|
 |
e152901 |
commit f18ddf5d82de0ab7591a36e465bc24225776940f
|
|
|
e152901 |
Author: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
e152901 |
Date: Tue Jul 15 12:54:15 2014 -0400
|
|
|
e152901 |
|
|
|
e152901 |
Fix double-free in SPNEGO [CVE-2014-4343]
|
|
|
e152901 |
|
|
|
e152901 |
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
|
|
|
e152901 |
pointer sc->internal_mech became an alias into sc->mech_set->elements,
|
|
|
e152901 |
which should be considered constant for the duration of the SPNEGO
|
|
|
e152901 |
context. So don't free it.
|
|
|
e152901 |
|
|
|
e152901 |
CVE-2014-4343:
|
|
|
e152901 |
|
|
|
e152901 |
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
|
|
|
e152901 |
attacker with the ability to spoof packets appearing to be from a
|
|
|
e152901 |
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
|
|
|
e152901 |
(clients) which are using the SPNEGO mechanism, by returning a
|
|
|
e152901 |
different underlying mechanism than was proposed by the initiator. At
|
|
|
e152901 |
this stage of the negotiation, the acceptor is unauthenticated, and
|
|
|
e152901 |
the acceptor's response could be spoofed by an attacker with the
|
|
|
e152901 |
ability to inject traffic to the initiator.
|
|
|
e152901 |
|
|
|
e152901 |
Historically, some double-free vulnerabilities can be translated into
|
|
|
e152901 |
remote code execution, though the necessary exploits must be tailored
|
|
|
e152901 |
to the individual application and are usually quite
|
|
|
e152901 |
complicated. Double-frees can also be exploited to cause an
|
|
|
e152901 |
application crash, for a denial of service. However, most GSSAPI
|
|
|
e152901 |
client applications are not vulnerable, as the SPNEGO mechanism is not
|
|
|
e152901 |
used by default (when GSS_C_NO_OID is passed as the mech_type argument
|
|
|
e152901 |
to gss_init_sec_context()). The most common use of SPNEGO is for
|
|
|
e152901 |
HTTP-Negotiate, used in web browsers and other web clients. Most such
|
|
|
e152901 |
clients are believed to not offer HTTP-Negotiate by default, instead
|
|
|
e152901 |
requiring a whitelist of sites for which it may be used to be
|
|
|
e152901 |
configured. If the whitelist is configured to only allow
|
|
|
e152901 |
HTTP-Negotiate over TLS connections ("https://"), a successful
|
|
|
e152901 |
attacker must also spoof the web server's SSL certificate, due to the
|
|
|
e152901 |
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
|
|
|
e152901 |
response message. Unfortunately, many instructions for enabling
|
|
|
e152901 |
HTTP-Negotiate in common web browsers do not include a TLS
|
|
|
e152901 |
requirement.
|
|
|
e152901 |
|
|
|
e152901 |
CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
|
|
|
e152901 |
|
|
|
e152901 |
[kaduk@mit.edu: CVE summary and CVSSv2 vector]
|
|
|
e152901 |
|
|
|
e152901 |
ticket: 7969 (new)
|
|
|
e152901 |
target_version: 1.12.2
|
|
|
e152901 |
tags: pullup
|
|
|
1201bf9 |
|
|
|
1201bf9 |
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
|
|
1201bf9 |
index 173c6d2..8f829d8 100644
|
|
|
1201bf9 |
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
|
|
1201bf9 |
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
|
|
1201bf9 |
@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
|
|
|
1201bf9 |
OM_uint32 tmpmin;
|
|
|
1201bf9 |
size_t i;
|
|
|
1201bf9 |
|
|
|
1201bf9 |
- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
|
|
|
1201bf9 |
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
|
|
|
1201bf9 |
GSS_C_NO_BUFFER);
|
|
|
1201bf9 |
|