Bug 29260 - krb5 new security issues CVE-2021-36222 and CVE-2021-37750
Summary: krb5 new security issues CVE-2021-36222 and CVE-2021-37750
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2021-07-14 16:46 CEST by David Walser
Modified: 2022-09-19 09:31 CEST

See Also:
Source RPM: krb5-1.19.1-1.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2021-07-14 16:46:43 CEST
Fedora has issued an advisory today (July 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCCYLGJLCVVNJVOQKUGKXR2SNQIPFBFS/

Mageia 8 is also affected.

David Walser 2021-07-14 16:46:56 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Dave Hodgins 2021-07-14 19:44:00 CEST
Also, krlogin on mga8 does not appear to function. It was working on mga7.
https://bugs.mageia.org/show_bug.cgi?id=28460#c8

CC: (none) => davidwhodgins

Comment 2 Nicolas Lécureuil 2021-07-16 00:23:02 CEST
Fixed in cauldron and mga8

src:
     - krb5-1.18.3-1.1.mga8

CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Assignee: guillomovitch => qa-bugs
Version: Cauldron => 8

Comment 3 David Walser 2021-07-16 01:44:55 CEST
krb5-1.18.3-1.1.mga8
krb5-workstation-1.18.3-1.1.mga8
libkrb53-1.18.3-1.1.mga8
krb5-server-1.18.3-1.1.mga8
libkrb53-devel-1.18.3-1.1.mga8
krb5-server-ldap-1.18.3-1.1.mga8
krb5-pkinit-1.18.3-1.1.mga8

from krb5-1.18.3-1.1.mga8.src.rpm

Status comment: Patch available from Fedora => (none)

Comment 4 Dave Hodgins 2021-07-16 02:47:17 CEST
Used the procedure at https://wiki.mageia.org/en/QA_procedure:Krb5
to install krb5 and set it up with the above packages in qarepo.

I also made sure krb5kdc.service and kadmin.service were enabled and running.

It installs and sets up cleanly, however the failure of krlogin to function
noted in comment 1 is still present.

While this is not a regression over the prior mga8 versions, it is a regression
from Mageia 7.

We can validate it based on a clean install and no regression over the prior
version, but I'd prefer to fix whatever is causing krlogin to do nothing and
fix it, whether it's a packaging change or a change in the test procedure that's
needed.

Ideas?

Adding Guillaume back to the cc list as the registered maintainer for krb5.

CC: (none) => guillomovitch

Comment 5 Aurelien Oudelet 2021-07-19 22:44:47 CEST
Advisory:
========================

Updated krb5 packages fix security vulnerability:

In MIT krb5 releases 1.16 and later prior to 1.19.2, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST (CVE-2021-36222).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29260
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36222
 - https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-36222
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCCYLGJLCVVNJVOQKUGKXR2SNQIPFBFS/
========================

Updated packages in core/updates_testing:
========================
krb5-1.18.3-1.1.mga8
krb5-pkinit-1.18.3-1.1.mga8
krb5-server-1.18.3-1.1.mga8
krb5-server-ldap-1.18.3-1.1.mga8
krb5-workstation-1.18.3-1.1.mga8
lib(64)krb53-1.18.3-1.1.mga8
lib(64)krb53-devel-1.18.3-1.1.mga8

from SRPM:
krb5-1.18.3-1.1.mga8.src.rpm

CC: (none) => ouaurelien

Comment 6 Dave Hodgins 2021-07-20 01:40:49 CEST
If comment 5 is indicating the packages have been rebuilt, the release needs
to be bumped to get the replaced testing versions to propagate to the mirrors.

As is, no change from comment 4 as krlogin appears to be a no-op.

Comment 7 David Walser 2021-07-20 02:06:31 CEST
No, Comment 5 was just an advisory.  There hasn't been a response from Guillaume yet.

Comment 8 David Walser 2021-07-21 17:22:05 CEST
Fedora has issued an advisory for 1.18.x today (July 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FXO2RMANKAFCHYZB2DUHXIYIHVD26JDB/

Comment 9 Dave Hodgins 2021-07-22 20:53:21 CEST
Adding the feedback tag as per comment 6 and comment 4

Keywords: (none) => feedback

Comment 10 David Walser 2021-08-10 16:20:05 CEST
I recommend filing a new bug for the krlogin issue and validating this.

Comment 11 Dave Hodgins 2021-08-10 21:01:52 CEST
Why? If you can't log in to the key distribution center, no Kerberos-based
applications can work. For example telnet (after setting it up just like in m7
where it works)  ...
$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.

A KDC null deref is a denial of service that the update is supposed to fix.
With the key distribution center not working, there is no service to deny, and
the update does nothing. Without a fix, the package should be dropped from
cauldron.

Comment 12 David Walser 2021-08-10 21:11:55 CEST
Well, we can't drop the package because krb5 is more than a KDC, it's also the Kerberos 5 library which is used by a ton of packages.  Since the vulnerability itself seems to just affect the server part and not the library, then you have a valid point on the update not being as important.  Perhaps Guillaume knows some way to make it work.

Comment 13 Dave Hodgins 2021-08-10 22:59:51 CEST
Regarding comment 11, that's after a non-working krlogin ...

[dave@x3 ~]$ kinit
Password for dave@X8T.HODGINS.HOMEIP.NET: 
[dave@x3 ~]$ krlogin x8t.hodgins.homeip.net
[dave@x3 ~]$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.

Regarding comment 12. Perhaps the package could be altered to only generate
the lib packages, not the krb5-... packages in future.

Comment 14 Dave Hodgins 2021-08-10 23:39:38 CEST
Forgot to show the kinit ...

[dave@x3 ~]$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_500)
[dave@x3 ~]$ kinit
Password for dave@X8T.HODGINS.HOMEIP.NET: 
[dave@x3 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dave@X8T.HODGINS.HOMEIP.NET

Valid starting       Expires              Service principal
2021-08-10 17:37:31  2021-08-11 17:37:31  krbtgt/X8T.HODGINS.HOMEIP.NET@X8T.HODGINS.HOMEIP.NET
        renew until 2021-08-10 17:37:31
[dave@x3 ~]$ krlogin x8t.hodgins.homeip.net
[dave@x3 ~]$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.

Comment 15 David Walser 2021-08-21 18:31:28 CEST
Fedora has issued an advisory today (August 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P7AFEQGFR3FNSR2E7F6TUACWHAX2J4PQ/

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO
Keywords: feedback => (none)
Version: 8 => Cauldron
Assignee: qa-bugs => guillomovitch
Summary: krb5 new security issue CVE-2021-36222 => krb5 new security issues CVE-2021-36222 and CVE-2021-37750

Comment 16 David Walser 2021-10-18 21:33:29 CEST
(In reply to David Walser from comment #15)
> Fedora has issued an advisory today (August 21):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P7AFEQGFR3FNSR2E7F6TUACWHAX2J4PQ/

openSUSE has issued an advisory for this today (October 18):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4LN5FUC4TZVB7GKLTDOBR7UQD6W4262A/

Comment 17 Nicolas Lécureuil 2021-12-07 00:28:08 CET
new CVE is now fixed in mga8:


src:
    - krb5-1.18.3-1.2.mga8


Unfortunately it does not build on cauldron.

Status comment: Patch available from Fedora => (none)

Comment 18 David Walser 2021-12-07 00:31:03 CET
libkrb53-1.18.3-1.2.mga8
krb5-workstation-1.18.3-1.2.mga8
krb5-server-1.18.3-1.2.mga8
libkrb53-devel-1.18.3-1.2.mga8
krb5-server-ldap-1.18.3-1.2.mga8
krb5-1.18.3-1.2.mga8
krb5-pkinit-1.18.3-1.2.mga8

from krb5-1.18.3-1.2.mga8.src.rpm

Status comment: (none) => Build failure in Cauldron
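
An added example, not from the bug thread or Mageia's tooling: the advisory in comment 5 gives an upstream range (1.16 and later, prior to 1.19.2), while the fixed Mageia 8 builds are 1.18.3-1.1.mga8 and 1.18.3-1.2.mga8, so a check on the upstream version alone still flags the patched packages. The sketch below compares the release field instead; the comparison routine is a simplified stand-in for rpm's own, and the older build string in the demo is constructed.

```python
import re

# Fixed Mageia 8 builds named in this bug (comment 2 and comment 17).
MGA8_FIXED = {
    "CVE-2021-36222": ("1.18.3", "1.1.mga8"),
    "CVE-2021-37750": ("1.18.3", "1.2.mga8"),
}
# Upstream range from the advisory text for CVE-2021-36222: 1.16 <= v < 1.19.2.
UPSTREAM_36222 = ("1.16", "1.19.2")


def rpmvercmp(a, b):
    """Simplified rpm-style comparison: returns -1, 0 or 1 (no '~'/'^' rules)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def upstream_range_flags(version):
    """True when the bare upstream version falls in the advisory's range."""
    lo, hi = UPSTREAM_36222
    return rpmvercmp(version, lo) >= 0 and rpmvercmp(version, hi) < 0


def mga8_fixed(version_release):
    """Map each CVE to True when an mga8 build is at or past the fixed build."""
    version, _, release = version_release.partition("-")
    if not release.endswith(".mga8"):
        raise ValueError("fixed builds on this page are for Mageia 8 only")
    status = {}
    for cve, (fix_ver, fix_rel) in MGA8_FIXED.items():
        order = rpmvercmp(version, fix_ver) or rpmvercmp(release, fix_rel)
        status[cve] = order >= 0
    return status


if __name__ == "__main__":
    # Constructed inputs: the two fixed builds plus a made-up older release.
    for vr in ("1.18.3-1.mga8", "1.18.3-1.1.mga8", "1.18.3-1.2.mga8"):
        print(vr, upstream_range_flags(vr.split("-")[0]), mga8_fixed(vr))
```

The installed value to feed in can be read with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' krb5`.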

Comment 19 Nicolas Lécureuil 2021-12-11 00:21:52 CET
build fixed in cauldron.

Version: Cauldron => 8
Status comment: Build failure in Cauldron => (none)
Whiteboard: MGA8TOO => (none)
Assignee: guillomovitch => qa-bugs

Comment 20 Herman Viaene 2021-12-11 12:00:45 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Tried to follow the wiki as I did in bug 24068 Comment 4, but ran into trouble
# ./bin/krb5_server_setup.sh tester8
Checking dns setup for mach5.hviaene.thuis
Good. Forward and reverse dsn settings for mach5.hviaene.thuis match
The realm name will be set to MACH5.HVIAENE.THUIS
Het volgende pakket moet worden verwijderd om andere te kunnen opwaarderen:
rsh-0.17-36.1.mga8.x86_64
 (vanwege conflicten met krb5-appl-clients) (j/N) j


    $MIRRORLIST: media/core/updates/krb5-appl-clients-1.0.3-13.1.mga8.x86_64.rpm
    $MIRRORLIST: media/core/updates/krb5-appl-servers-1.0.3-13.1.mga8.x86_64.rpm                                                                                                                                    
installeren van krb5-appl-servers-1.0.3-13.1.mga8.x86_64.rpm krb5-appl-clients-1.0.3-13.1.mga8.x86_64.rpm vanaf /var/cache/urpmi/rpms                                                                               
Voorbereiden...                  ##################################################################################################################################################################################
      1/2: krb5-appl-clients     ##################################################################################################################################################################################
      2/2: krb5-appl-servers     ##################################################################################################################################################################################
bezig met verwijderen van pakket rsh-0.17-36.1.mga8.x86_64
      1/1: verwijderen van rsh-0.17-36.1.mga8.x86_64
                                 ##################################################################################################################################################################################
Setting realm name in /var/lib/krb5kdc/kdc.conf
Removing '#' characters and setting realm and host names in /etc/krb5.conf
Setting realm name in /var/lib/krb5kdc/kadm5.acl
Creating database in /var/lib/krb5kdc/principal
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'MACH5.HVIAENE.THUIS',
master key name 'K/M@MACH5.HVIAENE.THUIS'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
Redirecting to /bin/systemctl start krb5kdc.service
Redirecting to /bin/systemctl start kadmin.service
kerberos server setup complete
systemd
Opmerking: Verzoek wordt doorgestuurd naar 'systemctl enable krb5kdc.service'.
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service.
systemd
Opmerking: Verzoek wordt doorgestuurd naar 'systemctl enable kadmin.service'.
Created symlink /etc/systemd/system/multi-user.target.wants/kadmin.service → /usr/lib/systemd/system/kadmin.service.
Copy /etc/krb5.conf to any client stations, and install krb5-appl-clients on them

And subsequent gets (of course)
$ kinit
kinit: No KCM server found while getting default ccache

CC: (none) => herman.viaene

Comment 21 Dave Hodgins 2021-12-11 21:17:16 CET
krlogin still fails to do anything.

[dave@x8v ~]$ kinit
Password for dave@X8V.HODGINS.HOMEIP.NET: 
[dave@x8v ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dave@X8V.HODGINS.HOMEIP.NET

Valid starting       Expires              Service principal
2021-12-11 15:10:02  2021-12-12 15:10:02  krbtgt/X8V.HODGINS.HOMEIP.NET@X8V.HODGINS.HOMEIP.NET
        renew until 2021-12-11 15:10:02
[dave@x8v ~]$ krlogin $(hostname)
[dave@x8v ~]$ telnet x8v.hodgins.homeip.net
Trying 192.168.10.112...
Connected to x8v.hodgins.homeip.net (192.168.10.112).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.

If I try by ip address, I at least get an error message indicating the krlogin
is being processed.
[dave@x8v ~]$ krlogin x8v.hodgins.homeip.net
[dave@x8v ~]$ host x8v.hodgins.homeip.net
x8v.hodgins.homeip.net has address 192.168.10.112
[dave@x8v ~]$ krlogin 192.168.10.112
error getting credentials: Server not found in Kerberos database

This appears to show that krlogin is getting the request, it's just failing
to set up the encrypted connection, without any error message.

This is the same as in comment 1.

Comment 22 Dave Hodgins 2021-12-11 21:19:37 CET
Adding the feedback marker again.

Keywords: (none) => feedback

Comment 23 Morgan Leijström 2022-09-19 09:31:27 CEST
I am just bumping this because it has been sitting 282 days.

CC: (none) => fri

