Segfaults after receiving invalid AS-REQ


Segfaults after receiving invalid AS-REQ

Andreas Haupt-2
Dear all,

we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
Looks like an evil bug to me. Anybody else seeing this?

This is logged into syslog:

Aug 30 01:38:16 fred-vm1 kdc[3364]: No client in request
Aug 30 01:38:16 fred-vm1 kdc[3364]: AS-REQ malformed client name from IPv4:125.212.217.214
Aug 30 01:38:16 fred-vm1 kernel: [1163150.404544] kdc[3364]: segfault at 18 ip 00007f102fb5de22 sp 00007ffe868a7240 error 4 in libasn1.so.8.0.0[7f102fa9c000+d6000]
Aug 30 01:38:16 fred-vm1 journal: Missed 276419 kernel messages
Aug 30 01:38:16 fred-vm1 kernel: kdc[3364]: segfault at 18 ip 00007f102fb5de22 sp 00007ffe868a7240 error 4 in libasn1.so.8.0.0[7f102fa9c000+d6000]
Aug 30 01:38:16 fred-vm1 kdc[3357]: KDC reaped worker process: 3364, term signal 11
Aug 30 01:38:16 fred-vm1 kdc[3357]: KDC worker process started: 29859

Cheers,
Andreas
--
| Andreas Haupt            | E-Mail: [hidden email]
|  DESY Zeuthen            | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6         | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216
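A detection script for the syslog pattern in this post (an added example, not code from the thread or from Heimdal; the sample lines are constructed to mirror the excerpt above, with made-up host, pids and documentation IPs): it counts malformed-client-name AS-REQs per source and pairs each worker segfault or SIGSEGV reap with the last malformed request that worker logged, reporting a pid once even though journald repeats the kernel line.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the syslog excerpt in the first post.
# Host, pids and addresses are made up; 192.0.2.x are documentation IPs.
SAMPLE_LOG = """\
Aug 30 01:38:16 kdc1 kdc[3364]: No client in request
Aug 30 01:38:16 kdc1 kdc[3364]: AS-REQ malformed client name from IPv4:192.0.2.10
Aug 30 01:38:16 kdc1 kernel: [1163150.404544] kdc[3364]: segfault at 18 ip 00007f102fb5de22 sp 00007ffe868a7240 error 4 in libasn1.so.8.0.0[7f102fa9c000+d6000]
Aug 30 01:38:16 kdc1 journal: Missed 276419 kernel messages
Aug 30 01:38:16 kdc1 kernel: kdc[3364]: segfault at 18 ip 00007f102fb5de22 sp 00007ffe868a7240 error 4 in libasn1.so.8.0.0[7f102fa9c000+d6000]
Aug 30 01:38:16 kdc1 kdc[3357]: KDC reaped worker process: 3364, term signal 11
Aug 30 01:38:16 kdc1 kdc[3357]: KDC worker process started: 29859
Aug 30 01:40:02 kdc1 kdc[29859]: No client in request
Aug 30 01:40:02 kdc1 kdc[29859]: AS-REQ malformed client name from IPv4:192.0.2.77
"""

MALFORMED = re.compile(r"kdc\[(\d+)\]: AS-REQ malformed client name from (\S+)")
SEGFAULT = re.compile(r"kernel: (?:\[[\d.]+\] )?kdc\[(\d+)\]: segfault at")
REAPED = re.compile(r"KDC reaped worker process: (\d+), term signal (\d+)")


def malformed_by_source(log_text):
    """Count malformed-client-name AS-REQs per source address (input for rate limiting)."""
    return Counter(m.group(2) for m in map(MALFORMED.search, log_text.splitlines()) if m)


def find_worker_crashes(log_text):
    """Pair each worker crash (kernel segfault line, or reap with signal 11) with the
    last malformed AS-REQ that worker logged. Returns [(worker_pid, source, evidence)].
    A pid is reported once even though the kernel line is repeated via journald."""
    last_malformed = {}          # worker pid -> source of its last malformed AS-REQ
    crashes, reported = [], set()
    for line in log_text.splitlines():
        m = MALFORMED.search(line)
        if m:
            last_malformed[m.group(1)] = m.group(2)
            continue
        evidence = None
        m = SEGFAULT.search(line)
        if m:
            pid, evidence = m.group(1), "segfault"
        else:
            m = REAPED.search(line)
            if m and m.group(2) == "11":
                pid, evidence = m.group(1), "reaped SIGSEGV"
        if evidence and pid in last_malformed and pid not in reported:
            reported.add(pid)
            crashes.append((pid, last_malformed[pid], evidence))
    return crashes


if __name__ == "__main__":
    for pid, source, evidence in find_worker_crashes(SAMPLE_LOG):
        print(f"worker {pid} crashed ({evidence}) after malformed AS-REQ from {source}")
    print(malformed_by_source(SAMPLE_LOG))
```

The second source in the sample sends a malformed request without crashing its worker, so it shows up in the per-source count but not in the crash list; only the correlated pairs are worth paging on.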


Re: Segfaults after receiving invalid AS-REQ

Sergio Gelato
* Andreas Haupt [2017-08-30 09:01:08 +0200]:
> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> Looks like an evil bug to me. Anybody else seeing this?

Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
the next day with the attached patch. No reaction. Not to my status query
the other day either.


fix-20170614.patch (1K)

Re: Segfaults after receiving invalid AS-REQ

Sergio Gelato
* Sergio Gelato [2017-08-30 10:38:30 +0200]:
> * Andreas Haupt [2017-08-30 09:01:08 +0200]:
> > we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
> > a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> > Looks like an evil bug to me. Anybody else seeing this?
>
> Yes. Saw in on 2017-06-14, filed an encrypted bug report to heimdal-bugs
> the next day with the attached patch. No reaction. Not to my status query
> the other day either.

To elaborate: as far as I can tell this is "only" a DoS. Trivial to exploit:
just send an AS-REQ with no cname field (how to make such a packet is left
as an exercise). Can be over UDP.

I'm not sure the shodan user who did this to one of my KDCs that day knew
what (s)he was doing. Haven't had any further problems since I applied that
patch.

Re: Segfaults after receiving invalid AS-REQ

Andreas Haupt-2
In reply to this post by Sergio Gelato
Hi Sergio,

On Wed, 2017-08-30 at 10:38 +0200, Sergio Gelato wrote:
> * Andreas Haupt [2017-08-30 09:01:08 +0200]:
> >
> > we are running KDCs on Heimdal version 7.4. Since the update to version
> > 7.x
> > a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> > Looks like an evil bug to me. Anybody else seeing this?
> Yes. Saw in on 2017-06-14, filed an encrypted bug report to heimdal-bugs
> the next day with the attached patch. No reaction. Not to my status query
> the other day either.

Thanks! I'll try your patch!

Cheers,
Andreas
--
| Andreas Haupt            | E-Mail: [hidden email]
|  DESY Zeuthen            | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6         | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216


Re: Segfaults after receiving invalid AS-REQ

Jeffrey Altman-2
In reply to this post by Sergio Gelato
On 8/30/2017 4:38 AM, Sergio Gelato wrote:
> * Andreas Haupt [2017-08-30 09:01:08 +0200]:
>> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
>> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
>> Looks like an evil bug to me. Anybody else seeing this?
>
> Yes. Saw in on 2017-06-14, filed an encrypted bug report to heimdal-bugs
> the next day with the attached patch. No reaction. Not to my status query
> the other day either.

I diagnosed this problem as well and there is a patch waiting to be
included in a subsequent release.

We did not receive the e-mail you sent to [hidden email].  If we
had we would have responded.  I am now researching where that message is
sitting.

Jeffrey Altman


Re: Segfaults after receiving invalid AS-REQ

Lars-Johan Liman-2
On 8/30/2017 4:38 AM, Sergio Gelato wrote:
>> Yes. Saw in on 2017-06-14, filed an encrypted bug report to heimdal-bugs
>> the next day with the attached patch. No reaction. Not to my status query
>> the other day either.

[hidden email]:
> I diagnosed this problem as well and there is a patch waiting to be
> included in a subsequent release.

Just curious: is this patch available in the Github repository or does
"waiting" mean somewhere else?

                                Cheers,
                                  /Liman
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc.               !  E-mail: [hidden email]
# Senior Systems Specialist             !  Tel: +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm   !  http://www.netnod.se/
#----------------------------------------------------------------------

Re: Segfaults after receiving invalid AS-REQ

Jeffrey Altman-2
On 8/31/2017 5:54 AM, Lars-Johan Liman wrote:

> On 8/30/2017 4:38 AM, Sergio Gelato wrote:
>>> Yes. Saw in on 2017-06-14, filed an encrypted bug report to heimdal-bugs
>>> the next day with the attached patch. No reaction. Not to my status query
>>> the other day either.
>
> [hidden email]:
>> I diagnosed this problem as well and there is a patch waiting to be
>> included in a subsequent release.
>
> Just curious: is this patch available in the Github repository or does
> "waiting" mean somewhere else?
It's not in the repository.

Re: Segfaults after receiving invalid AS-REQ

Lars-Johan Liman-2
On 8/30/2017 4:38 AM, Sergio Gelato wrote:
>>>> Yes. Saw in on 2017-06-14, filed an encrypted bug report to
>>>> heimdal-bugs the next day with the attached patch. No reaction. Not
>>>> to my status query the other day either.

[hidden email]:
>>> I diagnosed this problem as well and there is a patch waiting to be
>>> included in a subsequent release.

On 8/31/2017 5:54 AM, Lars-Johan Liman wrote:
>> Just curious: is this patch available in the Github repository or does
>> "waiting" mean somewhere else?

[hidden email]:
> Its not in the repository.

Ack. Thanks.

                                Cheers,
                                  /Liman

Re: Segfaults after receiving invalid AS-REQ

Patrik Lundin-2
In reply to this post by Jeffrey Altman-2
On 2017-08-30 09:53:50, Jeffrey Altman wrote:

> On 8/30/2017 4:38 AM, Sergio Gelato wrote:
> > * Andreas Haupt [2017-08-30 09:01:08 +0200]:
> >> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
> >> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> >> Looks like an evil bug to me. Anybody else seeing this?
> >
> > Yes. Saw in on 2017-06-14, filed an encrypted bug report to heimdal-bugs
> > the next day with the attached patch. No reaction. Not to my status query
> > the other day either.
>
> I diagnosed this problem as well and there is a patch waiting to be
> included in a subsequent release.
>

Looking at the patch published by Sergio, it appears to me that the
offending variables were introduced 2015-02-13
(a873e21d7c06f22943a90a41dc733ae76799390d). I guess this means releases
prior to this date are safe from this specific DoS while it affects
everything since.

Do you have any idea when a new release fixing this will be made
available?  I am just asking because it appears no official 7.x release
is suitable for use as a public facing KDC at this time.

Regards,
Patrik Lundin

Re: Segfaults after receiving invalid AS-REQ

Patrik Lundin-2
In reply to this post by Lars-Johan Liman-2
On 2017-08-31 15:08:08, Lars-Johan Liman wrote:

> On 8/31/2017 5:54 AM, Lars-Johan Liman wrote:
> >> Just curious: is this patch available in the Github repository or does
> >> "waiting" mean somewhere else?
>
> [hidden email]:
> > Its not in the repository.
>
> Ack. Thanks.
>
> Cheers,
>  /Liman

For anyone interested I saw Debian Security Advisory DSA-4055-1
(relating to newly published CVE-2017-17439) which is regarding the
problem discussed in this thread.

This made me look in the repo and the upstream fix is now public:
https://github.com/heimdal/heimdal/commit/1a6a6e462dc2ac6111f9e02c6852ddec4849b887

Here is an issue with additional information:
https://github.com/heimdal/heimdal/issues/353

--
Patrik Lundin