Re: 3 kerberos security issues

<mailman.32.1709325491.2322.kerberos@mit.edu>

  copy mid

https://www.rocksolidbbs.com/devel/article-flat.php?id=483&group=comp.protocols.kerberos#483

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: ghudson@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: Re: 3 kerberos security issues
Date: Fri, 1 Mar 2024 15:38:04 -0500
Organization: TNet Consulting
Lines: 28
Message-ID: <mailman.32.1709325491.2322.kerberos@mit.edu>
References: <20240301121305.s76fxuoesmnupbuw@castor>
<a53ee311-4d4c-48c8-ae66-f0e90de544c8@mit.edu>
To: Alexander Bergmann <abergmann@suse.com>, kerberos@mit.edu
In-Reply-To: <20240301121305.s76fxuoesmnupbuw@castor>
by: Greg Hudson - Fri, 1 Mar 2024 20:38 UTC

On 3/1/24 07:13, Alexander Bergmann via Kerberos wrote:
> We got notified via NVD about 3 new security issues. Right now there
> seems to be no upstream reference. Could someone please comment on this?
>
> CVE-2024-26458: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c
> CVE-2024-26461: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c
> CVE-2024-26462: Memory leak at /krb5/src/kdc/ndr.c

These CVEs appear to be the result of someone running a static analysis
tool over the MIT krb5 code base and assigning CVEs to each resulting
defect, without performing any additional impact analysis or upstream
consultation.

The pmap_rmt.c leak only affects pmap_rmtcall(), which is unused by the
rest of the krb5 code base and likely unused by anyone else.

The k5sealv3.c leak affects an encoding function, and happens on a
bounds check which likely cannot be triggered with any choice of
memory-valid API inputs. (The bounds check was itself introduced to
quash a different static analysis defect.)

The ndr.c leak also affects an encoding function, and triggers if the
input contains invalid UTF-8. This one might be triggerable by a
request (though it may require elevated privilege), but I would not have
requested a CVE for it myself.

I will fix these on the mainline, but I only expect to assign a ticket
to the third one.
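The ndr.c item above describes an encoder that leaks on its invalid-UTF-8 error path. As an added illustration (not krb5 code and not from the post), here is that defect shape next to the closed form, with a constructed allocation counter so the difference is observable; the encoder, its wire format and every name here are hypothetical.

```c
/* Added illustration of the defect class described for ndr.c: a leak on the
 * invalid-UTF-8 error path of an encoder. Hypothetical code, not krb5's. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
static int live_allocs = 0;  /* constructed instrumentation for the test */
static void *xalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
int outstanding_allocs(void) { return live_allocs; }
/* 1 if s[0..len) is well-formed UTF-8 (RFC 3629: no overlongs, surrogates, > U+10FFFF). */
int valid_utf8(const uint8_t *s, size_t len) {
    for (size_t i = 0; i < len; ) {
        uint8_t b = s[i]; size_t n; uint32_t cp;
        if (b < 0x80) { i++; continue; }
        if ((b & 0xE0) == 0xC0) { n = 1; cp = b & 0x1F; }
        else if ((b & 0xF0) == 0xE0) { n = 2; cp = b & 0x0F; }
        else if ((b & 0xF8) == 0xF0) { n = 3; cp = b & 0x07; }
        else return 0;                       /* stray continuation or 0xF8..0xFF */
        if (i + n >= len) return 0;          /* truncated sequence */
        for (size_t j = 1; j <= n; j++) {
            if ((s[i + j] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + j] & 0x3F);
        }
        if (cp < (uint32_t[]){0, 0x80, 0x800, 0x10000}[n] || cp > 0x10FFFF ||
            (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += n + 1;
    }
    return 1;
}
static void put_le32(uint8_t *p, uint32_t v) { for (int k = 0; k < 4; k++) p[k] = (v >> (8 * k)) & 0xFF; }
/* Wire form: 4-byte little-endian length, then the bytes. This is the shape a static
 * analyzer flags: allocation precedes validation and the failure return skips free(). */
int encode_leaky(const uint8_t *s, size_t len, uint8_t **out, size_t *outlen) {
    uint8_t *buf = xalloc(4 + len);
    if (buf == NULL) return -1;
    if (!valid_utf8(s, len)) return -1;      /* leak: buf is never released */
    put_le32(buf, (uint32_t)len); memcpy(buf + 4, s, len);
    *out = buf; *outlen = 4 + len;
    return 0;
}
/* Same encoder with the error path closed: validate first, allocate second, and route
 * every exit through one cleanup label that owns buf until it is handed to the caller. */
int encode_fixed(const uint8_t *s, size_t len, uint8_t **out, size_t *outlen) {
    uint8_t *buf = NULL; int ret = -1;
    if (!valid_utf8(s, len)) goto cleanup;
    if ((buf = xalloc(4 + len)) == NULL) goto cleanup;
    put_le32(buf, (uint32_t)len); memcpy(buf + 4, s, len);
    *out = buf; *outlen = 4 + len; buf = NULL; ret = 0;
cleanup:
    xfree(buf);                              /* no-op once ownership moved to *out */
    return ret;
}
```

Whether such a leak matters is exactly the impact question the post raises: it only becomes a resource-exhaustion concern when an unprivileged request can reach the error path repeatedly.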
