RT RT/krbdev.mit.edu: Ticket #8273 Fix IAKERB context export/import [CVE-2015-2698] Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
8273
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Tags
Version_reported
Version_Fixed
  • 1.14
Target_Version
  • 1.14
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
  • 8284: (tlyu) Fix IAKERB context export/import [CVE-2015-2698] [resolved]
  • 8316: (tlyu) Fix IAKERB context export/import [CVE-2015-2698] [resolved]
 
 Dates  
Created: Thu Nov 5 12:25:52 2015
Starts: Not set
Started: Thu Nov 5 12:25:53 2015
Last Contact: Thu Nov 5 15:22:43 2015
Due: Not set
Updated: Wed Dec 16 18:03:04 2015 by tlyu
 

 People  
Owner
 ghudson
Requestors
 ghudson@mit.edu
Cc
 
AdminCc
 
 

 More about Greg Hudson  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Thu Nov  5 12:25:52 2015  ghudson - Ticket created    
     
From: ghudson@mit.edu
Subject: git commit


Fix IAKERB context export/import [CVE-2015-2698]

The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory.  Fix the regression by properly
dereferencing the context_handle pointer before casting it.

Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context.  Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.

CVE-2015-2698:

In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd
Author: Greg Hudson <ghudson@mit.edu>
Commit: 3db8dfec1ef50ddd78d6ba9503185995876a39fd
Branch: master
 src/lib/gssapi/krb5/gssapiP_krb5.h |    5 ++++
 src/lib/gssapi/krb5/gssapi_krb5.c  |    2 +-
 src/lib/gssapi/krb5/iakerb.c       |   42 ++++++++++++++++++++++++++++++------
 3 files changed, 41 insertions(+), 8 deletions(-)


Download (untitled) 1.4k
      Thu Nov  5 12:25:53 2015  ghudson - Requestor ghudson@mit.edu added    
      Thu Nov  5 12:25:53 2015  ghudson - Status changed from new to review    
      Thu Nov  5 12:25:53 2015  ghudson - Tags pullup added    
      Thu Nov  5 12:25:53 2015  ghudson - Target_Version 1.14 added    
      Thu Nov  5 12:25:54 2015  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Fix SPNEGO context import

The patches for CVE-2015-2695 did not implement a SPNEGO
gss_import_sec_context() function, under the erroneous belief that an
exported SPNEGO context would be tagged with the underlying context
mechanism.  Implement it now to allow SPNEGO contexts to be
successfully exported and imported after establishment.

https://github.com/krb5/krb5/commit/222b09f6e2f536354555f2a0dedfe29fc10c01d6
Author: Greg Hudson <ghudson@mit.edu>
Commit: 222b09f6e2f536354555f2a0dedfe29fc10c01d6
Branch: master
 src/lib/gssapi/spnego/spnego_mech.c |   33 +++++++++++++++++++++++++++------
 1 files changed, 27 insertions(+), 6 deletions(-)


Download (untitled) 648b
      Thu Nov  5 12:25:54 2015  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Add test coverage for GSS context export/import

Pass the -export flag to gss-server in t_gss_sample.py, in order to
test context export and import for each of the mechanisms.

https://github.com/krb5/krb5/commit/bee2d867248b24c627da4c2ef270c8de15fd96f9
Author: Greg Hudson <ghudson@mit.edu>
Commit: bee2d867248b24c627da4c2ef270c8de15fd96f9
Branch: master
 src/appl/gss-sample/t_gss_sample.py |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


Download (untitled) 455b
      Thu Nov  5 15:22:41 2015  tlyu - Version_Fixed 1.14 added    
      Thu Nov  5 15:22:41 2015  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Fix IAKERB context export/import [CVE-2015-2698]

The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory.  Fix the regression by properly
dereferencing the context_handle pointer before casting it.

Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context.  Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.

CVE-2015-2698:

In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

(cherry picked from commit 3db8dfec1ef50ddd78d6ba9503185995876a39fd)

https://github.com/krb5/krb5/commit/54222de30a89bfac0247dfbc1759556dc9fd2983
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 54222de30a89bfac0247dfbc1759556dc9fd2983
Branch: krb5-1.14
 src/lib/gssapi/krb5/gssapiP_krb5.h |    5 ++++
 src/lib/gssapi/krb5/gssapi_krb5.c  |    2 +-
 src/lib/gssapi/krb5/iakerb.c       |   42 ++++++++++++++++++++++++++++++------
 3 files changed, 41 insertions(+), 8 deletions(-)


Download (untitled) 1.5k
      Thu Nov  5 15:22:42 2015  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Fix SPNEGO context import

The patches for CVE-2015-2695 did not implement a SPNEGO
gss_import_sec_context() function, under the erroneous belief that an
exported SPNEGO context would be tagged with the underlying context
mechanism.  Implement it now to allow SPNEGO contexts to be
successfully exported and imported after establishment.

(cherry picked from commit 222b09f6e2f536354555f2a0dedfe29fc10c01d6)

https://github.com/krb5/krb5/commit/8e10a780fd3bfefd1ba08ca1552e8d0677917454
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 8e10a780fd3bfefd1ba08ca1552e8d0677917454
Branch: krb5-1.14
 src/lib/gssapi/spnego/spnego_mech.c |   33 +++++++++++++++++++++++++++------
 1 files changed, 27 insertions(+), 6 deletions(-)


Download (untitled) 754b
      Thu Nov  5 15:22:43 2015  tlyu - Status changed from review to resolved    
      Thu Nov  5 15:22:43 2015  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Add test coverage for GSS context export/import

Pass the -export flag to gss-server in t_gss_sample.py, in order to
test context export and import for each of the mechanisms.

(cherry picked from commit bee2d867248b24c627da4c2ef270c8de15fd96f9)

https://github.com/krb5/krb5/commit/e802afa475291762b57ba2d27ce5c81dbaec2c07
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: e802afa475291762b57ba2d27ce5c81dbaec2c07
Branch: krb5-1.14
 src/appl/gss-sample/t_gss_sample.py |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


Download (untitled) 561b
      Wed Dec 16 18:03:04 2015  tlyu - Keyword pullup deleted