touch-packages team mailing list archive

[Bug 1354714] [NEW] buffer overrun in kadmind with ldap backend
*** This bug is a security vulnerability ***

Public security bug reported:

    Fix LDAP key data segmentation [CVE-2014-4345]
    
    For principal entries having keys with multiple kvnos (due to use of
    -keepold), the LDAP KDB module makes an attempt to store all the keys
    having the same kvno into a single krbPrincipalKey attribute value.
    There is a fencepost error in the loop, causing currkvno to be set to
    the just-processed value instead of the next kvno.  As a result, the
    second and all following groups of multiple keys by kvno are each
    stored in two krbPrincipalKey attribute values.  Fix the loop to use
    the correct kvno value.
    
    CVE-2014-4345:
    
    In MIT krb5, when kadmind is configured to use LDAP for the KDC
    database, an authenticated remote attacker can cause it to perform an
    out-of-bounds write (buffer overrun) by performing multiple cpw
    -keepold operations.  An off-by-one error while copying key
    information to the new database entry results in keys sharing a common
    kvno being written to different array buckets, in an array whose size
    is determined by the number of kvnos present.  After sufficient
    iterations, the extra writes extend past the end of the
    (NULL-terminated) array.  The NULL terminator is always written after
    the end of the loop, so no out-of-bounds data is read, it is only
    written.
    
    Historically, it has been possible to convert an out-of-bounds write
    into remote code execution in some cases, though the necessary
    exploits must be tailored to the individual application and are
    usually quite complicated.  Depending on the allocated length of the
    array, an out-of-bounds write may also cause a segmentation fault
    and/or application crash.
    
        CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
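A modelled version of the loop the advisory above describes, added here as an illustration and not taken from the bug report or from the krb5 source: it runs the fencepost-buggy update of currkvno and the corrected one side by side over a constructed key list, with the segment array bounds-checked so the number of writes that would land past the allocation can be counted instead of corrupting memory. The struct names, the segment representation (an index range instead of the DER-encoded key sequence the real module stores), the descending-kvno sample principal and the placeholder enctype numbers are all assumptions of the example; the array sizing follows the advisory, one slot per kvno plus the NULL terminator.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the two krb5_key_data fields the loop looks at (constructed). */
struct key_data {
    int kvno;
    int enctype;
};

/* In this model one krbPrincipalKey attribute value is just the slice of the
 * key array it would carry; the real code stores a DER-encoded key sequence. */
struct segment {
    int first;   /* index of the first key in the group */
    int count;   /* number of keys in the group; 0 marks the terminator */
};

/* Distinct kvnos in a kvno-sorted array: this is what sizes the array. */
static int count_versions(const struct key_data *kd, int n)
{
    int versions = 0;
    for (int i = 0; i < n; i++)
        if (i == 0 || kd[i].kvno != kd[i - 1].kvno)
            versions++;
    return versions;
}

/* The segmentation loop.  'fixed' selects the corrected currkvno update.
 * Writes are bounds-checked against 'capacity' so the overrun is counted
 * instead of corrupting memory.  Returns the number of segment writes the
 * loop attempted; *overruns receives how many fell past the array. */
static int segment_keys(const struct key_data *kd, int n, int fixed,
                        struct segment *out, int capacity, int *overruns)
{
    int j = 0, last = 0, currkvno;

    *overruns = 0;
    if (n <= 0)
        return 0;
    currkvno = kd[0].kvno;
    for (int i = 0; i < n; i++) {
        /* Close the group when the next key has a different kvno, or at the end. */
        if (i == n - 1 || kd[i + 1].kvno != currkvno) {
            if (j < capacity) {
                out[j].first = last;
                out[j].count = i - last + 1;
            } else {
                (*overruns)++;             /* real code: out-of-bounds write here */
            }
            j++;
            last = i + 1;
            if (!fixed)
                currkvno = kd[i].kvno;     /* fencepost bug: the kvno just processed */
            else if (i < n - 1)
                currkvno = kd[i + 1].kvno; /* fix: the kvno of the next group */
        }
    }
    return j;
}

/* Constructed principal: 'groups' kvnos, highest first, 'per' keys each
 * (several enctypes per kvno, as -keepold principals usually have). */
static int run_model(int groups, int per, int fixed, int *overruns)
{
    int n = groups * per;
    struct key_data *kd = calloc((size_t)n + 1, sizeof(*kd));
    for (int i = 0; i < n; i++) {
        kd[i].kvno = groups - i / per;
        kd[i].enctype = 17 + i % per;     /* placeholder enctype numbers */
    }
    int versions = count_versions(kd, n);
    int capacity = versions + 1;          /* one slot per kvno plus the terminator */
    struct segment *out = calloc((size_t)capacity, sizeof(*out));
    int written = segment_keys(kd, n, fixed, out, capacity, overruns);
    out[versions].count = 0;              /* terminator, written after the loop: it
                                             silently clobbers any stray segment the
                                             buggy loop already put in that slot */
    free(out);
    free(kd);
    return written;
}

int segment_writes(int groups, int per, int fixed)
{
    int overruns;
    return run_model(groups, per, fixed, &overruns);
}

int overrun_writes(int groups, int per, int fixed)
{
    int overruns;
    run_model(groups, per, fixed, &overruns);
    return overruns;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++)
        printf("%s loop, 4 kvnos x 2 keys: %d segment writes, %d past the %d-slot array\n",
               fixed ? "fixed" : "buggy",
               segment_writes(4, 2, fixed), overrun_writes(4, 2, fixed), 4 + 1);
    return 0;
}
```

With the buggy update, four kvnos of two keys each produce seven segment writes against five allocated slots: the first group is stored whole, every later group is split into a one-key segment plus the remainder, the write that lands on the terminator slot is then overwritten by the terminator (so keys are lost without any error), and the remaining writes go past the allocation, which is the out-of-bounds write the advisory rates. In this model a principal with a single key per kvno happens to be segmented correctly even with the stale currkvno, which is why the bug needs -keepold principals carrying several enctypes per kvno to trigger.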

** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: krb5 (Debian)
     Importance: Unknown
         Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4345

** Bug watch added: Debian Bug tracker #757416
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757416

** Also affects: krb5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757416
   Importance: Unknown
       Status: Unknown

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1354714

Title:
  buffer overrun in kadmind with ldap backend

Status in “krb5” package in Ubuntu:
  New
Status in “krb5” package in Debian:
  Unknown

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1354714/+subscriptions