Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2e452939-b858-4ce2-a820-8fcda65d2ed7@oracle.com>
Date: Fri, 28 Jun 2024 10:56:38 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Kerberos 1.21.3 fixes vulnerabilities in GSS message token handling

https://mailman.mit.edu/pipermail/kerberos-announce/2024q2/000207.html and
https://web.mit.edu/kerberos/www/krb5-1.21/ have announced the release on
Wed. June 26 of Kerberos 1.21.3 with these changes:

> * Fix vulnerabilities in GSS message token handling [CVE-2024-37370,
>   CVE-2024-37371].
> 
> * Fix a potential bad pointer free in krb5_cccol_have_contents().
> 
> * Fix a memory leak in the macOS ccache type.

https://krbdev.mit.edu/rt/Ticket/Display.html?id=9128 and
https://github.com/krb5/krb5/commit/b0a2f8a5365f2eec3e27d78907de9f9d2c80505a
give this info for the issues assigned CVEs:

> In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
> verify the Extra Count field of CFX wrap tokens against the encrypted
> header.  Reported by Jacob Champion.
> 
> In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
> length too short to contain the encrypted header and extra count
> bytes.  Reported by Jacob Champion.
> 
> In kg_unseal_iov_token(), separately track the header IOV length and
> complete token length when parsing the token's ASN.1 wrapper.  This
> fix contains modified versions of functions from k5-der.h and
> util_token.c; this duplication will be cleaned up in a future commit.
> 
> CVE-2024-37370:
> 
> In MIT krb5 release 1.3 and later, an attacker can modify the
> plaintext Extra Count field of a confidential GSS krb5 wrap token,
> causing the unwrapped token to appear truncated to the application.
> 
> CVE-2024-37371:
> 
> In MIT krb5 release 1.3 and later, an attacker can cause invalid
> memory reads by sending message tokens with invalid length fields.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.