-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

MITKRB5-SA-2014-001

MIT krb5 Security Advisory 2014-001
Original release: 2014-08-07
Last update: 2014-08-07

Topic: Buffer overrun in kadmind with LDAP backend

CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 8.5

Access Vector: Network
Access Complexity: Medium
Authentication: Single
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

CVSSv2 Temporal Score: 6.7

Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overflow). This is not a protocol
vulnerability. Using LDAP for the KDC database is a non-default
configuration for the KDC.

IMPACT

Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary exploits
must be tailored to the individual application and are usually quite
complicated. Depending on the allocated length of the array, an
out-of-bounds write may also cause a segmentation fault and/or
application crash.

AFFECTED SOFTWARE

• The kadmind daemon from MIT krb5 releases 1.6 to 1.12.2, when
  configured to use the LDAP backend for the KDB, is vulnerable.
  Releases of MIT krb5 prior to 1.6 did not provide the ability to use
  LDAP for the KDB backend.

FIXES

• Workaround: disable or restrict access to kadmind until a patched
  version can be installed. This will prevent principal creation,
  password changes, keytab updates, and other administrative operations.

• The krb5-1.12.2 and krb5-1.11.6 releases will contain a fix for this
  vulnerability.

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ce851ea…df5934c 100644

• — a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
  +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
  @@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
  j++;
  last = i + 1;

• •        currkvno = key_data[i].key_data_kvno;
    

•        if (i < n_key_data - 1)
  

•            currkvno = key_data[i + 1].key_data_kvno;
     }
  

  }
  ret[num_versions] = NULL;

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2014-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc

REFERENCES

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2014-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2014-4345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4345

ACKNOWLEDGMENTS

This off-by-one error was reported by Tomas Kuthan as github pull
request #181 and recognized as a vulnerability by Greg Hudson.

CONTACT

The MIT Kerberos Team security contact address is
<[email protected]>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/C436A9C6 2014-01-07 [expires: 2015-02-01]
Key fingerprint = 1849 02FF 0CA8 A385 F28D 2E7E 2AF0 C1EA C436 A9C6
uid MIT Kerberos Team Security Contact <[email protected]>

DETAILS

The 'cpw -keepold' functionality allows for the existing keys to be
retained at password-change (or keytab-change) time, instead of being
discarded as usual. An array must be allocated to store all the old
keys, as well as the new keys and a NULL terminator. In normal
operation, all the keys for a single kvno will share an array slot. An
off-by-one error while copying key information to the new array results
in keys sharing a common kvno being written to different array buckets,
with the first key of a kvno betting a single bucket, and the remaining
keys getting the next bucket. After sufficient iterations, the extra
writes extend past the end of the (NULL-terminated) array. The NULL
terminator is always written after the end of the loop, so no
out-of-bounds data is read, it is only written.

REVISION HISTORY

2014-08-07 original release

Copyright (C) 2014 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGgBAEBCAAGBQJT4/duAAoJECjZpvNk63USrnQMH2t7UgKODNopFrkpAU7Tn0LH
NFhMSHGLbAe6+K/wcvqlmuNI1lvcqTGu8/U2cIOw+E4m+MiUpR8gFQd5UP8+wnpJ
mCGhKdvCSgYnxoru06NSvisF4fAm8qij5WSEA7/CSqOSCmAVsM8VOt/nom+0tZUw
3u7dxfGpvmLEBBNlXiuukHmT7HQvQomqltbwUyyBuBp8S07G1tCWQr5Ei+aUnM5l
vxSoS50ek28nd9TfGEQ3hTYpwQEJw9WVWM4AZG7HDVuEhdexI5RD0r6aE2Tq3Tnp
01htIs9XQxcepV3L84P4F0WXW1rCQjnErTf0ywzFL9sUOzT7CiBQIaJ0m/nWRkz/
UVubpezV8njZ65tCoWX/GYdhwUgc09LMI0GDdBZ5TPmWvpQp7REwFMYVBLjNg/7S
qYzXl8X5jRABUJQxga+G3XenFP+vKIvS4DqqHT3gn7GNdwER4EWl5NAaaNc7yzAN
6g+13gyJcLOiSmT4p3pnCU8bRSHGKj3DnulyyiCj9coxbPc=
=GLjL
-----END PGP SIGNATURE-----