Bug 29260 - krb5 new security issues CVE-2021-36222 and CVE-2021-37750
Summary: krb5 new security issues CVE-2021-36222 and CVE-2021-37750
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Guillaume Rousse
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-14 16:46 CEST by David Walser
Modified: 2021-08-21 18:31 CEST
4 users

See Also:
Source RPM: krb5-1.19.1-1.mga9.src.rpm
CVE:
Status comment: Patch available from Fedora

Description David Walser 2021-07-14 16:46:43 CEST
Fedora has issued an advisory today (July 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCCYLGJLCVVNJVOQKUGKXR2SNQIPFBFS/

Mageia 8 is also affected.
David Walser 2021-07-14 16:46:56 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Dave Hodgins 2021-07-14 19:44:00 CEST
Also, krlogin on mga8 does not appear to function. It was working on mga7.
https://bugs.mageia.org/show_bug.cgi?id=28460#c8

CC: (none) => davidwhodgins

Comment 2 Nicolas Lécureuil 2021-07-16 00:23:02 CEST
Fixed in cauldron and mga8

src:
     - krb5-1.18.3-1.1.mga8

Whiteboard: MGA8TOO => (none)
Assignee: guillomovitch => qa-bugs
CC: (none) => mageia
Version: Cauldron => 8

Comment 3 David Walser 2021-07-16 01:44:55 CEST
krb5-1.18.3-1.1.mga8
krb5-workstation-1.18.3-1.1.mga8
libkrb53-1.18.3-1.1.mga8
krb5-server-1.18.3-1.1.mga8
libkrb53-devel-1.18.3-1.1.mga8
krb5-server-ldap-1.18.3-1.1.mga8
krb5-pkinit-1.18.3-1.1.mga8

from krb5-1.18.3-1.1.mga8.src.rpm

Status comment: Patch available from Fedora => (none)

Comment 4 Dave Hodgins 2021-07-16 02:47:17 CEST
Used the procedure at https://wiki.mageia.org/en/QA_procedure:Krb5
to install krb5 and set it up with the above packages in qarepo.

I also made sure krb5kdc.service and kadmin.service were enabled and running.

It installs and sets up cleanly, however the failure of krlogin to function
noted in comment 1 is still present.

While this is not a regression over the prior mga8 versions, it is a regression
from Mageia 7.

We can validate it based on a clean install and no regression over the prior
version, but I'd prefer to fix whatever is causing krlogin to do nothing and
fix it, whether it's a packaging change or a change in the test procedure that's
needed.

Ideas?

Adding Guillaume back to the cc list as the registered maintainer for krb5.

CC: (none) => guillomovitch

Comment 5 Aurelien Oudelet 2021-07-19 22:44:47 CEST
Advisory:
========================

Updated krb5 packages fix security vulnerability:

In MIT krb5 releases 1.16 and later prior to 1.19.2, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST (CVE-2021-36222).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29260
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36222
 - https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-36222
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCCYLGJLCVVNJVOQKUGKXR2SNQIPFBFS/
========================

Updated packages in core/updates_testing:
========================
krb5-1.18.3-1.1.mga8
krb5-pkinit-1.18.3-1.1.mga8
krb5-server-1.18.3-1.1.mga8
krb5-server-ldap-1.18.3-1.1.mga8
krb5-workstation-1.18.3-1.1.mga8
lib(64)krb53-1.18.3-1.1.mga8
lib(64)krb53-devel-1.18.3-1.1.mga8

from SRPM:
krb5-1.18.3-1.1.mga8.src.rpm
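The advisory above names the affected upstream range (1.16 and later, prior to 1.19.2), while Mageia ships a backported fix under the same upstream version with a bumped release (1.18.3-1.1.mga8). The following is an added example, not a Mageia or MIT krb5 tool, of how to combine both checks: an rpm-style version comparison, the upstream range test, and a name-version-release comparison against the fixed build so that a distribution backport is recognised as patched. The older build string "krb5-1.18.3-1.mga8" used in the usage section is a constructed placeholder for a pre-fix package, not a version taken from this bug.

```python
"""Assess a krb5 package against the CVE-2021-36222 range given in the advisory.

Added example for this bug page; not part of Mageia's or MIT krb5's tooling.
Assumptions: versions compare roughly as rpmvercmp does, and package strings
are of the form name-version-release (e.g. krb5-1.18.3-1.1.mga8).
"""
import re

# Range stated in the advisory: 1.16 and later, prior to 1.19.2.
AFFECTED_FROM = "1.16"
FIXED_UPSTREAM = "1.19.2"
# Fixed Mageia 8 build named in the advisory.
MGA8_FIXED_NEVR = "krb5-1.18.3-1.1.mga8"


def _segments(s):
    """Split a version into numeric and alphabetic chunks, as rpmvercmp does,
    so that 1.18.10 sorts after 1.18.3 rather than before it."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1. Numeric segments compare as
    integers, alphabetic ones lexically, a numeric segment beats an alphabetic
    one, and on a common prefix the longer version is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def upstream_affected(version):
    """True if the bare upstream version lies in [1.16, 1.19.2)."""
    return (rpm_vercmp(version, AFFECTED_FROM) >= 0
            and rpm_vercmp(version, FIXED_UPSTREAM) < 0)


def parse_nevr(nevr):
    """Split 'name-version-release'; the name itself may contain dashes."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)", nevr)
    if not m:
        raise ValueError(f"not a name-version-release string: {nevr!r}")
    return m.group(1), m.group(2), m.group(3)


def distro_patched(installed_nevr, fixed_nevr):
    """True if the installed build is at or past the distribution's fixed
    build: compare upstream version first, then the packaging release, so a
    backport (same version, higher release) counts as fixed."""
    n1, v1, r1 = parse_nevr(installed_nevr)
    n2, v2, r2 = parse_nevr(fixed_nevr)
    if n1 != n2:
        raise ValueError(f"package names differ: {n1} vs {n2}")
    c = rpm_vercmp(v1, v2)
    if c != 0:
        return c > 0
    return rpm_vercmp(r1, r2) >= 0


def assess(installed_nevr, fixed_nevr=None):
    """Return 'not affected', 'patched' or 'vulnerable' for one package.
    Only the KDC (krb5-server) exposes the flaw, so the verdict matters most
    for that package; the library packages share the version string."""
    _, version, _ = parse_nevr(installed_nevr)
    if not upstream_affected(version):
        return "not affected"
    if fixed_nevr is not None and distro_patched(installed_nevr, fixed_nevr):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # "krb5-1.18.3-1.mga8" is a constructed pre-fix build, not from the bug.
    for pkg in ("krb5-1.18.3-1.1.mga8", "krb5-1.18.3-1.mga8", "krb5-1.19.2-1.mga9"):
        print(pkg, "->", assess(pkg, MGA8_FIXED_NEVR))
```

The two-step check matters because a plain version-range test would flag the fixed Mageia build as vulnerable: its upstream version is still 1.18.3, and only the release field records the backport.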

CC: (none) => ouaurelien

Comment 6 Dave Hodgins 2021-07-20 01:40:49 CEST
If comment 5 is indicating the packages have been rebuilt, the release needs
to be bumped to get the replaced testing versions to propagate to the mirrors.

As is, no change from comment 4 as krlogin appears to be a no-op.
Comment 7 David Walser 2021-07-20 02:06:31 CEST
No, Comment 5 was just an advisory.  There hasn't been a response from Guillaume yet.
Comment 8 David Walser 2021-07-21 17:22:05 CEST
Fedora has issued an advisory for 1.18.x today (July 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FXO2RMANKAFCHYZB2DUHXIYIHVD26JDB/
Comment 9 Dave Hodgins 2021-07-22 20:53:21 CEST
Adding the feedback tag as per comment 6 and comment 4

Keywords: (none) => feedback

Comment 10 David Walser 2021-08-10 16:20:05 CEST
I recommend filing a new bug for the krlogin issue and validating this.
Comment 11 Dave Hodgins 2021-08-10 21:01:52 CEST
Why? If you can't log in to the key distribution center, no Kerberos-based
applications can work. For example, telnet (after setting it up just like in m7
where it works) ...
$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.

A KDC null deref is a denial of service that the update is supposed to fix.
With the key distribution center not working, there is no service to deny, and
the update does nothing. Without a fix, the package should be dropped from
cauldron.
Comment 12 David Walser 2021-08-10 21:11:55 CEST
Well, we can't drop the package because krb5 is more than a KDC, it's also the Kerberos 5 library which is used by a ton of packages. Since the vulnerability itself seems to just affect the server part and not the library, then you have a valid point on the update not being as important. Perhaps Guillaume knows some way to make it work.
Comment 13 Dave Hodgins 2021-08-10 22:59:51 CEST
Regarding comment 11, that's after a non-working krlogin ...

[dave@x3 ~]$ kinit
Password for dave@X8T.HODGINS.HOMEIP.NET: 
[dave@x3 ~]$ krlogin x8t.hodgins.homeip.net
[dave@x3 ~]$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.

Regarding comment 12. Perhaps the package could be altered to only generate
the lib packages, not the krb5-... packages in future.
Comment 14 Dave Hodgins 2021-08-10 23:39:38 CEST
Forgot to show the kinit ...

[dave@x3 ~]$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_500)
[dave@x3 ~]$ kinit
Password for dave@X8T.HODGINS.HOMEIP.NET: 
[dave@x3 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dave@X8T.HODGINS.HOMEIP.NET

Valid starting       Expires              Service principal
2021-08-10 17:37:31  2021-08-11 17:37:31  krbtgt/X8T.HODGINS.HOMEIP.NET@X8T.HODGINS.HOMEIP.NET
        renew until 2021-08-10 17:37:31
[dave@x3 ~]$ krlogin x8t.hodgins.homeip.net
[dave@x3 ~]$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.
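The klist output in comment 14 is the evidence that a TGT was issued; reading it by hand is fine for one host, but a QA run across several machines benefits from a parser. The following is an added example, not part of this bug, of MIT krb5 or of the Mageia QA procedure, that parses that output, locates the krbtgt entry, checks it against a given time and realm, and reports whether the ticket is renewable. It assumes the timestamp layout klist printed in comment 14 (klist's date format is locale dependent), and the embedded sample is the cache listing copied from that comment.

```python
"""Parse `klist` output and report the state of the TGT it lists.

Added example for this bug page, not a MIT krb5 or Mageia tool.
Assumes the "YYYY-MM-DD HH:MM:SS" timestamp layout shown in comment 14.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Cache listing copied from comment 14 of this bug.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dave@X8T.HODGINS.HOMEIP.NET

Valid starting       Expires              Service principal
2021-08-10 17:37:31  2021-08-11 17:37:31  krbtgt/X8T.HODGINS.HOMEIP.NET@X8T.HODGINS.HOMEIP.NET
        renew until 2021-08-10 17:37:31
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
TS_FMT = "%Y-%m-%d %H:%M:%S"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS})\s*$")


@dataclass
class Ticket:
    start: datetime
    expires: datetime
    service: str
    renew_until: Optional[datetime] = None

    def is_tgt(self) -> bool:
        return self.service.startswith("krbtgt/")

    def realm(self) -> str:
        # Realm is the part after the last '@' of the service principal.
        return self.service.rsplit("@", 1)[-1]

    def valid_at(self, when: datetime) -> bool:
        return self.start <= when < self.expires

    def renewable(self) -> bool:
        # A renew-until time no later than the expiry (as in the sample, where
        # it equals the start time) means the ticket cannot be renewed at all.
        return self.renew_until is not None and self.renew_until > self.expires


def parse_klist(text: str) -> Tuple[Optional[str], str, List[Ticket]]:
    """Return (cache, principal, tickets); raise ValueError when klist reported
    that no credentials cache exists or printed no principal line."""
    if "No credentials cache found" in text:
        raise ValueError("no credentials cache")
    cache = None
    principal = None
    tickets: List[Ticket] = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            tickets.append(Ticket(datetime.strptime(m.group(1), TS_FMT),
                                  datetime.strptime(m.group(2), TS_FMT),
                                  m.group(3)))
        elif (m := RENEW_RE.match(line)) and tickets:
            # The "renew until" line belongs to the ticket printed just above.
            tickets[-1].renew_until = datetime.strptime(m.group(1), TS_FMT)
    if principal is None:
        raise ValueError("no 'Default principal' line found")
    return cache, principal, tickets


def tgt_status(text: str, realm: str, now: str) -> str:
    """Classify the TGT in a klist listing at time `now` (TS_FMT string):
    'missing', 'wrong-realm', 'expired' or 'valid'."""
    try:
        _, _, tickets = parse_klist(text)
    except ValueError:
        return "missing"
    when = datetime.strptime(now, TS_FMT)
    tgts = [t for t in tickets if t.is_tgt()]
    if not tgts:
        return "missing"
    for t in tgts:
        if t.realm() == realm:
            return "valid" if t.valid_at(when) else "expired"
    return "wrong-realm"


if __name__ == "__main__":
    print(tgt_status(SAMPLE_KLIST, "X8T.HODGINS.HOMEIP.NET", "2021-08-10 18:00:00"))
```

A "valid" result only confirms that the AS exchange with the KDC succeeded and the cache holds a usable TGT; whether an application such as krlogin then obtains and uses a service ticket is a separate step that this listing does not show.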
Comment 15 David Walser 2021-08-21 18:31:28 CEST
Fedora has issued an advisory today (August 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P7AFEQGFR3FNSR2E7F6TUACWHAX2J4PQ/

Status comment: (none) => Patch available from Fedora
Assignee: qa-bugs => guillomovitch
Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO
Keywords: feedback => (none)
Summary: krb5 new security issue CVE-2021-36222 => krb5 new security issues CVE-2021-36222 and CVE-2021-37750
