Commit aa2d24fa authored by Leonardo Arena's avatar Leonardo Arena

main/heimdal: security fix (CVE-2018-16860)

Fixes #10511

Remove unused patch, clarify license
parent e5bce08f
......@@ -3,11 +3,11 @@
pkgname=heimdal
pkgver=7.5.0
_ver=${pkgver/_rc/rc}
pkgrel=3
pkgrel=4
pkgdesc="An implementation of Kerberos 5"
arch="all"
url="http://www.h5l.org/"
license="BSD"
license="BSD-3-Clause"
depends="krb5-conf"
depends_dev="openssl-dev e2fsprogs-dev db-dev"
makedepends="$depends_dev autoconf automake bash gawk libtool
......@@ -22,10 +22,13 @@ source="https://github.com/heimdal/heimdal/releases/download/heimdal-$pkgver/hei
005_all_heimdal-suid_fix.patch
heimdal_missing-include.patch
CVE-2018-16860.patch
"
builddir="$srcdir/$pkgname-$_ver"
# secfixes:
# 7.5.3-r2:
# - CVE-2018-16860
# 7.4.0-r2:
# - CVE-2017-17439
# 7.4.0-r0:
......@@ -128,4 +131,5 @@ sha512sums="6d1ad77e795df786680b5e68e2bfefee27bd0207eab507295d7af7053135de9c9ebb
4dca69bb1c1c6dfce8c0fc1da84855e4549be478ab09511fa5143ee61d1609fed7f3303179bc1e499b0f20445e04c41eda132dd1c5f72e2fea4fcf60a35ad2a9 heimdal-kdc.initd
abee8390632fa775e74900d09e5c72b02fe4f9616b43cc8d0a76175486ed6d4707fb3ce4d06ceb09b0e8d1384e037c3cff6525e11def0122c35c32eebd0d196f heimdal-kpasswdd.initd
2a6b20588a86a9ea3c35209b96ef2da0b39bc3112aec1505e69a60efc9ffb9ddc1d0dbdfaf864142e9d2f81da3d2653de56d6ffa01871c20fde17e4642625c56 005_all_heimdal-suid_fix.patch
e89efdc942c512363aac1d9797c6bf622324e9200e282bc5ed680300b9e1b39a4ea20f059cdac8f22f972eb0af0e625fd41f267ebcafcfec0aaa81192aff79c1 heimdal_missing-include.patch"
e89efdc942c512363aac1d9797c6bf622324e9200e282bc5ed680300b9e1b39a4ea20f059cdac8f22f972eb0af0e625fd41f267ebcafcfec0aaa81192aff79c1 heimdal_missing-include.patch
36738795eb3478b55790bf1927f85a421b13b6b47dcc273daeb6630c39a4e1c1258148fa0e9f004ae59a9ac89caf54cb25efedb417e852e42a2c32d02e43fd56 CVE-2018-16860.patch"
From 749d377fa357351a7bbba51f8aae72cdf0629592 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <viktor@twosigma.com>
Date: Tue, 5 Dec 2017 18:49:50 -0500
Subject: [PATCH] Security: Avoid NULL structure pointer member dereference
This can happen in the error path when processing malformed AS
requests with a NULL client name. Bug originally introduced on
Fri Feb 13 09:26:01 2015 +0100 in commit:
a873e21d7c06f22943a90a41dc733ae76799390d
kdc: base _kdc_fast_mk_error() on krb5_mk_error_ext()
Original patch by Jeffrey Altman <jaltman@secure-endpoints.com>
(cherry picked from commit 1a6a6e462dc2ac6111f9e02c6852ddec4849b887)
---
kdc/kerberos5.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 95a74927f7..675b406b82 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2226,15 +2226,17 @@ _kdc_as_rep(kdc_request_t r,
/*
* In case of a non proxy error, build an error message.
*/
- if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
+ if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
ret = _kdc_fast_mk_error(context, r,
&error_method,
r->armor_crypto,
&req->req_body,
ret, r->e_text,
r->server_princ,
- &r->client_princ->name,
- &r->client_princ->realm,
+ r->client_princ ?
+ &r->client_princ->name : NULL,
+ r->client_princ ?
+ &r->client_princ->realm : NULL,
NULL, NULL,
reply);
if (ret)
From c6257cc2c842c0faaeb4ef34e33890ee88c4cbba Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 May 2019 09:03:18 -0400
Subject: [PATCH] CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed
checksum
S4U2Self is an extension to Kerberos used in Active Directory to allow
a service to request a kerberos ticket to itself from the Kerberos Key
Distribution Center (KDC) for a non-Kerberos authenticated user
(principal in Kerboros parlance). This is useful to allow internal
code paths to be standardized around Kerberos.
S4U2Proxy (constrained-delegation) is an extension of this mechanism
allowing this impersonation to a second service over the network. It
allows a privileged server that obtained a S4U2Self ticket to itself
to then assert the identity of that principal to a second service and
present itself as that principal to get services from the second
service.
There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
KDC checks the checksum that is placed on the S4U2Self packet by the
server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user
name (principal) in the request is keyed. This allows a
man-in-the-middle attacker who can intercept the request to the KDC to
modify the packet by replacing the user name (principal) in the
request with any desired user name (principal) that exists in the KDC
and replace the checksum protecting that name with a CRC32 checksum
(which requires no prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user name
(principal) user@EXAMPLE.COM to any service to be changed to a
S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
the modified user name (principal).
==================
CVSSv3 calculation
==================
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
=========================
Workaround and Mitigation
=========================
If server does not take privileged actions based on Kerberos tickets
obtained by S4U2Self nor obtains Kerberos tickets via further
S4U2Proxy requests then this issue cannot be exploited.
Note that the path to an exploit is not generic, the KDC is not harmed
by the malicious checksum, it is the client service requesting the
ticket being mislead, because it trusted the KDC to return the correct
ticket and PAC.
It is out of scope for Samba to describe all of the possible tool
chains that might be vulnerable. Here are two examples of possible
exploits in order to explain the issue more clearly.
1). SFU2Self might be used by a web service authenticating an end user
via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
Kerberos service ticket for use by any Kerberos service principal the
web service has a keytab for. One example is acquiring an AFS token
by requesting an afs/cell@REALM service ticket for a client via
SFU2Self. With this exploit an organization that deploys a KDC built
from Heimdal (be it Heimdal directly or vendor versions such as found
in Samba) is vulnerable to privilege escalation attacks.
2). If a server authenticates users using X509 certificates, and then
uses S4U2Self to obtain a Kerberos service ticket on behalf of the
user (principal) in order to authorize access to local resources, a
man-in-the-middle attacker could allow a non-privilaged user to access
privilaged resources being protected by the server, or privilaged
resources being protected by a second server, if the first server uses
the S4U2Proxy extension in order to get a new Kerberos service ticket
to obtain access to the second server.
In both these scenarios under conditions allowing man-in-the-middle
active network protocol manipulation, a malicious user could
authenticate using the non-Kerborized credentials of an unprivileged
user, and then elevate its privileges by intercepting the packet from
the server to the KDC and changing the requested user name (principal).
The only Samba clients that use S4U2Self are:
- the "net ads kerberos pac dump" (debugging) tool.
- the CIFS proxy in the deprecated/developer-only NTVFS file
server. Note this code is not compiled or enabled by default.
In particular, winbindd does *not* use S4U2Self.
Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
for Samba AD is understood not to be impacted.
===============
Further Reading
===============
There is more detail on and a description of the protocols in
[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained
Delegation Protocol
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
=======
Credits
=======
Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
Team and Catalyst.
Patches provided by Isaac Boukris.
Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
Allison.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
---
kdc/krb5tgs.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 8318bc0025..14943077a4 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2031,6 +2031,13 @@ tgs_build_reply(krb5_context context,
goto out;
}
+ if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
+ free_PA_S4U2Self(&self);
+ kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+ goto out;
+ }
+
ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
if (ret)
goto out;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment