[19711] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Is the vulnerability CVE-2017-11462 applicable to older MIT

daemon@ATHENA.MIT.EDU (Sergey Emantayev)
Wed Jan 17 06:43:12 2018

Date: Wed, 17 Jan 2018 11:42:47 +0000 (UTC)
From: Sergey Emantayev <sergeem@yahoo.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>, Greg Hudson <ghudson@mit.edu>
Message-ID: <1180419751.4953783.1516189367693@mail.yahoo.com>
In-Reply-To: <f9534ab2-e3db-fbc5-f403-d9143131934d@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Greg,
Sorry for the delayed response. How can I identify an incorrect usage of gss_init_sec_context / gss_accept_sec_context?
Thanks,Sergey Emantayev
 

    On Sunday, December 3, 2017, 8:22:28 PM GMT+2, Greg Hudson <ghudson@mit.edu> wrote:  
 
 On 12/03/2017 05:10 AM, Sergey Emantayev wrote:
> We're using a 3rd party software integrated with the MIT Kerberos 5 library version 1.9.1. This is used to communicate to MS Active Directory in Linux. I found a fix is available for the latest versions 1.13, 1.14, 1.15: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598. However should we apply (back port) the fix to our library 1.9.1? I know that they made few patches in the original MIT Kerberos code, I'm in doubt about an upgrade option.

The accept_sec_context part of the change affects 1.9, but the
init_sec_context part does not.

You may also be able to ignore this CVE, if your application correctly
uses the GSS-API.  An exploitable vulnerability only arises when an
application incorrectly uses gss_init_sec_context() or
gss_accept_sec_context().  This was a weird case where we assigned a CVE
based on conformant but less-than-ideally-safe API behavior, because we
knew it had contributed to a vulnerability in at least one caller.
  
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev


home help back first fref pref prev next nref lref last post