Re: [Heimdal-announce] Heimdal 7.4 security release announcement.

Andrew Bartlett
On Tue, 2017-07-11 at 14:34 -0400, [hidden email] wrote:

> Dear Heimdal Community,
>
> A team consisting of staff from Two Sigma Open Source and AuriStor are
> pleased to announce the release of Heimdal 7.4.
>
> The release download page is:
>
>     https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0
>
> The source tarball can be downloaded from:
>
>     https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz
>     https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz.sig
>
>     SHA256(heimdal-7.4.0.tar.gz)= 3de14ecd36ad21c1694a13da347512b047f4010d176fe412820664cb5d1429ad
>     SHA1(heimdal-7.4.0.tar.gz)= e496db36f8a232c3b1aa87a1e08f299b6f8f57a5
>
> The signature key fingerprint is: E659 41B7 1CF3 C459 A34F  A89C 45E7 572A 28CD 8CC8
>
> Changes in Heimdal 7.4:
>
>  Security
>
>  - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
>
>    This is a critical vulnerability.
>
>    In _krb5_extract_ticket() the KDC-REP service name must be obtained from
>    encrypted version stored in 'enc_part' instead of the unencrypted version
>    stored in 'ticket'.  Use of the unencrypted version provides an
>    opportunity for successful server impersonation and other attacks.
>
>    Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
>
>    See https://www.orpheus-lyre.info/ for more details.

Are there any tests for this yet?

I need to port this to a much older release of Samba, and while it
appears to cleanly apply, we have some custom code setting some of the
flags on:
    /*
     * HACK:
     * this is really an ugly hack, to support using the Netbios Domain Name
     * as realm against windows KDC's, they always return the full realm
     * based on the DNS Name.
     */
    flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
    flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;

I plan to write some tests in Samba's test framework, which allows
manipulation of the 'wire' packets via the send_to_kdc handler.

Our bug for this is https://bugzilla.samba.org/show_bug.cgi?id=12894

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
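Added example, not part of the thread and not Heimdal or Samba code: a simplified model of the KDC-REP check described in the quoted advisory, showing why the service name must come from the encrypted enc_part rather than the plaintext Ticket, and what the relaxed mismatch flag discussed above changes. Everything in it is constructed: the principal names, realm and keys; `seal`/`unseal` stand in for Kerberos encryption with an HMAC-SHA256 integrity tag only (no real etype); `extract_ticket`, `kdc_issue`, `mitm_relabel` and `orpheus_lyre_scenario` are hypothetical names; `allow_server_mismatch` is modelled on EXTRACT_TICKET_ALLOW_SERVER_MISMATCH but is not Heimdal's implementation of it.

```python
import hashlib
import hmac
import json

# Constructed key.  A real client uses its long-term key (AS-REP) or the
# TGT session key (TGS-REP); the MITM does not know it either way.
CLIENT_KEY = b"constructed-client-key-0123456789"


def seal(key: bytes, fields: dict) -> dict:
    """Stand-in for encrypting the EncKDCRepPart under the client's key.
    Only integrity is modelled (HMAC-SHA256); this is an assumption of the
    example, not a Kerberos encryption type."""
    body = json.dumps(fields, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


def unseal(key: bytes, blob: dict) -> dict:
    tag = hmac.new(key, blob["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("bad integrity on enc_part")
    return json.loads(blob["body"])


def kdc_issue(client_key: bytes, sname: str, srealm: str, session_key: bytes) -> dict:
    """Honest KDC.  The Ticket carries sname/realm in the clear, and its own
    enc_part is keyed to the service, so the client can neither read nor check
    it.  The EncKDCRepPart repeats sname/srealm under the client's key."""
    return {
        "ticket": {
            "sname": sname,
            "realm": srealm,
            "enc_part": b"<opaque, keyed to " + sname.encode() + b">",
        },
        "enc_part": seal(client_key, {"sname": sname, "srealm": srealm,
                                      "key": session_key.hex()}),
    }


def extract_ticket(rep, client_key, requested, *, use_enc_part=True,
                   allow_server_mismatch=False):
    """Model of the client-side check.  use_enc_part=False reproduces the
    CVE-2017-11103 behaviour (name taken from the plaintext Ticket).
    allow_server_mismatch skips the comparison but, with use_enc_part=True,
    the name handed back still comes from the authenticated part."""
    dec = unseal(client_key, rep["enc_part"])  # raises if the KDC's part was altered
    if use_enc_part:
        server = (dec["sname"], dec["srealm"])
    else:
        server = (rep["ticket"]["sname"], rep["ticket"]["realm"])
    if server != requested and not allow_server_mismatch:
        raise ValueError("server mismatch: asked %r, got %r" % (requested, server))
    return {"server": server, "key": bytes.fromhex(dec["key"]), "ticket": rep["ticket"]}


def mitm_relabel(rep: dict, claimed_sname: str) -> dict:
    """Man-in-the-middle step: nothing the client verifies covers the Ticket's
    plaintext sname, so it can be rewritten to the name the client asked for."""
    forged = dict(rep)
    forged["ticket"] = dict(rep["ticket"], sname=claimed_sname)
    return forged


VICTIM = ("host/victim.example.com", "EXAMPLE.COM")      # constructed
ATTACKER = ("host/attacker.example.com", "EXAMPLE.COM")  # constructed


def orpheus_lyre_scenario(use_enc_part: bool, allow_server_mismatch: bool = False):
    """The client asked for VICTIM.  The MITM rewrote the request so the honest
    KDC issued a ticket for ATTACKER (whose key the MITM holds), then relabelled
    the plaintext Ticket as VICTIM before forwarding the reply."""
    rep = kdc_issue(CLIENT_KEY, ATTACKER[0], ATTACKER[1], bytes(range(16)))
    forged = mitm_relabel(rep, VICTIM[0])
    try:
        creds = extract_ticket(forged, CLIENT_KEY, VICTIM,
                               use_enc_part=use_enc_part,
                               allow_server_mismatch=allow_server_mismatch)
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("accepted", creds["server"][0])


if __name__ == "__main__":
    print("vulnerable:             ", orpheus_lyre_scenario(False))
    print("fixed:                  ", orpheus_lyre_scenario(True))
    print("fixed, mismatch allowed:", orpheus_lyre_scenario(True, True))
```

The vulnerable path accepts the relabelled reply and records a credential for host/victim whose ticket is actually encrypted to the attacker's key; the fixed path rejects it. With the mismatch flag set, as in the Samba hack quoted in the message, the fixed path accepts the reply but reports the attacker's name from the authenticated part, so a caller that inspects the returned server name can still tell what it was really given.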