remctl 2018-04-01 Security Advisory

Russ Allbery-2
Vulnerability type:  Use after free, double free
Versions affected:   3.12 and 3.13
Versions fixed:      3.14 and later
Reported:            2018-03-30
Public announcement: 2018-04-01
CVE IDs:             CVE-2018-0493

Santosh Ananthakrishnan discovered incorrect memory management in the
remctld and remctl-shell servers when handling commands with the sudo
configuration option. For remctld, it may be possible (although it appears
to be difficult) for a client to execute arbitrary commands on the server. To
exploit this vulnerability, the client must have access to run a command
that uses the sudo configuration option. The client would then need to run
the command using sudo multiple times in a single connection using
keep-alive.

I'm not aware of any exploits in the wild. remctl-shell is not affected,
only remctld.

This problem has been fixed in remctl 3.14, available from:

  https://www.eyrie.org/~eagle/software/remctl/

It has also been fixed in Debian stable (stretch) in the 3.13-1+deb9u1
package version, and in Debian unstable in the 3.14-1 package version.
Only the remctl-server package is affected. This bug is not present in
older Debian releases.

My apologies for this memory management error. It's an obvious error in
context and was probably left over from a code refactoring when developing
the sudo feature. I hope to include better automated memory management
testing in the next release of remctl after 3.14.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
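The two preconditions the advisory gives for reachability are an affected upstream version (3.12 or 3.13) and a remctld command configured with the sudo option. The following is an added example, not part of Russ Allbery's post and not remctl's own code, that checks both on a host: it classifies an upstream version string and scans a remctl.conf for command lines carrying a sudo= option. The sample configuration is constructed for the example; the parser assumes the documented remctl.conf layout of `command subcommand executable [option=value ...] acl ...` and does not follow include directives or continuation lines.

```shell
#!/bin/sh
# Added example (not remctl's own code): decide whether a host is exposed to
# CVE-2018-0493 by checking (a) the upstream remctl version and (b) whether
# any remctld configuration line uses the sudo= option, which the advisory
# names as the precondition for reaching the bug.

# is_affected_version VERSION
# Returns 0 (true) for upstream versions 3.12 and 3.13, 1 otherwise.
# Caveat: Debian's fixed package keeps upstream version 3.13
# (3.13-1+deb9u1), so on Debian check the package version with
# "dpkg -s remctl-server" rather than trusting the upstream number alone.
is_affected_version() {
    case "$1" in
        3.12|3.12.*|3.13|3.13.*) return 0 ;;
        *) return 1 ;;
    esac
}

# sudo_commands < remctl.conf
# Prints "command subcommand user" for every non-comment, non-blank config
# line whose option field (fields 4 and up) contains a sudo=USER token.
sudo_commands() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^sudo=/) { sub(/^sudo=/, "", $i); print $1, $2, $i }
        }'
}

# exposed_commands VERSION < remctl.conf
# Prints the sudo-enabled commands only when the version is affected;
# prints nothing for fixed or older versions.
exposed_commands() {
    if is_affected_version "$1"; then
        sudo_commands
    fi
}

# Constructed sample configuration for the example (not a real deployment).
SAMPLE_CONF='# remctl.conf sample
backup run   /usr/local/bin/run-backup  sudo=backup             /etc/remctl/acl/backup
status show  /usr/local/bin/status                              ANYUSER
deploy push  /usr/local/bin/deploy      logmask=2 sudo=deploy   /etc/remctl/acl/deploy
'

# Usage on the sample: with version 3.13 this lists the two sudo commands;
# with 3.14 it lists nothing.
printf '%s' "$SAMPLE_CONF" | exposed_commands 3.13
```

On a real host, feed the actual configuration (`exposed_commands "$(remctld_version)" < /etc/remctl.conf`, with the version obtained however the local package provides it) and treat any output on an affected version as a reason to upgrade to 3.14 or the patched distribution package; an empty result on an affected version only means the sudo precondition is absent, not that the binary is fixed.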