spnego/spnego_mech.c    |  254 ++++++++++++++++++++++++--------
 2 files changed, 192 insertions(+), 64 deletions(-)


Download (untitled) 1.8k
      Mon Oct 26 15:04:23 2015  ghudson - Requestor ghudson@mit.edu added    
      Mon Oct 26 15:04:23 2015  ghudson - Status changed from new to review    
      Mon Oct 26 15:04:23 2015  ghudson - Tags pullup added    
      Mon Oct 26 15:04:24 2015  ghudson - Target_Version 1.14 added    
      Mon Oct 26 15:04:40 2015  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Fix IAKERB context aliasing bugs [CVE-2015-2696]

The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type.  Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.

CVE-2015-2696:

In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  Java server applications using the
native JGSS provider are vulnerable to this bug.  A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]

https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
Author: Nicolas Williams <nico@twosigma.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: e04f0283516e80d2f93366e0d479d13c9b5c8c2a
Branch: master
 src/lib/gssapi/krb5/gssapiP_krb5.h |  114 ++++++++++++
 src/lib/gssapi/krb5/gssapi_krb5.c  |  105 ++++++++++--
 src/lib/gssapi/krb5/iakerb.c       |  351 +++++++++++++++++++++++++++++++++---
 3 files changed, 529 insertions(+), 41 deletions(-)


Download (untitled) 1.7k
      Mon Oct 26 15:04:56 2015  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Add more gss_inquire_context() tests

Add tests for partial IAKERB and SPNEGO initiators, and for partial
krb5 (DCE-style), IAKERB, and SPNEGO acceptors.  Make flag checking
more strict for existing tests.

https://github.com/krb5/krb5/commit/a705b1160ce7f0c5f23b9859c4c6c707503fbfdc
Author: Greg Hudson <ghudson@mit.edu>
Commit: a705b1160ce7f0c5f23b9859c4c6c707503fbfdc
Branch: master
 src/tests/gssapi/t_gssapi.py |    2 +-
 src/tests/gssapi/t_inq_ctx.c |  146 ++++++++++++++++++++++++++++++++++++-----
 2 files changed, 129 insertions(+), 19 deletions(-)


Download (untitled) 559b
      Mon Oct 26 15:05:49 2015  ghudson - Subject changed from Fix SPNEGO context aliasing bugs [CVE-2015-2695] to SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696]    
      Mon Oct 26 15:39:39 2015  tlyu - Version_Fixed 1.14 added    
      Mon Oct 26 15:39:39 2015  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Fix SPNEGO context aliasing bugs [CVE-2015-2695]

The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods.  Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.

CVE-2015-2695:

In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context().  Java server
applications using the native JGSS provider are vulnerable to this
bug.  A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]

(cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d)

https://github.com/krb5/krb5/commit/31fb730f1ad708f230e4387e02ed2f89b93c3607
Author: Nicolas Williams <nico@twosigma.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 31fb730f1ad708f230e4387e02ed2f89b93c3607
Branch: krb5-1.14
 src/lib/gssapi/spnego/gssapiP_spnego.h |    2 +
 src/lib/gssapi/spnego/spnego_mech.c    |  254 ++++++++++++++++++++++++--------
 2 files changed, 192 insertions(+), 64 deletions(-)


Download (untitled) 1.9k
      Mon Oct 26 15:39:40 2015  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Fix IAKERB context aliasing bugs [CVE-2015-2696]

The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type.  Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.

CVE-2015-2696:

In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  Java server applications using the
native JGSS provider are vulnerable to this bug.  A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]

(cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a)

https://github.com/krb5/krb5/commit/096cfaa18504d20889a3d8829decb1bf72dd0ac5
Author: Nicolas Williams <nico@twosigma.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 096cfaa18504d20889a3d8829decb1bf72dd0ac5
Branch: krb5-1.14
 src/lib/gssapi/krb5/gssapiP_krb5.h |  114 ++++++++++++
 src/lib/gssapi/krb5/gssapi_krb5.c  |  105 ++++++++++--
 src/lib/gssapi/krb5/iakerb.c       |  351 +++++++++++++++++++++++++++++++++---
 3 files changed, 529 insertions(+), 41 deletions(-)


Download (untitled) 1.8k
      Mon Oct 26 15:39:41 2015  tlyu - Status changed from review to resolved    
      Mon Oct 26 15:39:41 2015  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Add more gss_inquire_context() tests

Add tests for partial IAKERB and SPNEGO initiators, and for partial
krb5 (DCE-style), IAKERB, and SPNEGO acceptors.  Make flag checking
more strict for existing tests.

(cherry picked from commit a705b1160ce7f0c5f23b9859c4c6c707503fbfdc)

https://github.com/krb5/krb5/commit/9bc7e779d56398d523e50517f355cab94a864435
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 9bc7e779d56398d523e50517f355cab94a864435
Branch: krb5-1.14
 src/tests/gssapi/t_gssapi.py |    2 +-
 src/tests/gssapi/t_inq_ctx.c |  146 ++++++++++++++++++++++++++++++++++++-----
 2 files changed, 129 insertions(+), 19 deletions(-)


Download (untitled) 665b
      Wed Dec 16 18:03:03 2015  tlyu - Keyword pullup deleted