| Summary: | krb5 new security issue CVE-2017-11368 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, sysadmin-bugs |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | has_procedure MGA5TOO advisory MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OK | | |
| Source RPM: | krb5-1.15.1-2.mga6.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | Updated kerberos setup script for qa testing | | |

Description
David Walser
2017-07-27 02:43:40 CEST
Lewis Smith
2017-08-09 09:25:13 CEST
CC: (none) => lewyssmith

MGA6-32 on Asus A6000VM MATE
No installation issues.
I ran into problems with the procedure, at least partly due to the fact that I definitely refuse to do sudo.
So I tried as root:
```
# /home/tester6/bin/krb5_server_setup.sh tester6
Checking dns setup for mach6.hviaene.thuis
Good. Forward and reverse dsn settings for mach6.hviaene.thuis match
The realm name will be set to MACH6.HVIAENE.THUIS
Use of uninitialized value in null operation at /usr/lib/perl5/vendor_perl/5.22.2/i386-linux-thread-multi/URPM/Resolve.pm line 1847.
Om aan de afhankelijkheden te voldoen worden de volgende pakketten geïnstalleerd:
Pakket Versie Uitgave Arch
(medium "Core Release (distrib1)")
krb5-appl-servers 1.0.3 8.mga6 i586
xinetd 2.3.15 9.mga6 i586
698KB aan extra schijfruimte zal worden gebruikt.
274KB aan pakketten zal worden opgehaald.
Verdergaan met de installatie van de 2 pakketten? (J/n) j
$MIRRORLIST: media/core/release/xinetd-2.3.15-9.mga6.i586.rpm
$MIRRORLIST: media/core/release/krb5-appl-servers-1.0.3-8.mga6.i586.rpm
installeren van krb5-appl-servers-1.0.3-8.mga6.i586.rpm xinetd-2.3.15-9.mga6.i586.rpm vanaf /var/cache/urpmi/rpms
Voorbereiden... ######################################################################################
1/2: xinetd ######################################################################################
2/2: krb5-appl-servers ######################################################################################
Setting realm name in /usr/lib/tmpfiles.d/krb5kdc.conf
/var/lib/krb5kdc/kdc.conf
Setting realm and host names in /etc/krb5.conf
Setting realm name in /var/lib/krb5kdc/kadm5.acl
Creating database in /var/lib/krb5kdc/principal
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'MACH6.HVIAENE.THUIS',
master key name 'K/M@MACH6.HVIAENE.THUIS'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
Redirecting to /bin/systemctl start krb5kdc.service
Job for krb5kdc.service failed because the control process exited with error code.
See "systemctl status krb5kdc.service" and "journalctl -xe" for details.
Opmerking: Verzoek wordt doorgestuurd naar 'systemctl enable krb5kdc.service'.
Opmerking: Verzoek wordt doorgestuurd naar 'systemctl enable kadmin.service'.
Copy /etc/krb5.conf to any client stations, and install krb5-appl-clients on them
[root@mach6 ~]# systemctl status krb5kdc.service
● krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since wo 2017-08-09 13:54:16 CEST; 1min 16s ago
aug 09 13:54:16 mach6.hviaene.thuis systemd[1]: Starting Kerberos 5 KDC...
aug 09 13:54:16 mach6.hviaene.thuis krb5kdc[9113]: krb5kdc: Configuration file does not specify default realm, attempting
aug 09 13:54:16 mach6.hviaene.thuis systemd[1]: krb5kdc.service: Control process exited, code=exited status=1
aug 09 13:54:16 mach6.hviaene.thuis systemd[1]: Failed to start Kerberos 5 KDC.
aug 09 13:54:16 mach6.hviaene.thuis systemd[1]: krb5kdc.service: Unit entered failed state.
aug 09 13:54:16 mach6.hviaene.thuis systemd[1]: krb5kdc.service: Failed with result 'exit-code'.
```
Turned out that the realm settings were in the conf file but all commented out, so I removed the "#"'s and went on
```
# systemctl start krb5kdc.service
```
is OK now
edited /etc/xinetd.d/eklogin
and
```
# systemctl restart xinetd.service
```
also OK
but
```
$ kinit
kinit: Unknown credential cache type while getting default ccache
```

CC: (none) => herman.viaene

Seems that in Mageia 6, /etc/krb5.conf in the package has changed so that the lines with example.com, or EXAMPLE.COM, which the script changes to the realm based on the host name, are commented out. I'll change the script to handle it, and then attach it to this bug report.

CC: (none) => davidwhodgins

Created attachment 9586
Updated kerberos setup script for qa testing

Modified the wiki page to have the above attachment number.

Tested both arches on both releases with results similar to ...
```
[dave@i5v ~]$ kinit
Password for dave@I5V.HODGINS.HOMEIP.NET:
[dave@i5v ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dave@I5V.HODGINS.HOMEIP.NET

Valid starting     Expires            Service principal
12/08/17 00:59:22  13/08/17 00:59:22  krbtgt/I5V.HODGINS.HOMEIP.NET@I5V.HODGINS.HOMEIP.NET
```
Validating the update.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0256.html

Resolution: (none) => FIXED
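
The failure diagnosed in this thread (realm settings present in /etc/krb5.conf but commented out, so kadmin.local and krb5kdc find no default realm) can be caught before the services are started. The following is an added example, not the QA setup script attached to this report; the function names and sample files are constructed, and it goes slightly beyond the thread by also flagging a half-edited file, assuming the setup relies on a `[realms]` entry in krb5.conf.

```shell
# Added example (not the QA script from the bug report); function names are hypothetical.
# Print the active default_realm from [libdefaults]; exit 1 if there is none.
krb5_default_realm() {
    awk '
        /^[ \t]*[#;]/ { next }   # commented-out settings do not count
        /^[ \t]*\[/   { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next }
        sect == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); realm = $0
        }
        END { if (realm == "") exit 1; print realm }
    ' "$1"
}

# Succeed if realm $2 has an uncommented entry in the [realms] section of file $1.
krb5_realm_defined() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next }
        sect == "realms" {
            line = $0; sub(/^[ \t]*/, "", line); split(line, kv, /[ \t]*=/)
            if (kv[1] == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Return 0 if usable, 1 if no default realm, 2 if the realm has no [realms] entry.
krb5_conf_check() {
    realm=$(krb5_default_realm "$1") || { echo "no active default_realm in [libdefaults]"; return 1; }
    krb5_realm_defined "$1" "$realm" || { echo "$realm has no uncommented [realms] entry"; return 2; }
    echo "ok: $realm"
}

# Constructed samples modelled on the thread: commented out, half-edited, and fixed.
write_sample_confs() {
    printf '%s\n' '[libdefaults]' '# default_realm = EXAMPLE.COM' '[realms]' \
        '# EXAMPLE.COM = {' '#  kdc = kerberos.example.com' '# }' > "$1/commented.conf"
    printf '%s\n' '[libdefaults]' ' default_realm = MACH6.HVIAENE.THUIS' '[realms]' \
        '# MACH6.HVIAENE.THUIS = {' '#  kdc = mach6.hviaene.thuis' '# }' > "$1/partial.conf"
    printf '%s\n' '[libdefaults]' ' default_realm = MACH6.HVIAENE.THUIS' '[realms]' \
        ' MACH6.HVIAENE.THUIS = {' '  kdc = mach6.hviaene.thuis' ' }' > "$1/fixed.conf"
}

demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for f in commented partial fixed; do
    printf '%s: ' "$f"; krb5_conf_check "$demo_dir/$f.conf" || true
done
rm -rf "$demo_dir"
```

Run `krb5_conf_check /etc/krb5.conf` after the setup script and before `systemctl start krb5kdc.service`; a non-zero status means the realm lines still need uncommenting.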