Remote unauthenticated DoS in Heimdal-KDC 7.1 #353

Closed
Natureshadow opened this issue Dec 5, 2017 · 12 comments
@Natureshadow (Author)

The following was reported in the Debian bug tracker at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878144

heimdal-kdc 7.1.0 is regularly observed to crash due to malformed client names in client requests received over the internet.

heimdal-kdc.log.5.gz:2017-08-06T12:06:05 AS-REQ malformed client name from IPv4:71.6.167.142

This leads to a segfault:

kdc[24683]: segfault at 18 ip 00007f8a096715d0 sp 00007ffd48ba4b28 error 4 in libasn1.so.8.0.0[7f8a095ea000+a7000]

The related code is in lib/asn1/der_length.c:

size_t der_length_visible_string (const heim_visible_string *data)
{
    return strlen(*data);
}

Proposed patch (the same function with a NULL check added):

size_t der_length_visible_string (const heim_visible_string *data)
{
    if (!data) return 0;
    else return strlen(*data);
}

It would be good to have this fix, or another one, approved quickly so we can get a patch in Debian's security release.

@Natureshadow (Author) commented Dec 5, 2017

The Debian bug report also contains PoC exploit code. Unfortunately, responsible disclosure is not possible anymore, as the bug was reported publicly in the Debian BTS directly after the Heimdal maintainers failed to reply to private mail.

It seems advisable to get a CVE ID and make an advisory.

@abartlet (Member) commented Dec 5, 2017

I'm going to start looking at this today.

@jaltman (Member) commented Dec 5, 2017

There was a patch sent to a public heimdal mailing list over the summer. That patch was not accepted because there were open questions regarding what the proper error handling should be, both for the missing client_princ as well as a potentially missing server_princ, which is permitted by RFC 4120 in some situations but not others.

Patching the der_length_xxxx() functions to return 0 for NULL pointer across the board makes sense from a cleanliness perspective. However, _kdc_as_rep() must still be properly reviewed so that _kdc_fast_mk_error() is only called with valid input and only when appropriate.

For example, in this particular case, the AS_REQ packets with an empty client principal are being sent in order to inventory KDC processes around the world. It might be best to not send an error reply and simply drop the request instead.
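As an added illustration of the two layers described in the comment above (this is example code written for this page, not Heimdal's code and not code from anyone in this thread): a der_length function that treats NULL as length 0, and a request gate that drops an AS-REQ lacking a client principal instead of building an error reply from it. `struct as_req`, `error_reply_length` and `handle_as_req` are hypothetical stand-ins, not Heimdal APIs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Heimdal's heim_visible_string: a C string pointer. */
typedef char *heim_visible_string;

/* Hardened der_length: a NULL (absent OPTIONAL field) has length 0 instead of
 * being dereferenced, the across-the-board fix suggested in the thread. */
size_t der_length_visible_string(const heim_visible_string *data)
{
    if (data == NULL || *data == NULL)
        return 0;
    return strlen(*data);
}

/* Minimal model of an AS-REQ: both names arrive as NULL when the sender
 * omitted or malformed them (the client name is OPTIONAL in RFC 4120). */
struct as_req {
    heim_visible_string client_princ;
    heim_visible_string server_princ;
};

/* Bytes the two names contribute to an error reply; cannot fault on NULL. */
size_t error_reply_length(const struct as_req *req)
{
    return der_length_visible_string(&req->client_princ)
         + der_length_visible_string(&req->server_princ);
}

enum kdc_action { KDC_DROP, KDC_ERROR_REPLY, KDC_PROCESS };

/* Request gate in the spirit of the comment above: a request with no client
 * principal is logged and dropped, never answered, so the error-reply
 * builder only ever sees valid input. */
enum kdc_action handle_as_req(const struct as_req *req, size_t *err_len)
{
    *err_len = 0;
    if (req->client_princ == NULL) {
        fprintf(stderr, "AS-REQ malformed client name: dropping request\n");
        return KDC_DROP;
    }
    if (req->server_princ == NULL) {
        /* Missing server name: reply with an error instead of crashing. */
        *err_len = error_reply_length(req);
        return KDC_ERROR_REPLY;
    }
    return KDC_PROCESS;
}
```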

@Natureshadow (Author)

Agreed.

So, it would be great if we could get some patch very soon. Who is responsible for requesting a CVE identifier, so we can start tracking this security issue?

@abartlet (Member) commented Dec 5, 2017

I've not been able to reproduce this against Samba, so it looks like we lucked out given the age of our snapshot, as we don't have the changes in a873e21 yet.

These changes came from Samba. @metze-samba is the author and I reviewed them; however, Samba master only has the parent commit 25f3db9 (as 454db47eac1816efc28e3bdae188e784ee3a502e).

The issue is in forming the error reply packet based on variables sent by the client, which is why a log message is printed.

@abartlet (Member) commented Dec 5, 2017

To help others trying to follow this, the above referenced mail thread is:

http://www.h5l.org/pipermail/heimdal-discuss/2017-August/000259.html

@abartlet (Member) commented Dec 6, 2017

Fixed in master by 1a6a6e4 and in 7.1 by 749d377. Thanks!

I'll leave this for others to close once the CVE is assigned and a security release is made etc. Let me know if you have trouble getting a CVE and I'm sure I can prod the right folks.

@Natureshadow (Author)

I requested a CVE ID at MITRE.

@Natureshadow (Author)

Will there be a security release for this? If not, I will patch 7.4.0 in Debian with a patch.

@Natureshadow (Author)

CVE-2017-17439

@Natureshadow (Author)

Hello?

@jaltman (Member) commented Dec 8, 2017

@Natureshadow,

Thank you for obtaining the CVE. The heimdal-7.5.0 tag was pushed yesterday by @vdukhovni.
