Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <2e452939-b858-4ce2-a820-8fcda65d2ed7@oracle.com>
Date: Fri, 28 Jun 2024 10:56:38 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Kerberos 1.21.3 fixes vulnerabilities in GSS message token handling

https://mailman.mit.edu/pipermail/kerberos-announce/2024q2/000207.html and
https://web.mit.edu/kerberos/www/krb5-1.21/ have announced the release on
Wed. June 26 of Kerberos 1.21.3 with these changes:

> * Fix vulnerabilities in GSS message token handling [CVE-2024-37370,
>   CVE-2024-37371].
> 
> * Fix a potential bad pointer free in krb5_cccol_have_contents().
> 
> * Fix a memory leak in the macOS ccache type.

https://krbdev.mit.edu/rt/Ticket/Display.html?id=9128 and
https://github.com/krb5/krb5/commit/b0a2f8a5365f2eec3e27d78907de9f9d2c80505a
give this info for the issues assigned CVEs:

> In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
> verify the Extra Count field of CFX wrap tokens against the encrypted
> header.  Reported by Jacob Champion.
> 
> In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
> length too short to contain the encrypted header and extra count
> bytes.  Reported by Jacob Champion.
> 
> In kg_unseal_iov_token(), separately track the header IOV length and
> complete token length when parsing the token's ASN.1 wrapper.  This
> fix contains modified versions of functions from k5-der.h and
> util_token.c; this duplication will be cleaned up in a future commit.
> 
> CVE-2024-37370:
> 
> In MIT krb5 release 1.3 and later, an attacker can modify the
> plaintext Extra Count field of a confidential GSS krb5 wrap token,
> causing the unwrapped token to appear truncated to the application.
> 
> CVE-2024-37371:
> 
> In MIT krb5 release 1.3 and later, an attacker can cause invalid
> memory reads by sending message tokens with invalid length fields.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.