Remote unauthenticated DoS in Heimdal-KDC 7.1 #353
Comments
The Debian bug report also contains a PoC exploit code. Unfortunately, responsible disclosure is not possible anymore as the bug was directly reported publicly in the Debian BTS after the Heimdal maintainers failed to reply to private mail. It seems advisable to get a CVE ID and make an advisory.
I'm going to start looking at this today.
There was a patch sent to a public heimdal mailing list over the Summer. That patch was not accepted because there were open questions regarding what the proper error handling should be both for the missing client_princ as well as a potential missing server_princ which is permitted by RFC4120 in some situations but not others. Patching the der_length_xxxx() functions to return 0 for NULL pointer across the board makes sense from a cleanliness perspective. However, _kdc_as_rep() must still be properly reviewed so that _kdc_fast_mk_error() is only called with valid input and only when appropriate. For example, in this particular case, the AS_REQ packets with an empty client principal are being sent in order to inventory KDC processes around the world. It might be best to not send an error reply and simply drop the request instead.
Agreed. So, it would be great if we could get some patch very soon. Who is responsible for requesting a CVE identifier, so we can start tracking this security issue?
I've not been able to reproduce this against Samba, so it looks like we lucked out given the age of our snapshot, as we don't have the changes in a873e21 yet. These changes came from Samba. @metze-samba is the author and I reviewed them, however Samba master only has the parent commit 25f3db9 (as 454db47eac1816efc28e3bdae188e784ee3a502e). The issue is in forming the error reply packet based on variables sent by the client, which is why a log message is printed.
To help others trying to follow this, the above referenced mail thread is: http://www.h5l.org/pipermail/heimdal-discuss/2017-August/000259.html
I requested a CVE ID at MITRE.
Will there be a security release for this? If not, I will patch 7.4.0 in Debian with a patch.
Hello?
Thank you for obtaining the CVE. The heimdal-7.5.0 tag was pushed yesterday by @vdukhovni.
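The two defensive layers discussed in the comment above (length helpers that tolerate a NULL pointer, plus caller-side validation so that an error reply is never built from a request whose client name is missing) are illustrated below with a self-contained toy model. This is an added example, not Heimdal's code and not the patch from the mailing list; every type and function here (toy_general_string, toy_principal_name, toy_as_req, toy_der_length_*, toy_kdc_*) is a constructed stand-in for the real libasn1 and KDC routines, and the sample principal data is constructed too. It also covers the crash described in the issue body below (a NULL client name reaching a der_length routine while an error reply is formed).

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy types standing in for Heimdal's ASN.1 structures (assumption). */
typedef struct {
    size_t len;
    const char *data;
} toy_general_string;

typedef struct {
    int name_type;
    size_t n_components;
    const toy_general_string *components; /* may be NULL on a malformed request */
} toy_principal_name;

typedef struct {
    const toy_principal_name *cname; /* NULL when the client name is missing */
    const toy_principal_name *sname;
} toy_as_req;

/* Number of DER length octets needed for a content length (definite form). */
static size_t toy_der_length_len(size_t len) {
    if (len < 128) return 1;          /* short form: one octet */
    size_t n = 1;                     /* long form: leading octet plus big-endian length bytes */
    while (len > 0) { n++; len >>= 8; }
    return n;
}

/* Content length of a GeneralString. A NULL pointer yields 0 instead of a dereference. */
size_t toy_der_length_general_string(const toy_general_string *s) {
    if (s == NULL || s->data == NULL) return 0;
    return s->len;
}

/* Encoded length of a PrincipalName modelled as SEQUENCE OF GeneralString; NULL yields 0. */
size_t toy_der_length_principal_name(const toy_principal_name *p) {
    if (p == NULL) return 0;
    size_t total = 0;
    for (size_t i = 0; i < p->n_components; i++) {
        const toy_general_string *c = p->components ? &p->components[i] : NULL;
        size_t clen = toy_der_length_general_string(c);
        total += 1 + toy_der_length_len(clen) + clen; /* tag + length + content */
    }
    return 1 + toy_der_length_len(total) + total;
}

/* Size of the error reply that would carry both names; refuses (-1) when cname is invalid,
 * so the reply builder is never entered with input it cannot encode. */
long toy_kdc_error_reply_len(const toy_principal_name *cname, const toy_principal_name *sname) {
    if (cname == NULL) return -1;
    return (long)(toy_der_length_principal_name(cname) + toy_der_length_principal_name(sname));
}

enum toy_action { TOY_DROP = 0, TOY_PROCESS = 1 };

/* Caller-side check done before any reply is formed: a request without a client name is
 * dropped silently rather than answered with an error packet. */
enum toy_action toy_kdc_handle_as_req(const toy_as_req *req) {
    if (req == NULL || req->cname == NULL) return TOY_DROP;
    return TOY_PROCESS;
}

/* Constructed sample data. */
static const toy_general_string toy_sample_components[2] = {
    { 6, "krbtgt" }, { 11, "EXAMPLE.COM" }
};
const toy_principal_name toy_sample_cname = { 2, 2, toy_sample_components };
const toy_principal_name toy_sample_broken = { 1, 1, NULL }; /* claims one component, has none */
const toy_as_req toy_req_ok = { &toy_sample_cname, &toy_sample_cname };
const toy_as_req toy_req_no_cname = { NULL, &toy_sample_cname };

int main(void) {
    printf("len(cname)=%zu len(NULL)=%zu len(broken)=%zu\n",
           toy_der_length_principal_name(&toy_sample_cname),
           toy_der_length_principal_name(NULL),
           toy_der_length_principal_name(&toy_sample_broken));
    printf("ok request -> %d, request without cname -> %d\n",
           toy_kdc_handle_as_req(&toy_req_ok), toy_kdc_handle_as_req(&toy_req_no_cname));
    printf("error reply without cname -> %ld\n",
           toy_kdc_error_reply_len(NULL, &toy_sample_cname));
    return 0;
}
```

The length helpers make a NULL harmless, but on their own they would still let the KDC answer an unauthenticated probe; the drop decision in toy_kdc_handle_as_req is what removes the reply path entirely, which is the point the comment makes about _kdc_as_rep().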
The following was reported in the Debian bug tracker at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878144
heimdal-kdc 7.1.0 is regularly observed to crash due to malformed client names in client requests received over the internet.
heimdal-kdc.log.5.gz:2017-08-06T12:06:05 AS-REQ malformed client name from IPv4:71.6.167.142
This leads to a segfault:
kdc[24683]: segfault at 18 ip 00007f8a096715d0 sp 00007ffd48ba4b28 error 4 in libasn1.so.8.0.0[7f8a095ea000+a7000]
The related code is in lib/asn1/der_length.c:
Proposed patch:
It would be good to have this fix, or another one, approved quickly so we can get a patch in Debian's security release.