A new vulnerability, identified as CVE-2023-36054, has been discovered in the codebase of MIT Kerberos 5 (Krb5). This security flaw affects versions before 1.20.2 and 1.21.x before 1.21.1. By exploiting this vulnerability, a remote authenticated user can trigger a crash in kadmind, which is the administrative server for managing Kerberos principals, policies, and service keys. The issue stems from _xdr_kadm5_principal_ent_rec, which fails to validate the relationship between n_key_data and the key_data array count, resulting in the freeing of an uninitialized pointer.

Original References

- MIT KRB5 Security Advisory: https://github.com/krb5/krb5/blob/master/doc/README.kadmind_crash
- MITRE CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36054

Affected Code Snippet

The problematic code can be found inside the file lib/kadm5/kadm_rpc_xdr.c. The function _xdr_kadm5_principal_ent_rec fails to carry out the necessary validation between n_key_data and the key_data array.

bool_t
_xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp)
{
    register int32_t *buf;
...
    /* n_key_data is handed to xdr_array as the element count; nothing here
     * checks it against the size of the key_data array that was actually
     * decoded, which is the defect described above. */
    if (!xdr_array(xdrs, (caddr_t *)&objp->key_data, (u_int *)&objp->n_key_data,
                   0xffffffff, sizeof(kadm5_key_data),
                   (xdrproc_t)xdr_kadm5_key_data))
        return FALSE;
    return (xdr_u_int32(xdrs, &objp->pw_expiration) &&
            xdr_u_int32(xdrs, &objp->last_pw_change) &&
            ... );  /* remaining fields elided */

Exploit Details

To exploit this vulnerability, an attacker needs a valid authentication token for a remote connection to kadmind. After authenticating, the attacker sends a malformed request to the kadmind server in which the n_key_data value and the key_data array do not match.

When _xdr_kadm5_principal_ent_rec is then called, the mismatch between the decoded array size and the n_key_data value leads to the freeing of an uninitialized pointer, crashing the kadmind server.
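To make the count mismatch concrete, the following is an added, constructed model and not krb5's code: the structure, the two-word message format and the free_overrun accounting are assumptions made for the illustration. It decodes n_key_data as its own field, then an xdr_array-style array that carries its own count, reports how many entries a free routine that trusts n_key_data would walk past the allocation, and shows the checked decoder rejecting the mismatch before anything is allocated.

```c
/* Constructed model of the CVE-2023-36054 count mismatch; not krb5 code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct { void *contents; } key_data_t;   /* the pointer a free routine would free */
typedef struct {
    int32_t n_key_data;    /* count sent as its own field, like kadm5's n_key_data */
    uint32_t allocated;    /* entries actually allocated from the array's own wire count */
    key_data_t *key_data;
} principal_ent_t;

/* Big-endian 32-bit word number i of a buffer: how XDR encodes integers. */
static uint32_t word(const unsigned char *b, size_t i) {
    b += 4 * i;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}
/* Decode n_key_data, then an xdr_array-style array carrying its own count.
 * check_counts=false never compares the two (the flaw); true rejects a mismatch (the fix). */
static bool decode_principal(const unsigned char *msg, size_t len,
                             principal_ent_t *ent, bool check_counts) {
    if (len < 8) return false;
    uint32_t declared = word(msg, 0), count = word(msg, 1);
    if (check_counts && declared != count) return false;
    ent->n_key_data = (int32_t)declared;
    ent->allocated = count;
    ent->key_data = count ? calloc(count, sizeof(key_data_t)) : NULL;
    return count == 0 || ent->key_data != NULL;
}
/* A free routine that trusts n_key_data would free key_data[i].contents for
 * i in [allocated, n_key_data): pointers it never allocated. Report that span. */
static uint32_t free_overrun(const principal_ent_t *ent) {
    uint32_t n = ent->n_key_data > 0 ? (uint32_t)ent->n_key_data : 0;
    return n > ent->allocated ? n - ent->allocated : 0;
}
/* Constructed message: n_key_data claims 4 entries, the array carries 1. */
static const unsigned char MALFORMED[] = { 0,0,0,4, 0,0,0,1 };

uint32_t vulnerable_overrun(void) {   /* 3 entries past the allocation */
    principal_ent_t ent = { 0 };
    uint32_t over = decode_principal(MALFORMED, sizeof MALFORMED, &ent, false)
                    ? free_overrun(&ent) : 0;
    free(ent.key_data);
    return over;
}
bool hardened_rejects(void) {         /* true: decode fails, nothing allocated */
    principal_ent_t ent = { 0 };
    bool rejected = !decode_principal(MALFORMED, sizeof MALFORMED, &ent, true);
    return rejected && ent.key_data == NULL;
}
```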

Mitigation

To address this vulnerability, update to a fixed release of MIT Kerberos 5 (krb5): 1.20.2, 1.21.1, or any later version. The updated software can be downloaded from the following link:

- https://web.mit.edu/kerberos/krb5-latest.html

In addition, access to the kadmind service should be restricted to trusted users and administrators, and network access to the service limited with packet filters and firewalls.

Conclusion

The CVE-2023-36054 vulnerability in MIT Kerberos 5 could enable an authenticated attacker to crash the kadmind server, disrupting service for users and administrators. Updating your krb5 software to a patched version and restricting access to the kadmind service protects your systems against this flaw.

Timeline

Published on: 08/07/2023 19:15:00 UTC
Last modified on: 08/15/2023 17:57:00 UTC