William A. Kennington III | 49e9566 | 2021-09-15 16:19:36 -0700

From b3999be7ab59a5af4b2f1042ce0d6b03ecb17d4e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 3 Aug 2021 01:15:27 -0400
Subject: [PATCH] Fix KDC null deref on TGS inner body null server

After the KDC decodes a FAST inner body, it does not check for a null
server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference. Add
a null check.

Reported by Joseph Sutton of Catalyst.

CVE-2021-37750:

In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.

ticket: 9008 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next

CVE: CVE-2021-37750

Upstream-Status: Backport
[https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
src/kdc/do_tgs_req.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 587342a..622b48f 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -201,6 +201,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
status = "FIND_FAST";
goto cleanup;
}
+ if (sprinc == NULL) {
+ status = "NULL_SERVER";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto cleanup;
+ }

errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
&local_tgt, &local_tgt_storage);
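Review bot: the commit message says only "Add a null check", but the hunk also fixes the client-visible error for a request with no server field to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; a sentence explaining why an unknown-principal error was chosen over a malformed-request error would help maintainers carrying this backport. The placement itself is right: the check sits directly before the first dereference of sprinc at `&sprinc->realm` in the get_local_tgt() call, and the `status = "NULL_SERVER"; goto cleanup;` pattern mirrors the FIND_FAST branch above it, so the KDC log entry stays consistent with the surrounding error paths.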
--
2.17.1
