MITKRB5-SA-2009-001: multiple vulnerabilities in SPNEGO, ASN.1 decoder [CVE-2009-0844 CVE-2009-0845 CVE-2009-0847]

[Tom Yu <tlyu@xxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2009-001

MIT krb5 Security Advisory 2009-001
Original release: 2009-04-07
Last update: 2009-04-07

Topic: multiple vulnerabilities in SPNEGO, ASN.1 decoder

[CVE-2009-0844]
SPNEGO implementation can read beyond buffer end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      8.5

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Partial
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.7

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

[CVE-2009-0845]
SPNEGO implementation can dereference a null pointer

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

[CVE-2009-0847]
ASN.1 decoder incorrect length validation

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

See DETAILS for the expanded CVSSv2 metrics for CVE-2009-0845 and
CVE-2009-0847.

SUMMARY
=======

These are implementation vulnerabilities in MIT krb5, and not
vulnerabilities in the Kerberos protocol.

[CVE-2009-0844]

The MIT krb5 implementation of the SPNEGO GSS-API mechanism can read
beyond the end of a network input buffer.  This can cause a GSS-API
application to crash by reading from invalid address space.  Under
theoretically possible but very unlikely conditions, a small
information leak may occur.  We believe that no successful exploit
exists that could induce an information leak.

[CVE-2009-0845]

The MIT krb5 implementation of the SPNEGO GSS-API mechanism can
dereference a null pointer under error conditions. This can cause a
GSS-API application to crash.  This vulnerability was previously
publicly disclosed.

[CVE-2009-0847]

MIT krb5 can perform an incorrect length check inside an ASN.1
decoder.  This only presents a problem in the PK-INIT code paths.  In
the MIT krb5 KDC or kinit program, this could lead to spurious
malloc() failures or, under some conditions, program crash.  We have
heard reports of the spurious malloc() failures, but nobody has yet
made the publicly made the connection to a security issue.

IMPACT
======

[CVE-2009-0844] An unauthenticated, remote attacker could cause a
GSS-API application, including the Kerberos administration daemon
(kadmind) to crash.  Under extremely unlikely conditions, there may be
a theoretical possibility of a small information disclosure.

[CVE-2009-0845] An unauthenticated, remote attacker could cause a
GSS-API application, including the Kerberos administration daemon
(kadmind) to crash.

[CVE-2009-0847] An unauthenticated, remote attacker could cause a KDC
or kinit program to crash.

AFFECTED SOFTWARE
=================

[CVE-2009-0844 CVE-2009-0845]

* kadmind in MIT releases krb5-1.5 and later

* FTP daemon in MIT releases krb5-1.5 and later

* Third-party software using the GSS-API library from MIT krb5
  releases krb5-1.5 and later

* MIT releases prior to krb5-1.5 did not contain the vulnerable code.

[CVE-2009-0847]

* The kinit program and the KDC from MIT krb5 release krb5-1.6.3.
  Prior releases contained the vulnerable code, but the vulnerability
  was masked due to operations performed by other code.

FIXES
=====

* The upcoming krb5-1.7 and krb5-1.6.4 releases will contain fixes for
  these vulnerabilities.

* Apply the patch, available at

  http://web.mit.edu/kerberos/advisories/2009-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2009-001-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2009-0844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0844

CVE: CVE-2009-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845

CVE: CVE-2009-0847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0847

CERT: VU#662091
http://www.kb.cert.org/vuls/id/662091

http://krbdev.mit.edu/rt/Ticket/Display.html?id=6402

ACKNOWLEDGMENTS
===============

CVE-2009-0844 was discovered by Product Security at Apple, Inc.  We
thank Apple and Sun for suggesting improvements to the patches.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@xxxxxxx>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@xxxxxxx>

DETAILS
=======

[CVE-2009-0844]

The get_input_token() function in the SPNEGO implementation can read
beyond the end of a network input buffer.  A length encoding that
decodes to a value exceeding the number of remaining bytes in the
input buffer will cause the function to copy memory past the end of
the input buffer.

[CVE-2009-0845]

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.1

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The spnego_gss_accept_sec_context() function in the GSS-API SPNEGO
implementation can dereference a null pointer under error conditions.
Cleanup code in this function can call the helper function
make_spnego_tokenTarg_msg() without first confirming that the value of
the "sc" variable is not null, thus causing a null pointer
dereference.

[CVE-2009-0847]

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.1

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The asn1buf_imbed() function incorrectly checks lengths by comparing
pointers after performing pointer arithmetic using an unchecked input
length.  In addition, the functions asn1buf_remove_charstring() and
asn1buf_remove_octetstring() rely on an invariant that is violated
when asn1buf_imbed() incorrectly validates lengths, performing pointer
arithmetic using the invalid length.  Consequently, malloc() receives
a very large number as its argument.  If the malloc() call somehow
succeeds, the copy from the input buffer is likely to cross unmapped
address space, causing a crash.

Prior to the implementation of PK-INIT, the vulnerability was masked
because no ASN.1 decoder used asn1buf_remove_charstring() or
asn1buf_remove_octetstring() immediately following the use of
asn1buf_imbed().  Protocol elements of PK-INIT require this sequence
of calls in the decoder, unmasking the latent vulnerability.

REVISION HISTORY
================

2009-04-07      original release

Copyright (C) 2009 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iQCVAgUBSduVZabDgE/zdoE9AQI9OgP+OymYyzsFHkUcUWjEVtiFPxKCYh6uZvIj
foqgws9Kv4/TZ44SsJJLURCBgBthm/2coWwlaxaFdDgzXxH/KUW5J9UEBy/rraNx
tLh9CFcuP/uG12N9+Hp9BmlO8euu60cMKRlhAKUuOLTLj74RPMYIID6TE4VgE0g8
UKIvMyadl2I=
=OU63
-----END PGP SIGNATURE-----