Ticket History #7970: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]

# Mon Jul 21 13:04:23 2014 ghudson@mit.edu (Greg Hudson) - Ticket created

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 1.1KiB

Fix null deref in SPNEGO acceptor [CVE-2014-4344]

When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length. This could
result in a null dereference.

CVE-2014-4344:

In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token. This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[kaduk@mit.edu: CVE summary, CVSSv2 vector]

https://github.com/krb5/krb5/commit/524688ce87a15fc75f87efc8c039ba4c7d5c197b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 524688ce87a15fc75f87efc8c039ba4c7d5c197b
Branch: master
src/lib/gssapi/spnego/spnego_mech.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

# Mon Jul 21 13:04:23 2014 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added

# Mon Jul 21 13:04:23 2014 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'review'

# Mon Jul 21 13:04:23 2014 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Mon Jul 21 13:04:23 2014 ghudson@mit.edu (Greg Hudson) - Target_Version 1.12.2 added

# Mon Jul 21 18:33:48 2014 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'

# Mon Jul 21 18:33:48 2014 tlyu (Taylor Yu) - Version_Fixed 1.12.2 added

# Mon Jul 21 18:33:48 2014 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 1.2KiB

Fix null deref in SPNEGO acceptor [CVE-2014-4344]

When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length. This could
result in a null dereference.

CVE-2014-4344:

In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token. This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[kaduk@mit.edu: CVE summary, CVSSv2 vector]

(cherry picked from commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b)

https://github.com/krb5/krb5/commit/a7886f0ed1277c69142b14a2c6629175a6331edc
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: a7886f0ed1277c69142b14a2c6629175a6331edc
Branch: krb5-1.12
src/lib/gssapi/spnego/spnego_mech.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

# Wed Dec 16 18:03:02 2015 tlyu (Taylor Yu) - CustomField pullup deleted