From: Simon Josefsson
Subject: [SECURITY ADVISORY] gsasl: Server out-of-bounds read with authenticated malicious GSS-API client
Date: Fri, 15 Jul 2022 18:01:25 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Server out-of-bounds read with authenticated malicious GSS-API client
=====================================================================

Security Vulnerability
----------------------

A malicious client can, after it has authenticated with Kerberos, send a
specially crafted message that causes Libgsasl to read out of bounds
and crash the server.

The vulnerability only occurs on the server; only when Libgsasl is
built with GSS-API support; and only after the server has completed a
successful Kerberos authentication.

We are not aware of any exploit of this flaw.

Information
-----------

The problem was found during internal code review when writing CI/CD
test cases covering the relevant code.

The vulnerability has been in GNU SASL since the initial commit on
2002-10-07 that went into version 0.0.0:

https://gitlab.com/gsasl/gsasl/-/blob/a6ad380cf0ec51561b4cc58fae98e5c68d28d325/lib/gssapi.c#L504

The code from version 2.0.0 is here:

https://gitlab.com/gsasl/gsasl/-/blob/v2.0.0/lib/gssapi/server.c#L205

It unpacks a buffer using gss_unwrap (which decrypts the buffer and
integrity-checks that it comes from an authenticated client) and then
fails to check buffer length conditions before reading from the string.
The code incorrectly trusts the already authenticated client to send
only messages conforming to the protocol, when it should have carefully
verified that this is the case.
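The following is an added illustration of the missing check, not code from Libgsasl or from the patch. It assumes the RFC 4752 layout of the client's final token after gss_unwrap (one byte of security-layer bitmask, a 24-bit maximum buffer size, then an optional authorization identity) and shows a parser that validates the plaintext length before touching any byte, so a short crafted message is rejected instead of read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fields of the RFC 4752 final client token (layout assumed from the RFC). */
struct gssapi_client_final {
    uint8_t  sec_layer_mask; /* 1 = no layer, 2 = integrity, 4 = confidentiality */
    uint32_t max_buffer;     /* 24-bit maximum message size, network byte order */
    char     authzid[256];   /* optional authorization identity, not NUL-terminated on the wire */
};

/* Parse the gss_unwrap() plaintext. Returns 0 on success, -1 on a
 * malformed token. The length check is the one a server must perform:
 * without it, reading buf[0..3] from a 0-3 byte plaintext is an
 * out-of-bounds read, even though gss_unwrap has already verified the
 * message came from the authenticated client. */
int parse_client_final(const unsigned char *buf, size_t len,
                       struct gssapi_client_final *out)
{
    if (buf == NULL || out == NULL || len < 4)
        return -1;                       /* too short: reject, do not read */

    out->sec_layer_mask = buf[0];
    /* RFC 4752: the client selects exactly one layer by setting a single bit. */
    if (out->sec_layer_mask != 1 && out->sec_layer_mask != 2 &&
        out->sec_layer_mask != 4)
        return -1;

    out->max_buffer = ((uint32_t)buf[1] << 16) |
                      ((uint32_t)buf[2] << 8)  |
                      (uint32_t)buf[3];

    /* Everything after the 4-byte header is the authzid; bound the copy. */
    size_t authzid_len = len - 4;
    if (authzid_len >= sizeof out->authzid)
        return -1;
    memcpy(out->authzid, buf + 4, authzid_len);
    out->authzid[authzid_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: no security layer, max buffer 4096, authzid "alice". */
    const unsigned char tok[] = { 0x01, 0x00, 0x10, 0x00, 'a', 'l', 'i', 'c', 'e' };
    struct gssapi_client_final f;
    return parse_client_final(tok, sizeof tok, &f) == 0 ? 0 : 1;
}
```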

Affected versions
-----------------

All versions of GNU SASL released before version 2.0.1.

Solution
--------

Version 2.0.1 includes the following patch:

https://gitlab.com/gsasl/gsasl/-/commit/796e4197f696261c1f872d7576371232330bcc30

We recommend that you upgrade to version 2.0.1; only if that is too
impractical do we recommend applying the patch instead.

History
-------

The problem was discovered on 2022-07-14 and the first version of this
advisory was released on 2022-07-15 together with a patch and the new
release 2.0.1.

Credits
-------

Report and patch by Simon Josefsson.
