From: kaduk@MIT.EDU
Subject: SVN Commit

PKINIT null pointer deref [CVE-2013-1415]

Don't dereference a null pointer when cleaning up.

The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.

CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C

This is a minimal commit for pullup; style fixes in a followup.
[kaduk@mit.edu: reformat and edit commit message]

https://github.com/krb5/krb5/commit/c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
Author: Xi Wang <xi.wang@gmail.com>
Committer: Ben Kaduk <kaduk@mit.edu>
Commit: c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
This bug has been present since the initial import of PKINIT for 1.6.3;
all later releases are affected.

In particular, we should pull this up to 1.10 and 1.9 at least.

From: tlyu@mit.edu
Subject: SVN Commit

PKINIT null pointer deref [CVE-2013-1415]

Don't dereference a null pointer when cleaning up.

The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.

CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C

This is a minimal commit for pullup; style fixes in a followup.
[kaduk@mit.edu: reformat and edit commit message]

(cherry picked from commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed)

https://github.com/krb5/krb5/commit/f249555301940c6df3a2cdda13b56b5674eebc2e
Author: Xi Wang <xi.wang@gmail.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: f249555301940c6df3a2cdda13b56b5674eebc2e
Branch: krb5-1.11
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
The detailed analysis:

The process_as_req() function in the KDC has support for pluggable
modules that implement various types of preauthentication. The PKINIT
preauthentication module (using public key cryptography for initial
authentication) is part of the MIT krb5 source distribution, and is
compiled by default when a usable cryptography backend is present.
Before the PKINIT module will be used in AS_REQ processing, it must
be configured in the KDC configuration profile (e.g., kdc.conf).
When processing an AS_REQ of type KRB5_PADATA_PK_AS_REQ, the KDC
performs initial validation of the request, checking the Diffie-Hellman
parameters and verifying the authenticator checksum before proceeding
to check that a KDC public key ID is present and matches the KDC
configuration. During the process of checking for a KDC public key ID,
the KDC must extract an issuer and serial number from the client-supplied
X.509 certificate. If this extraction fails, a null pointer is returned
which the server detects as an error, and the server proceeds to its
cleanup code, which deallocates memory that was allocated to process the
request. This cleanup code unconditionally dereferences the pointer
holding the issuer and serial number information, which is a null pointer
in this error case. This potential for null pointer dereference has
been present since the introduction of the PKINIT code, in krb5-1.6.3.

The vulnerable code executes after substantial validation and processing
of the request, so an attacker must be able to successfully perform
PKINIT preauthentication or observe or modify a valid preauthentication
attempt.
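The error-path pattern described in the analysis, as an added example that is not krb5's own code: a hypothetical decoder that returns NULL on malformed input, a check that jumps to its cleanup label with that NULL still in hand, and the hardened cleanup beside it. The names parse_pkid, check_kdc_pkid_vulnerable and check_kdc_pkid_fixed and the "issuer:serial" input format are assumptions made for the model.

```c
/* Added example, not krb5's code: a model of the CVE-2013-1415 error path. */
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an OpenSSL issuer-and-serial object. */
typedef struct { char *issuer; long serial; } issuer_and_serial;

/* Hypothetical decoder: "issuer:serial" in; NULL out on malformed input, like d2i_*. */
static issuer_and_serial *parse_pkid(const char *pkid)
{
    const char *colon = strchr(pkid, ':');
    issuer_and_serial *is = NULL;
    if (colon == NULL || colon == pkid || (is = calloc(1, sizeof(*is))) == NULL ||
        (is->issuer = malloc((size_t)(colon - pkid) + 1)) == NULL) {
        free(is);                      /* free(NULL) is a no-op */
        return NULL;
    }
    memcpy(is->issuer, pkid, (size_t)(colon - pkid));
    is->issuer[colon - pkid] = '\0';
    is->serial = strtol(colon + 1, NULL, 10);
    return is;
}

/* Vulnerable shape: the early goto arrives with is == NULL and the cleanup
 * label dereferences it anyway. Returns 0 match, 1 mismatch, -1 bad input. */
int check_kdc_pkid_vulnerable(const char *pkid, const char *issuer, long serial)
{
    int retval = -1;
    issuer_and_serial *is = parse_pkid(pkid);
    if (is == NULL) goto cleanup;      /* early exit: is == NULL here */
    retval = (strcmp(is->issuer, issuer) == 0 && is->serial == serial) ? 0 : 1;
cleanup:
    free(is->issuer);                  /* NULL dereference on the error path */
    free(is);
    return retval;
}

/* Hardened shape: the same function, but cleanup tolerates the error-case NULL. */
int check_kdc_pkid_fixed(const char *pkid, const char *issuer, long serial)
{
    int retval = -1;
    issuer_and_serial *is = parse_pkid(pkid);
    if (is == NULL) goto cleanup;      /* early exit: is == NULL here */
    retval = (strcmp(is->issuer, issuer) == 0 && is->serial == serial) ? 0 : 1;
cleanup:
    if (is != NULL)                    /* dereference only when it exists */
        free(is->issuer);
    free(is);                          /* free(NULL) is a no-op */
    return retval;
}
```

Feeding a string without the separator to check_kdc_pkid_vulnerable crashes the process, which is the KDC denial of service the ticket describes; check_kdc_pkid_fixed returns -1 for the same input.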