Fix KDC null deref on TGS inner body null server
After the KDC decodes a FAST inner body, it does not check for a null
server.  Prior to commit 39548a5 this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference.  Add
a null check.

Reported by Joseph Sutton of Catalyst.

CVE-2021-37750:

In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.

ticket: 9008 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
greghudson committed Aug 19, 2021
1 parent 35fac31 commit d775c95
Showing 1 changed file with 5 additions and 0 deletions.
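The bug class the commit message describes, as an added illustration that is not MIT krb5 code: a FAST-armored TGS-REQ carries an inner body that replaces the outer request after decoding, and a field that is optional in the decoded structure (the server principal) must be validated on the inner body, because that is the object later code dereferences. Every struct, function and constant below is an invented stand-in for the krb5 pieces it mimics (kdc_find_fast, get_local_tgt, krb5_kdc_req); the "before" function is a stylised model of the gap, not the pre-fix krb5 source, which according to the message failed later inside krb5_unparse_name() instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not krb5 code.  All names are invented stand-ins.
 * MODEL_KDC_ERR_S_PRINCIPAL_UNKNOWN uses the RFC 4120 KDC error number 7. */
#define MODEL_KDC_ERR_S_PRINCIPAL_UNKNOWN 7

struct model_principal {
    const char *realm;
    const char *name;
};

struct model_kdc_req {
    const struct model_principal *server;    /* optional in the encoding: NULL if absent */
    const struct model_kdc_req *fast_inner;  /* inner body when FAST armor was used */
};

/* Stand-in for kdc_find_fast(): swap in the FAST inner body when present. */
static int
model_find_fast(const struct model_kdc_req **request)
{
    if ((*request)->fast_inner != NULL)
        *request = (*request)->fast_inner;
    return 0;
}

/* Stand-in for get_local_tgt(): dereferences the server realm, which is why
 * a NULL server principal has to be rejected before this call. */
static int
model_get_local_tgt(const char *realm, char *out, size_t outlen)
{
    snprintf(out, outlen, "krbtgt/%s@%s", realm, realm);
    return 0;
}

/* Model of the gap (assumption, not the real pre-fix code): the server is
 * checked on the outer body only, so a FAST inner body without a server
 * reaches the dereference.  Do not call it with such a request; it crashes. */
static int
model_process_tgs_req_before(const struct model_kdc_req *request,
                             char *tgt, size_t tgtlen, const char **status)
{
    const struct model_principal *sprinc;
    int errcode;

    if (request->server == NULL) {
        *status = "NULL_SERVER";
        return MODEL_KDC_ERR_S_PRINCIPAL_UNKNOWN;
    }
    errcode = model_find_fast(&request);        /* request may now be the inner body */
    if (errcode != 0) {
        *status = "FIND_FAST";
        return errcode;
    }
    sprinc = request->server;                   /* may be NULL here */
    return model_get_local_tgt(sprinc->realm, tgt, tgtlen);
}

/* Model of the fix: check the server after the inner body is in place,
 * mirroring the NULL_SERVER / KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN branch. */
static int
model_process_tgs_req_fixed(const struct model_kdc_req *request,
                            char *tgt, size_t tgtlen, const char **status)
{
    const struct model_principal *sprinc;
    int errcode;

    errcode = model_find_fast(&request);
    if (errcode != 0) {
        *status = "FIND_FAST";
        return errcode;
    }
    sprinc = request->server;
    if (sprinc == NULL) {
        *status = "NULL_SERVER";
        return MODEL_KDC_ERR_S_PRINCIPAL_UNKNOWN;
    }
    *status = "OK";
    return model_get_local_tgt(sprinc->realm, tgt, tgtlen);
}

/* Constructed sample requests: a plain TGS-REQ, and a FAST TGS-REQ whose
 * outer body names a server but whose inner body omits it. */
static const struct model_principal model_host = { "EXAMPLE.COM", "host/kdc" };
static const struct model_kdc_req model_plain_req = { &model_host, NULL };
static const struct model_kdc_req model_inner_no_server = { NULL, NULL };
static const struct model_kdc_req model_fast_req = { &model_host, &model_inner_no_server };

int
main(void)
{
    char tgt[128];
    const char *status = NULL;
    int rc;

    rc = model_process_tgs_req_fixed(&model_plain_req, tgt, sizeof(tgt), &status);
    printf("plain TGS-REQ: rc=%d status=%s tgt=%s\n", rc, status, tgt);
    rc = model_process_tgs_req_fixed(&model_fast_req, tgt, sizeof(tgt), &status);
    printf("FAST TGS-REQ, inner body without server: rc=%d status=%s\n", rc, status);
    return 0;
}
```

The general point the model makes is that any validation performed before a decode step that replaces the request object is not validation of what the rest of the handler sees; re-checking optional fields on the swapped-in body, as the hunk below does for sprinc, is the pattern to apply wherever FAST or similar wrapping substitutes an inner structure.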
5 changes: 5 additions & 0 deletions src/kdc/do_tgs_req.c
Expand Up @@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
status = "FIND_FAST";
goto cleanup;
}
if (sprinc == NULL) {
status = "NULL_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
}

errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
&local_tgt, &local_tgt_storage, &local_tgt_key);
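Review bot: no regression test accompanies the new sprinc check (the commit touches only src/kdc/do_tgs_req.c), so a KDC test that sends a FAST TGS-REQ whose inner body omits the server field and expects KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN back would keep this path covered. The placement of the check itself is right: it must come after the FIND_FAST block, once the inner body has replaced the request, and before `get_local_tgt(kdc_context, &sprinc->realm, header_server,`, which is the first dereference of sprinc. Worth confirming in the same review is that the new status string "NULL_SERVER" is emitted on the cleanup path the same way the existing "FIND_FAST" status is, since that log line is what an operator would search for when looking for CVE-2021-37750 attempts against a KDC.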
