From d14638ed2050b0575e19c7d2c2fac003b11cb019 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 20 Jul 2021 14:49:52 -0400 Subject: [PATCH] Fix KDC null deref on bad encrypted challenge (CVE-2021-36222) Resolves: #1983733 --- ...ull-deref-on-bad-encrypted-challenge.patch | 114 ++++++++++++++++++ krb5.spec | 7 +- 2 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 Fix-KDC-null-deref-on-bad-encrypted-challenge.patch diff --git a/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch b/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch new file mode 100644 index 0000000..38677b4 --- /dev/null +++ b/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch @@ -0,0 +1,114 @@ +From 3fe94b5854c56da38ba14994b6c371c3e3b9094e Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 7 Jul 2021 11:47:44 +1200 +Subject: [PATCH] Fix KDC null deref on bad encrypted challenge + +The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check +to avoid further processing if the armor key is NULL. However, this +check is bypassed by a call to k5memdup0() which overwrites retval +with 0 if the allocation succeeds. If the armor key is NULL, a call +to krb5_c_fx_cf2_simple() will then dereference it, resulting in a +crash. Add a check before the k5memdup0() call to avoid overwriting +retval. + +CVE-2021-36222: + +In MIT krb5 releases 1.16 and later, an unauthenticated attacker can +cause a null dereference in the KDC by sending a request containing a +PA-ENCRYPTED-CHALLENGE padata element without using FAST. + +[ghudson@mit.edu: trimmed patch; added test case; edited commit +message] + +ticket: 9007 (new) +tags: pullup +target_version: 1.19-next +target_version: 1.18-next + +(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562) +(cherry picked from commit 791211b00a53b394376d096c881b725ee739a936) +--- + src/kdc/kdc_preauth_ec.c | 3 ++- + src/tests/Makefile.in | 1 + + src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++ + 3 files changed, 49 insertions(+), 1 deletion(-) + create mode 100644 src/tests/t_cve-2021-36222.py + +diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c +index 7e636b3f9..43a9902cc 100644 +--- a/src/kdc/kdc_preauth_ec.c ++++ b/src/kdc/kdc_preauth_ec.c +@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + } + + /* Check for a configured FAST ec auth indicator. */ +- realmstr = k5memdup0(realm.data, realm.length, &retval); ++ if (retval == 0) ++ realmstr = k5memdup0(realm.data, realm.length, &retval); + if (realmstr != NULL) + retval = profile_get_string(context->profile, KRB5_CONF_REALMS, + realmstr, +diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in +index ab416cc5f..20f27d748 100644 +--- a/src/tests/Makefile.in ++++ b/src/tests/Makefile.in +@@ -159,6 +159,7 @@ check-pytests: unlockiter s4u2self + $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) ++ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS) + $(RM) au.log + $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ +diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py +new file mode 100644 +index 000000000..57e04993b +--- /dev/null ++++ b/src/tests/t_cve-2021-36222.py +@@ -0,0 +1,46 @@ ++import socket ++from k5test import * ++ ++realm = K5Realm() ++ ++# CVE-2021-36222 KDC null dereference on encrypted challenge preauth ++# without FAST ++ ++s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) ++a = (hostname, realm.portbase) ++ ++m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE ++ 'A103' '0201' '05' # [1] pvno = 5 ++ 'A203' '0201' '0A' # [2] msg-type = 10 ++ 'A30E' '300C' # [3] padata = SEQUENCE OF ++ '300A' # SEQUENCE ++ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE ++ 'A202' '0400' # [2] padata-value = "" ++ 'A48180' '307E' # [4] req-body = SEQUENCE ++ 'A007' '0305' '0000000000' # [0] kdc-options = 0 ++ 'A120' '301E' # [1] cname = SEQUENCE ++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL ++ 'A117' '3015' # [1] name-string = SEQUENCE-OF ++ '1B06' '6B7262746774' # krbtgt ++ '1B0B' '4B5242544553542E434F4D' ++ # KRBTEST.COM ++ 'A20D' '1B0B' '4B5242544553542E434F4D' ++ # [2] realm = KRBTEST.COM ++ 'A320' '301E' # [3] sname = SEQUENCE ++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL ++ 'A117' '3015' # [1] name-string = SEQUENCE-OF ++ '1B06' '6B7262746774' # krbtgt ++ '1B0B' '4B5242544553542E434F4D' ++ # KRBTEST.COM ++ 'A511' '180F' '31393934303631303036303331375A' ++ # [5] till = 19940610060317Z ++ 'A703' '0201' '00' # [7] nonce = 0 ++ 'A808' '3006' # [8] etype = SEQUENCE OF ++ '020112' '020111') # aes256-cts aes128-cts ++ ++s.sendto(bytes.fromhex(m), a) ++ ++# Make sure kinit still works. ++realm.kinit(realm.user_princ, password('user')) ++ ++success('CVE-2021-36222 regression test') diff --git a/krb5.spec b/krb5.spec index e9e00c8..177d9a4 100644 --- a/krb5.spec +++ b/krb5.spec @@ -42,7 +42,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.19.1 -Release: %{?zdpd}10%{?dist} +Release: %{?zdpd}11%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz @@ -88,6 +88,7 @@ Patch23: Move-some-dejagnu-kadmin-tests-to-Python-tests.patch Patch24: Fix-some-principal-realm-canonicalization-cases.patch Patch25: Allow-kinit-with-keytab-to-defer-canonicalization.patch Patch26: Fix-kadmin-k-with-fallback-or-referral-realm.patch +Patch27: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -649,6 +650,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Jul 20 2021 Robbie Harwood - 1.19.1-11 +- Fix KDC null deref on bad encrypted challenge (CVE-2021-36222) +- Resolves: #1983733 + * Wed Jul 14 2021 Robbie Harwood - 1.19.1-10 - Update OpenSSL 3 provider handling to clean up properly - Resolves: #1955873