RT/krbdev.mit.edu: Ticket #8643 Fix flaws in LDAP DN checking

The Basics
Id: 8643
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component:
Tags:
Version_reported:
Version_Fixed:
  • 1.15.3
  • 1.16.1
Target_Version:
  • 1.15-next
  • 1.16-next

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Tue Feb 13 11:07:27 2018
Starts: Not set
Started: Tue Feb 13 11:07:27 2018
Last Contact: Not set
Due: Not set
Updated: Wed May 2 10:16:07 2018 by ghudson
 

People
Owner: ghudson
Requestors: ghudson@mit.edu
Cc:
AdminCc:


History
Tue Feb 13 11:07:27 2018  ghudson - Ticket created
From: ghudson@mit.edu
Subject: git commit


Fix flaws in LDAP DN checking

KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB
module, and not used in disk or wire principal entries.  Prevent
kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a
type number less than 256 and filtering out type numbers less than 256
in kadm5_create_principal_3().  (We already filter out low type
numbers in kadm5_modify_principal()).

In the LDAP KDB module, if containerdn and linkdn are both specified
in a put_principal operation, check both linkdn and the computed
standalone_principal_dn for container membership.  To that end, factor
out the checks into helper functions and call them on all applicable
client-influenced DNs.

CVE-2018-5729:

In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can cause a null
dereference in kadmind, or circumvent a DN container check, by
supplying tagged data intended to be internal to the database module.
Thanks to Sharwan Ram and Pooja Anil for discovering the potential
null dereference.

CVE-2018-5730:

In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can circumvent a DN
containership check by supplying both a "linkdn" and "containerdn"
database argument, or by supplying a DN string which is a left
extension of a container DN string but is not hierarchically within
the container DN.

https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1
Author: Greg Hudson <ghudson@mit.edu>
Commit: e1caf6fb74981da62039846931ebdffed71309d1
Branch: master
 src/lib/kadm5/srv/svr_principal.c                  |    7 +
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h        |    2 +-
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |  200 +++++++++++---------
 src/tests/t_kdb.py                                 |   11 +
 4 files changed, 125 insertions(+), 95 deletions(-)
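The commit message describes two defensive checks: dropping client-supplied tl-data whose type number is below 256, and deciding DN containership by RDN component rather than by string suffix, applied to both the linkdn and the computed standalone principal DN. The following is an added Python model of those checks, written for this ticket page; it is not krb5 project code. The constant names, the placeholder type value, the function names and the example DNs are all constructed here, and the DN splitter is a deliberately minimal stand-in for a real LDAP DN parser.

```python
import re

# Constructed boundary taken from the commit message: tl-data types below
# 256 are reserved for KDB-module-internal use and must never come from a
# kadmin client.
INTERNAL_TL_TYPE_LIMIT = 256

# Placeholder (not the real krb5 value) for a module-internal tl-data type;
# the only property this example relies on is that it is below the limit.
TL_USER_INFO_PLACEHOLDER = 0x7F


def filter_client_tl_data(tl_data):
    """Drop client-supplied tl-data whose type is reserved for the KDB module.

    tl_data is a list of (type_number, value_bytes) pairs as a kadmin client
    would send them on a create or modify.  Entries below
    INTERNAL_TL_TYPE_LIMIT are removed, so a client cannot plant state that
    the database module expects to have produced itself.
    """
    return [(t, v) for t, v in tl_data if t >= INTERNAL_TL_TYPE_LIMIT]


def split_dn(dn):
    """Split a DN string into its RDN components.

    Splits only on commas that are not backslash-escaped, trims whitespace
    and case-folds each RDN.  Sufficient for the comparison below; a real
    implementation would use the LDAP library's own DN parser
    (ldap_explode_dn or equivalent) rather than this regex.
    """
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def dn_in_container(dn, container):
    """True iff dn lies hierarchically below container.

    The container's RDN sequence must be a proper tail of dn's RDN sequence,
    compared component by component.  A DN whose string merely ends with the
    container string, such as a multi-valued RDN "cn=x+ou=people,...", is
    rejected because its last RDNs do not line up with the container's.
    """
    dn_rdns, cont_rdns = split_dn(dn), split_dn(container)
    return len(dn_rdns) > len(cont_rdns) and dn_rdns[-len(cont_rdns):] == cont_rdns


def dn_in_container_by_string(dn, container):
    """The plain string-suffix test that the CVE text describes as insufficient."""
    return dn.lower().endswith(container.lower())


def check_put_principal(standalone_dn, linkdn, containers):
    """Apply the containership check to every client-influenced DN.

    Both the computed standalone principal DN and, when supplied, the linkdn
    must sit inside one of the permitted containers.  Checking only one of
    the two when both are present is the gap the second CVE describes.
    """
    for candidate in (standalone_dn, linkdn):
        if candidate is None:
            continue
        if not any(dn_in_container(candidate, c) for c in containers):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample data.
    containers = ["ou=people,dc=example,dc=com"]
    inside = "cn=alice,ou=people,dc=example,dc=com"
    multivalued = "cn=alice+ou=people,dc=example,dc=com"   # string suffix matches, hierarchy does not
    print("component check:", dn_in_container(multivalued, containers[0]))
    print("string check:   ", dn_in_container_by_string(multivalued, containers[0]))
    print("both DNs ok:    ", check_put_principal(inside, "cn=svc,ou=outside,dc=example,dc=com", containers))
    print("filtered tl-data:", filter_client_tl_data([(TL_USER_INFO_PLACEHOLDER, b"internal"), (300, b"ok")]))
```

The multi-valued RDN case is the clearest illustration of the "left extension" wording in CVE-2018-5730: the DN string ends with the container string, so a suffix comparison accepts it, yet the entry's parent is `dc=example,dc=com`, not the `ou=people` container.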


Tue Feb 13 11:07:27 2018  ghudson - Requestor ghudson@mit.edu added
Tue Feb 13 11:07:27 2018  ghudson - Status changed from new to resolved
Tue Feb 13 11:07:27 2018  ghudson - Tags pullup added
Tue Feb 13 11:07:27 2018  ghudson - Target_Version 1.16-next added
Tue Feb 13 11:07:27 2018  ghudson - Target_Version 1.15-next added
Wed May  2 01:25:33 2018  ghudson - Version_Fixed 1.16.1 added
Wed May  2 01:25:33 2018  ghudson - Correspondence added
From: ghudson@mit.edu
Subject: git commit


Fix flaws in LDAP DN checking

KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB
module, and not used in disk or wire principal entries.  Prevent
kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a
type number less than 256 and filtering out type numbers less than 256
in kadm5_create_principal_3().  (We already filter out low type
numbers in kadm5_modify_principal()).

In the LDAP KDB module, if containerdn and linkdn are both specified
in a put_principal operation, check both linkdn and the computed
standalone_principal_dn for container membership.  To that end, factor
out the checks into helper functions and call them on all applicable
client-influenced DNs.

CVE-2018-5729:

In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can cause a null
dereference in kadmind, or circumvent a DN container check, by
supplying tagged data intended to be internal to the database module.
Thanks to Sharwan Ram and Pooja Anil for discovering the potential
null dereference.

CVE-2018-5730:

In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can circumvent a DN
containership check by supplying both a "linkdn" and "containerdn"
database argument, or by supplying a DN string which is a left
extension of a container DN string but is not hierarchically within
the container DN.

(cherry picked from commit e1caf6fb74981da62039846931ebdffed71309d1)

https://github.com/krb5/krb5/commit/dcfdea5477fa74b06b098f8888e5b4b2642ab38a
Author: Greg Hudson <ghudson@mit.edu>
Commit: dcfdea5477fa74b06b098f8888e5b4b2642ab38a
Branch: krb5-1.16
 src/lib/kadm5/srv/svr_principal.c                  |    7 +
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h        |    2 +-
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |  200 +++++++++++---------
 src/tests/t_kdb.py                                 |   11 +
 4 files changed, 125 insertions(+), 95 deletions(-)


Wed May  2 01:25:59 2018  ghudson - Version_Fixed 1.15.3 added
Wed May  2 01:25:59 2018  ghudson - Correspondence added
From: ghudson@mit.edu
Subject: git commit


Fix flaws in LDAP DN checking

KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB
module, and not used in disk or wire principal entries.  Prevent
kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a
type number less than 256 and filtering out type numbers less than 256
in kadm5_create_principal_3().  (We already filter out low type
numbers in kadm5_modify_principal()).

In the LDAP KDB module, if containerdn and linkdn are both specified
in a put_principal operation, check both linkdn and the computed
standalone_principal_dn for container membership.  To that end, factor
out the checks into helper functions and call them on all applicable
client-influenced DNs.

CVE-2018-5729:

In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can cause a null
dereference in kadmind, or circumvent a DN container check, by
supplying tagged data intended to be internal to the database module.
Thanks to Sharwan Ram and Pooja Anil for discovering the potential
null dereference.

CVE-2018-5730:

In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can circumvent a DN
containership check by supplying both a "linkdn" and "containerdn"
database argument, or by supplying a DN string which is a left
extension of a container DN string but is not hierarchically within
the container DN.

(cherry picked from commit e1caf6fb74981da62039846931ebdffed71309d1)

https://github.com/krb5/krb5/commit/a2df94b6bb22ecf6e77c5044cff0f627b4fb30cf
Author: Greg Hudson <ghudson@mit.edu>
Commit: a2df94b6bb22ecf6e77c5044cff0f627b4fb30cf
Branch: krb5-1.15
 src/lib/kadm5/srv/svr_principal.c                  |    7 +
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h        |    2 +-
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |  200 +++++++++++---------
 src/tests/t_kdb.py                                 |   14 ++
 4 files changed, 128 insertions(+), 95 deletions(-)


Wed May  2 10:16:07 2018  ghudson - Keyword pullup deleted