From: | ghudson@mit.edu |
Subject: | git commit |
Fix flaws in LDAP DN checking
KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB
module, and not used in disk or wire principal entries. Prevent
kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a
type number less than 256 and filtering out type numbers less than 256
in kadm5_create_principal_3(). (We already filter out low type
numbers in kadm5_modify_principal()).
In the LDAP KDB module, if containerdn and linkdn are both specified
in a put_principal operation, check both linkdn and the computed
standalone_principal_dn for container membership. To that end, factor
out the checks into helper functions and call them on all applicable
client-influenced DNs.
CVE-2018-5729:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can cause a null
dereference in kadmind, or circumvent a DN container check, by
supplying tagged data intended to be internal to the database module.
Thanks to Sharwan Ram and Pooja Anil for discovering the potential
null dereference.
CVE-2018-5730:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can circumvent a DN
containership check by supplying both a "linkdn" and "containerdn"
database argument, or by supplying a DN string which is a left
extension of a container DN string but is not hierarchically within
the container DN.
https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1
Author: Greg Hudson <ghudson@mit.edu>
Commit: e1caf6fb74981da62039846931ebdffed71309d1
Branch: master
src/lib/kadm5/srv/svr_principal.c | 7 +
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 2 +-
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 200 +++++++++++---------
src/tests/t_kdb.py | 11 +
4 files changed, 125 insertions(+), 95 deletions(-)