Bug 21628 - krb5 new security issue CVE-2017-7562, CVE-2017-11462, and CVE-2017-15088
Summary: krb5 new security issue CVE-2017-7562, CVE-2017-11462, and CVE-2017-15088
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64...
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2017-08-29 02:43 CEST by David Walser
Modified: 2017-11-20 22:18 CET (History)
5 users

See Also:
Source RPM: krb5-1.15.1-2.1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2017-08-29 02:43:53 CEST
Fedora has issued an advisory today (August 28):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2XIPFDWKYB3HQKSWLVJ6AAPFEG6BEPE3/

It corresponds to this upstream pull request which has a CVE noted on it:
https://github.com/krb5/krb5/pull/694

Patch committed in Mageia 6 and Cauldron SVN.
Comment 1 Marja Van Waes 2017-08-29 23:58:58 CEST
(In reply to David Walser from comment #0)

> 
> Patch committed in Mageia 6 and Cauldron SVN.

Thx :-)

Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2017-09-11 00:58:03 CEST
Fedora has issued an advisory on September 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/

This is another minor issue, but it also affects Mageia 5.  I've checked the patch into Mageia 6 and Cauldron SVN.  The patch needs a minor rediff adjustment for Mageia 5.

Whiteboard: (none) => MGA5TOO
Summary: krb5 new security issue CVE-2017-7562 => krb5 new security issue CVE-2017-7562 and CVE-2017-11462

Comment 3 David Walser 2017-10-12 23:15:10 CEST
openSUSE has issued an advisory for CVE-2017-11462 today (October 12):
https://lists.opensuse.org/opensuse-updates/2017-10/msg00041.html

They patched the same version we have in Mageia 5.
Comment 4 David Walser 2017-11-08 23:24:10 CET
SUSE has issued an advisory today (November 8):
https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00011.html

They fixed a new issue, CVE-2017-15088.

The Red Hat bug has a link to the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1504045

Severity: normal => major
Summary: krb5 new security issue CVE-2017-7562 and CVE-2017-11462 => krb5 new security issue CVE-2017-7562, CVE-2017-11462, and CVE-2017-15088

Comment 5 David Walser 2017-11-11 01:16:55 CET
(In reply to David Walser from comment #4)
> SUSE has issued an advisory today (November 8):
> https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00011.html
> 
> They fixed a new issue, CVE-2017-15088.
> 
> The Red Hat bug has a link to the upstream commit that fixed the issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=1504045

openSUSE has issued an advisory for this today (November 10):
https://lists.opensuse.org/opensuse-updates/2017-11/msg00039.html
Comment 6 Guillaume Rousse 2017-11-11 16:39:47 CET
krb5-1.15.1-2.2.mga6 submitted in update_testing for mageia 6, fixing CVE-2017-7562, CVE-2017-11462 and CVE-2017-15088.

krb5-1.12.5-1.3.mga5 submitted in update_testing for mageia 5, fixing CVE-2017-11462 and CVE-2017-15088 only, as CVE-2017-7562 doesn't apply.
Comment 7 David Walser 2017-11-12 17:51:03 CET
Thanks Guillaume!

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Krb5

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

An authentication bypass flaw was found in the way krb5's certauth interface
handled the validation of client certificates. A remote attacker able to
communicate with the KDC could potentially use this flaw to impersonate
arbitrary principals under rare and erroneous circumstances (CVE-2017-7562).

RFC 2744 permits a GSS-API implementation to delete an existing security
context on a second or subsequent call to gss_init_sec_context() or
gss_accept_sec_context() if the call results in an error.  This API behavior
has been found to be dangerous, leading to the possibility of memory errors in
some callers.  For safety, GSS-API implementations should instead preserve
existing security contexts on error until the caller deletes them
(CVE-2017-11462).

A buffer overflow vulnerability was found in the get_matching_data() function
when both the CA cert and the user cert have a long subject, affecting krb5
builds that include the certauth plugin. The attack requires a validated
certificate with a long subject and issuer, and a "pkinit_cert_match" string
attribute on some principal in the database. A remote code execution exploit
might also require that the attacker get to choose the contents of the issuer
in the validated cert (CVE-2017-15088).

Note that the CVE-2017-7562 issue only affected Mageia 6.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2XIPFDWKYB3HQKSWLVJ6AAPFEG6BEPE3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/
https://lists.opensuse.org/opensuse-updates/2017-11/msg00039.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.12.5-1.3.mga5
libkrb53-devel-1.12.5-1.3.mga5
libkrb53-1.12.5-1.3.mga5
krb5-server-1.12.5-1.3.mga5
krb5-server-ldap-1.12.5-1.3.mga5
krb5-workstation-1.12.5-1.3.mga5
krb5-pkinit-openssl-1.12.5-1.3.mga5
krb5-1.15.1-2.2.mga6
libkrb53-devel-1.15.1-2.2.mga6
libkrb53-1.15.1-2.2.mga6
krb5-server-1.15.1-2.2.mga6
krb5-server-ldap-1.15.1-2.2.mga6
krb5-workstation-1.15.1-2.2.mga6
krb5-pkinit-openssl-1.15.1-2.2.mga6

from SRPMS:
krb5-1.12.5-1.3.mga5.src.rpm
krb5-1.15.1-2.2.mga6.src.rpm

Assignee: guillomovitch => qa-bugs
CC: (none) => guillomovitch
Keywords: (none) => has_procedure
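The CVE-2017-11462 paragraph of the advisory is about an API contract, so here is an added example (not from this bug report and not krb5 code) that models it in C. The GSS-API calls are replaced by stand-ins over a small tracked context table, so a second delete of the same context shows up as a counted event instead of a crash. The caller pattern (handle kept in connection state, updated only on success, deleted once in cleanup) is assumed for illustration; the advisory does not name any caller. With delete-on-error the caller's cleanup deletes a context the library already freed; with preserve-on-error the same caller frees it exactly once.

```c
/* Added example modelling the GSS-API context-lifetime rule behind
 * CVE-2017-11462. Not krb5 code: contexts are slots in a small tracked
 * table so a second delete of the same context is detected and counted
 * instead of corrupting the heap. All names here are invented. */
#include <stdio.h>
#include <string.h>

#define NCTX 4
#define NO_CONTEXT (-1)            /* stands in for GSS_C_NO_CONTEXT */
typedef int ctx_handle;            /* stands in for gss_ctx_id_t */

enum policy  { DELETE_ON_ERROR, PRESERVE_ON_ERROR };
enum outcome { OUTCOME_OK, OUTCOME_DOUBLE_DELETE, OUTCOME_LEAK };

static int ctx_live[NCTX];         /* 1 while the slot is allocated */
static int double_deletes;         /* deletes of an already-freed slot */

static ctx_handle ctx_new(void)
{
    for (int i = 0; i < NCTX; i++)
        if (!ctx_live[i]) { ctx_live[i] = 1; return i; }
    return NO_CONTEXT;
}

/* Models gss_delete_sec_context(): frees the slot and clears the handle. */
static void ctx_delete(ctx_handle *h)
{
    if (*h == NO_CONTEXT)
        return;
    if (!ctx_live[*h])
        double_deletes++;          /* the memory error, made visible */
    ctx_live[*h] = 0;
    *h = NO_CONTEXT;
}

/* Models one gss_init_sec_context()/gss_accept_sec_context() call: the
 * first call creates the context, a later call fails on a bad peer token.
 * Returns 0 on success, -1 where GSS_ERROR() would be true. */
static int sec_context_step(enum policy p, ctx_handle *h, const char *token)
{
    if (*h == NO_CONTEXT) {
        *h = ctx_new();
        return *h == NO_CONTEXT ? -1 : 0;
    }
    if (strcmp(token, "good") != 0) {
        if (p == DELETE_ON_ERROR)
            ctx_delete(h);         /* what RFC 2744 permits on a failing later call */
        return -1;
    }
    return 0;
}

/* Caller pattern assumed for illustration (the advisory names none): the
 * handle lives in connection state, each step works on a copy, the stored
 * handle is updated only on success, and cleanup deletes it on every exit. */
struct conn { ctx_handle ctx; };

static enum outcome run_exchange(enum policy p)
{
    static const char *tokens[] = { "good", "bad" };   /* constructed tokens */
    struct conn c = { NO_CONTEXT };

    memset(ctx_live, 0, sizeof ctx_live);
    double_deletes = 0;

    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
        ctx_handle h = c.ctx;
        if (sec_context_step(p, &h, tokens[i]) != 0)
            break;                 /* error: go straight to cleanup */
        c.ctx = h;
    }
    ctx_delete(&c.ctx);            /* the caller's single cleanup path */

    if (double_deletes)
        return OUTCOME_DOUBLE_DELETE;
    for (int i = 0; i < NCTX; i++)
        if (ctx_live[i])
            return OUTCOME_LEAK;
    return OUTCOME_OK;
}

int main(void)
{
    printf("delete-on-error:   %s\n",
           run_exchange(DELETE_ON_ERROR) == OUTCOME_DOUBLE_DELETE ? "double delete" : "ok");
    printf("preserve-on-error: %s\n",
           run_exchange(PRESERVE_ON_ERROR) == OUTCOME_OK ? "ok" : "problem");
    return 0;
}
```

The flip side of the fixed behaviour: since the context now survives a failing call, a caller that skipped gss_delete_sec_context() on error would leak it, which is why the cleanup in run_exchange() runs on every exit path.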

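The CVE-2017-15088 paragraph describes a fixed buffer meeting a long subject and issuer. Added example in C, not krb5's get_matching_data(): a model DN serialiser in two forms, one that writes into a caller-supplied fixed buffer and reports when the name does not fit, and one that sizes a heap buffer from the data, plus the hardened shape of a matching-data builder on top of the second. DN_BUF_LEN, the "attr=value, attr=value" layout, the sample names and all function names are assumptions.

```c
/* Added example for the CVE-2017-15088 paragraph: serialising certificate
 * subject/issuer names for "pkinit_cert_match" style matching. This is a
 * model of the bug class (long DNs against a fixed-size buffer), not the
 * krb5 get_matching_data() code; DN_BUF_LEN and all function names are
 * invented, and the "attr=value, attr=value" layout is assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DN_BUF_LEN 256             /* assumed fixed buffer size */

struct rdn { const char *attr; const char *value; };
struct dn  { const struct rdn *rdns; size_t n; };
struct cert_match_data { char *subject_dn; char *issuer_dn; };

/* Length of "A=v, B=w" without the NUL; both serialisers size from this. */
static size_t dn_printed_len(const struct dn *d)
{
    size_t len = 0;
    for (size_t i = 0; i < d->n; i++)
        len += strlen(d->rdns[i].attr) + 1 + strlen(d->rdns[i].value)
             + (i + 1 < d->n ? 2 : 0);
    return len;
}

/* Fixed-buffer serialiser: writes only when the whole string and its NUL
 * fit, else returns -1 and leaves out untouched. Copying from out after a
 * -1 (stale or uninitialised bytes) is the mistake this class of bug makes. */
static int dn_oneline_fixed(const struct dn *d, char *out, size_t outlen)
{
    size_t pos = 0;
    if (dn_printed_len(d) + 1 > outlen)
        return -1;
    for (size_t i = 0; i < d->n; i++)
        pos += (size_t)snprintf(out + pos, outlen - pos, "%s%s=%s",
                                i ? ", " : "", d->rdns[i].attr, d->rdns[i].value);
    return 0;
}

/* Heap serialiser: size the buffer from the data, never the reverse. */
static char *dn_oneline_alloc(const struct dn *d)
{
    size_t need = dn_printed_len(d) + 1;
    char *out = malloc(need);
    if (out != NULL && dn_oneline_fixed(d, out, need) != 0) {
        free(out);
        out = NULL;
    }
    return out;
}

/* Hardened shape of the matching-data builder: each DN gets its own heap
 * string and an allocation failure is reported, not ignored. */
static int build_match_data(const struct dn *subject, const struct dn *issuer,
                            struct cert_match_data *md)
{
    md->subject_dn = dn_oneline_alloc(subject);
    md->issuer_dn  = dn_oneline_alloc(issuer);
    if (md->subject_dn == NULL || md->issuer_dn == NULL) {
        free(md->subject_dn);
        free(md->issuer_dn);
        md->subject_dn = md->issuer_dn = NULL;
        return -1;
    }
    return 0;
}

/* Constructed short DN: fits in 16 bytes but not in 14. Returns 1 on success. */
static int demo_short_dn(void)
{
    const struct rdn rdns[] = { { "CN", "alice" }, { "O", "Ex" } };
    const struct dn d = { rdns, 2 };
    char buf[16] = "";
    return dn_printed_len(&d) == 14
        && dn_oneline_fixed(&d, buf, sizeof buf) == 0
        && strcmp(buf, "CN=alice, O=Ex") == 0
        && dn_oneline_fixed(&d, buf, 14) == -1;
}

/* Constructed long input: subject and issuer whose printed form exceeds
 * DN_BUF_LEN, the certificate shape the advisory warns about. Returns 1
 * when the fixed buffer refuses both names and the heap path handles them. */
static int demo_long_dn(void)
{
    static char long_cn[300];
    memset(long_cn, 'a', sizeof long_cn - 1);
    long_cn[sizeof long_cn - 1] = '\0';

    const struct rdn subj_rdns[] = { { "CN", long_cn }, { "O", "Example Corp" } };
    const struct rdn iss_rdns[]  = { { "CN", long_cn }, { "O", "Example CA" } };
    const struct dn subject = { subj_rdns, 2 }, issuer = { iss_rdns, 2 };
    char buf[DN_BUF_LEN] = "";
    struct cert_match_data md;
    int ok;

    int rc_subj = dn_oneline_fixed(&subject, buf, sizeof buf);
    int rc_iss  = dn_oneline_fixed(&issuer, buf, sizeof buf);
    if (build_match_data(&subject, &issuer, &md) != 0)
        return 0;
    ok = rc_subj == -1 && rc_iss == -1 && buf[0] == '\0'
      && strlen(md.subject_dn) == dn_printed_len(&subject)
      && strlen(md.issuer_dn) == dn_printed_len(&issuer)
      && strcmp(md.subject_dn, md.issuer_dn) != 0;
    free(md.subject_dn);
    free(md.issuer_dn);
    return ok;
}

int main(void)
{
    printf("short DN round-trips: %s\n", demo_short_dn() ? "yes" : "no");
    printf("long subject/issuer handled safely: %s\n", demo_long_dn() ? "yes" : "no");
    return 0;
}
```

Either fixed form is acceptable: refuse names that do not fit (and never read the buffer after a refusal), or allocate from the measured length. What the advisory describes is doing neither.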
Comment 8 Herman Viaene 2017-11-14 14:04:31 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Followed procedure given above:
but I installed krb5_server_setup.sh in /bin
# krb5_server_setup.sh 
works OK, no problems encountered
then
# systemctl start krb5kdc.service
# systemctl -l status krb5kdc.service
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled)
   Active: active (running) since di 2017-11-14 12:13:10 CET; 1min 42s ago
 Main PID: 13080 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─13080 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
# systemctl restart xinetd.service
[root@mach6 bin]# systemctl -l status xinetd.service
● xinetd.service - Xinetd A Powerful Replacement For Inetd
   Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled)
   Active: active (running) since di 2017-11-14 12:15:16 CET; 14s ago
  Process: 13270 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 13272 (xinetd)
   CGroup: /system.slice/xinetd.service
           └─13272 /usr/sbin/xinetd -stayalive -pidfile /run/xinetd.pid

nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing cvspserver
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing eklogin
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing telnet
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing ftp
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing klogin
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing telnet
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing kshell
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing ssh
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: xinetd Version 2.3.15 started with libwrap options compiled in.
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: Started working: 0 available services
but then, continuing as root:
# kinit
Password for root@XXXX.YYYYY.ZZZZ: 
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@XXXX.YYYY.ZZZZ

Valid starting     Expires            Service principal
14-11-17 12:16:07  15-11-17 12:16:07  krbtgt/XXXX.YYYY.ZZZZ@XXXX.YYYY.ZZZZ
Both seem OK.
# krlogin $(hostname) 
This rlogin session is encrypting all data transmissions.
You have new mail.
Seems OK

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Lewis Smith 2017-11-19 11:31:22 CET

Keywords: (none) => advisory

Comment 9 Dave Hodgins 2017-11-20 15:12:17 CET
Set up kerberos on both releases, both arches, confirmed working, installed the updates and rebooted, and confirmed still working on both arches, both releases.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK MGA6-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 10 Mageia Robot 2017-11-20 22:18:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0420.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

