Remote unauthenticated DoS in Heimdal-KDC 7.1 #353

Closed
Natureshadow opened this Issue Dec 5, 2017 · 12 comments


Natureshadow commented Dec 5, 2017

The following was reported in the Debian bug tracker at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878144

heimdal-kdc 7.1.0 is regularly observed to crash due to malformed client names in client requests received over the internet.

heimdal-kdc.log.5.gz:2017-08-06T12:06:05 AS-REQ malformed client name from IPv4:71.6.167.142

This leads to a segfault:

kdc[24683]: segfault at 18 ip 00007f8a096715d0 sp 00007ffd48ba4b28 error 4 in libasn1.so.8.0.0[7f8a095ea000+a7000]

The related code is in lib/asn1/der_length.c:

size_t der_length_visible_string (const heim_visible_string *data)
{
    return strlen(*data);
}

Proposed patch:

    /* replacement body for der_length_visible_string(): guard the NULL case before dereferencing */
    if (!data) return 0;
    else return strlen(*data);

It would be good to have this fix, or another one, approved quickly so we can get a patch in Debian's security release.
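As an added illustration (not code from the Heimdal tree or from the bug report), here is the vulnerable shape of der_length_visible_string() next to a NULL-safe form matching the proposed patch, plus a toy caller that walks the fields of an error reply the way the KDC's error path does. heim_visible_string is replaced by a hypothetical vis_string typedef, and error_reply_content_length() and struct error_reply_fields are invented for the demonstration; the sample field values are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Heimdal's heim_visible_string (a char pointer);
 * this whole file is an added illustration, not Heimdal's libasn1 code. */
typedef char *vis_string;

/* Shape of the original der_length_visible_string(): it dereferences *data
 * unconditionally, so a missing string is a NULL dereference and the KDC
 * segfaults while encoding the error reply. Kept only for contrast; never
 * call it with a NULL or with a pointer to a NULL string. */
size_t der_length_visible_string_unchecked(const vis_string *data)
{
    return strlen(*data);
}

/* Hardened form corresponding to the proposed patch: a NULL pointer, or a
 * pointer to a NULL string, encodes to zero length instead of faulting.
 * The caller still has to decide whether encoding anything is appropriate. */
size_t der_length_visible_string_checked(const vis_string *data)
{
    if (data == NULL || *data == NULL)
        return 0;
    return strlen(*data);
}

/* Toy model of an error reply whose string fields come from the client.
 * cname is NULL when the client principal failed to parse, exactly the
 * case in the report; sname may be NULL in some RFC 4120 situations. */
struct error_reply_fields {
    vis_string realm;
    vis_string cname;
    vis_string sname;
};

/* Sum the DER content length of all string fields, surviving absent ones. */
size_t error_reply_content_length(const struct error_reply_fields *f)
{
    size_t total = 0;
    total += der_length_visible_string_checked(&f->realm);
    total += der_length_visible_string_checked(&f->cname);
    total += der_length_visible_string_checked(&f->sname);
    return total;
}

int main(void)
{
    /* Constructed sample: realm and sname present, client name missing. */
    struct error_reply_fields f = { "EXAMPLE.ORG", NULL, "krbtgt/EXAMPLE.ORG" };
    printf("content length = %zu\n", error_reply_content_length(&f));
    return 0;
}
```

The checked variant only stops the crash; whether the KDC should be building a reply from such a request at all is a separate decision in the caller.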

Natureshadow commented Dec 5, 2017

The Debian bug report also contains PoC exploit code. Unfortunately, responsible disclosure is not possible anymore, as the bug was reported directly and publicly in the Debian BTS after the Heimdal maintainers failed to reply to private mail.

It seems advisable to get a CVE ID and make an advisory.

abartlet (Member) commented Dec 5, 2017

I'm going to start looking at this today.

jaltman (Member) commented Dec 5, 2017

There was a patch sent to a public heimdal mailing list over the summer. That patch was not accepted because there were open questions regarding what the proper error handling should be, both for the missing client_princ as well as a potential missing server_princ, which is permitted by RFC4120 in some situations but not others.

Patching the der_length_xxxx() functions to return 0 for NULL pointer across the board makes sense from a cleanliness perspective. However, _kdc_as_rep() must still be properly reviewed so that _kdc_fast_mk_error() is only called with valid input and only when appropriate.

For example, in this particular case, the AS_REQ packets with an empty client principal are being sent in order to inventory KDC processes around the world. It might be best to not send an error reply and simply drop the request instead.
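To make the caller-side point concrete, here is an added example (not Heimdal's code) of a toy AS-REQ handler that validates the client-supplied names before any error reply is encoded: a request with a missing client name is logged in the style of the line quoted in the report and dropped without a reply, and the reply builder is only ever called with a non-NULL cname. as_req_t, kdc_classify_as_req(), build_error_reply(), kdc_handle_as_req(), struct kdc_error and KNOWN_CLIENTS are hypothetical names; the error code value is RFC 4120's KDC_ERR_C_PRINCIPAL_UNKNOWN; the treatment of a missing sname is an assumption made for the illustration, since the real rule depends on the exchange; the sample requests and addresses are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the request-handling policy discussed above. All
 * names here are hypothetical; nothing below is Heimdal's _kdc_as_rep()
 * or _kdc_fast_mk_error(). */

typedef struct {
    const char *client_addr;  /* textual peer address, used only for logging */
    const char *cname;        /* NULL when the client principal did not parse */
    const char *sname;        /* NULL when no server principal was sent */
} as_req_t;

enum kdc_disposition { KDC_DROP = 0, KDC_ERROR_REPLY = 1, KDC_ISSUE_TICKET = 2 };

/* KDC_ERR_C_PRINCIPAL_UNKNOWN as defined in RFC 4120 section 7.5.9. */
#define KDC_ERR_C_PRINCIPAL_UNKNOWN 6

/* Constructed stand-in for the principal database. */
static const char *const KNOWN_CLIENTS[] = { "alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG" };

static int client_is_known(const char *cname)
{
    size_t i;
    for (i = 0; i < sizeof KNOWN_CLIENTS / sizeof KNOWN_CLIENTS[0]; i++)
        if (strcmp(KNOWN_CLIENTS[i], cname) == 0)
            return 1;
    return 0;
}

/* Decide what to do with a request before anything is encoded. A request
 * whose client name is missing is logged and dropped outright: building an
 * error reply from it is the path that crashed, and a reply would only
 * confirm to a scanner that a KDC is listening. */
enum kdc_disposition kdc_classify_as_req(const as_req_t *req, char *logbuf, size_t logsz)
{
    if (req->cname == NULL || req->cname[0] == '\0') {
        snprintf(logbuf, logsz, "AS-REQ malformed client name from %s", req->client_addr);
        return KDC_DROP;
    }
    if (!client_is_known(req->cname)) {
        snprintf(logbuf, logsz, "AS-REQ for unknown client %s from %s", req->cname, req->client_addr);
        return KDC_ERROR_REPLY;
    }
    snprintf(logbuf, logsz, "AS-REQ from %s for %s", req->client_addr, req->cname);
    return KDC_ISSUE_TICKET;
}

/* Toy error reply. The builder is reached only with a validated request;
 * an absent sname is rendered as an empty field (assumption for this
 * illustration, not Heimdal's behaviour). */
struct kdc_error { int error_code; char cname[64]; char sname[64]; };

int build_error_reply(const as_req_t *req, int error_code, struct kdc_error *out)
{
    if (req->cname == NULL)  /* defence in depth: refuse rather than dereference */
        return -1;
    out->error_code = error_code;
    snprintf(out->cname, sizeof out->cname, "%s", req->cname);
    snprintf(out->sname, sizeof out->sname, "%s", req->sname ? req->sname : "");
    return 0;
}

/* Full path for one request: classify first, encode only when appropriate.
 * *out is filled only when the result is KDC_ERROR_REPLY. */
enum kdc_disposition kdc_handle_as_req(const as_req_t *req, struct kdc_error *out, char *logbuf, size_t logsz)
{
    enum kdc_disposition d = kdc_classify_as_req(req, logbuf, logsz);
    if (d == KDC_ERROR_REPLY && build_error_reply(req, KDC_ERR_C_PRINCIPAL_UNKNOWN, out) != 0)
        return KDC_DROP;
    return d;
}

int main(void)
{
    /* Constructed sample traffic: a probe with no client name, an unknown
     * principal, and a legitimate request. */
    const as_req_t probes[] = {
        { "IPv4:192.0.2.10", NULL, "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG" },
        { "IPv4:192.0.2.11", "mallory@EXAMPLE.ORG", NULL },
        { "IPv4:192.0.2.12", "alice@EXAMPLE.ORG", "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG" },
    };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct kdc_error err;
        char line[160];
        enum kdc_disposition d = kdc_handle_as_req(&probes[i], &err, line, sizeof line);
        printf("%s -> %s\n", line, d == KDC_DROP ? "drop" : d == KDC_ERROR_REPLY ? "KRB-ERROR" : "ticket");
    }
    return 0;
}
```

The split between classification and encoding is the point: the encoder never sees a request the classifier has rejected, so a NULL-safe der_length_xxxx() becomes a second line of defence rather than the only one.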

Natureshadow commented Dec 5, 2017

Agreed.

So, it would be great if we could get some patch very soon. Who is responsible for requesting a CVE identifier, so we can start tracking this security issue?

abartlet (Member) commented Dec 5, 2017

I've not been able to reproduce this against Samba, so it looks like we lucked out given the age of our snapshot, as we don't have the changes in a873e21 yet.

These changes came from Samba. @metze-samba is the author and I reviewed them, however Samba master only has the parent commit 25f3db9 (as 454db47eac1816efc28e3bdae188e784ee3a502e).

The issue is in forming the error reply packet based on variables sent by the client, which is why a log message is printed.

abartlet (Member) commented Dec 5, 2017

To help others trying to follow this, the above referenced mail thread is:

http://www.h5l.org/pipermail/heimdal-discuss/2017-August/000259.html

abartlet (Member) commented Dec 6, 2017

Fixed in master by 1a6a6e4 and in 7.1 by 749d377. Thanks!

I'll leave this for others to close once the CVE is assigned and a security release is made etc. Let me know if you have trouble getting a CVE and I'm sure I can prod the right folks.

Natureshadow commented Dec 6, 2017

I requested a CVE ID at MITRE.

Natureshadow commented Dec 6, 2017

Will there be a security release for this? If not, I will patch 7.4.0 in Debian with a patch.

Natureshadow commented Dec 6, 2017

CVE-2017-17439


Natureshadow commented Dec 8, 2017

Hello?

jaltman (Member) commented Dec 8, 2017

@Natureshadow,

Thank you for obtaining the CVE. The heimdal-7.5.0 tag was pushed yesterday by @vdukhovni.
