|
 |
e58a44 |
From 3b2376b47a9f1fc7dfd138d4ecc70e5d8897dc2b Mon Sep 17 00:00:00 2001
|
|
|
e58a44 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
e58a44 |
Date: Thu, 13 Jul 2017 12:14:20 -0400
|
|
|
e58a44 |
Subject: [PATCH] Prevent KDC unset status assertion failures
|
|
|
e58a44 |
|
|
|
e58a44 |
Assign status values if S4U2Self padata fails to decode, if an
|
|
|
e58a44 |
S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
|
|
|
e58a44 |
uses an evidence ticket which does not match the canonicalized request
|
|
|
e58a44 |
server principal name. Reported by Samuel Cabrero.
|
|
|
e58a44 |
|
|
|
e58a44 |
If a status value is not assigned during KDC processing, default to
|
|
|
e58a44 |
"UNKNOWN_REASON" rather than failing an assertion. This change will
|
|
|
e58a44 |
prevent future denial of service bugs due to similar mistakes, and
|
|
|
e58a44 |
will allow us to omit assigning status values for unlikely errors such
|
|
|
e58a44 |
as small memory allocation failures.
|
|
|
e58a44 |
|
|
|
e58a44 |
CVE-2017-11368:
|
|
|
e58a44 |
|
|
|
e58a44 |
In MIT krb5 1.7 and later, an authenticated attacker can cause an
|
|
|
e58a44 |
assertion failure in krb5kdc by sending an invalid S4U2Self or
|
|
|
e58a44 |
S4U2Proxy request.
|
|
|
e58a44 |
|
|
|
e58a44 |
CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
|
|
|
e58a44 |
|
|
|
e58a44 |
ticket: 8599 (new)
|
|
|
e58a44 |
target_version: 1.15-next
|
|
|
e58a44 |
target_version: 1.14-next
|
|
|
e58a44 |
tags: pullup
|
|
|
e58a44 |
|
|
|
e58a44 |
(cherry picked from commit ffb35baac6981f9e8914f8f3bffd37f284b85970)
|
|
|
e58a44 |
---
|
|
|
e58a44 |
src/kdc/do_as_req.c | 4 ++--
|
|
|
e58a44 |
src/kdc/do_tgs_req.c | 3 ++-
|
|
|
e58a44 |
src/kdc/kdc_util.c | 10 ++++++++--
|
|
|
e58a44 |
3 files changed, 12 insertions(+), 5 deletions(-)
|
|
|
e58a44 |
|
|
|
e58a44 |
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
|
|
|
e58a44 |
index 241b05b40..f5cf8ad89 100644
|
|
|
e58a44 |
--- a/src/kdc/do_as_req.c
|
|
|
e58a44 |
+++ b/src/kdc/do_as_req.c
|
|
|
e58a44 |
@@ -372,8 +372,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
|
|
|
e58a44 |
did_log = 1;
|
|
|
e58a44 |
|
|
|
e58a44 |
egress:
|
|
|
e58a44 |
- if (errcode != 0)
|
|
|
e58a44 |
- assert (state->status != 0);
|
|
|
e58a44 |
+ if (errcode != 0 && state->status == NULL)
|
|
|
e58a44 |
+ state->status = "UNKNOWN_REASON";
|
|
|
e58a44 |
|
|
|
e58a44 |
au_state->status = state->status;
|
|
|
e58a44 |
au_state->reply = &state->reply;
|
|
|
e58a44 |
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
|
|
e58a44 |
index 4c722a4a3..0009a9319 100644
|
|
|
e58a44 |
--- a/src/kdc/do_tgs_req.c
|
|
|
e58a44 |
+++ b/src/kdc/do_tgs_req.c
|
|
|
e58a44 |
@@ -829,7 +829,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
|
|
|
e58a44 |
free(reply.enc_part.ciphertext.data);
|
|
|
e58a44 |
|
|
|
e58a44 |
cleanup:
|
|
|
e58a44 |
- assert(status != NULL);
|
|
|
e58a44 |
+ if (status == NULL)
|
|
|
e58a44 |
+ status = "UNKNOWN_REASON";
|
|
|
e58a44 |
if (reply_key)
|
|
|
e58a44 |
krb5_free_keyblock(kdc_context, reply_key);
|
|
|
e58a44 |
if (errcode)
|
|
|
e58a44 |
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
|
|
e58a44 |
index 8cbdf2c5b..5455e2a67 100644
|
|
|
e58a44 |
--- a/src/kdc/kdc_util.c
|
|
|
e58a44 |
+++ b/src/kdc/kdc_util.c
|
|
|
e58a44 |
@@ -1213,8 +1213,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
|
|
|
e58a44 |
req_data.data = (char *)pa_data->contents;
|
|
|
e58a44 |
|
|
|
e58a44 |
code = decode_krb5_pa_for_user(&req_data, &for_user);
|
|
|
e58a44 |
- if (code)
|
|
|
e58a44 |
+ if (code) {
|
|
|
e58a44 |
+ *status = "DECODE_PA_FOR_USER";
|
|
|
e58a44 |
return code;
|
|
|
e58a44 |
+ }
|
|
|
e58a44 |
|
|
|
e58a44 |
code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
|
|
|
e58a44 |
if (code) {
|
|
|
e58a44 |
@@ -1313,8 +1315,10 @@ kdc_process_s4u_x509_user(krb5_context context,
|
|
|
e58a44 |
req_data.data = (char *)pa_data->contents;
|
|
|
e58a44 |
|
|
|
e58a44 |
code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
|
|
|
e58a44 |
- if (code)
|
|
|
e58a44 |
+ if (code) {
|
|
|
e58a44 |
+ *status = "DECODE_PA_S4U_X509_USER";
|
|
|
e58a44 |
return code;
|
|
|
e58a44 |
+ }
|
|
|
e58a44 |
|
|
|
e58a44 |
code = verify_s4u_x509_user_checksum(context,
|
|
|
e58a44 |
tgs_subkey ? tgs_subkey :
|
|
|
e58a44 |
@@ -1617,6 +1621,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
|
|
|
e58a44 |
* that is validated previously in validate_tgs_request().
|
|
|
e58a44 |
*/
|
|
|
e58a44 |
if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
|
|
|
e58a44 |
+ *status = "INVALID_S4U2PROXY_OPTIONS";
|
|
|
e58a44 |
return KRB5KDC_ERR_BADOPTION;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
|
|
|
e58a44 |
@@ -1624,6 +1629,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
|
|
|
e58a44 |
if (!krb5_principal_compare(kdc_context,
|
|
|
e58a44 |
server->princ, /* after canon */
|
|
|
e58a44 |
server_princ)) {
|
|
|
e58a44 |
+ *status = "EVIDENCE_TICKET_MISMATCH";
|
|
|
e58a44 |
return KRB5KDC_ERR_SERVER_NOMATCH;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
|