Bug#991365: krb5: CVE-2021-36222
Yes, I started working on an upload for buster, but got a bit sidetracked
since the 1.17-3+deb10u1 in the archive was not imported into the packaging
repo previously. I expect to make progress today.

-Ben
Bug#991365: krb5: CVE-2021-36222
Hi Benjamin,

On Wed, Jul 21, 2021 at 10:37:55AM -0700, Benjamin Kaduk wrote:
> On Wed, Jul 21, 2021 at 07:13:49PM +0200, Salvatore Bonaccorso wrote:
> > On Wed, Jul 21, 2021 at 10:01:23AM -0600, Sam Hartman wrote:
> >
> > About buster: Given the above we can fix via the upcoming point
> > release for buster, I guess that can be enough in this case. What
> > would happen if the unauthenticated user "hammers" with it the KDC
> > which is then continuously restarted, what would be the impact? Sorry
> > for my ignorance.
>
> I believe that given the relative network traffic flows, KDC startup time,
> and systemd behavior, a dedicated attacker flooding the "bad" packets
> towards a KDC would be able to effectively DoS the legitimate clients with
> a relatively small outbound pipe. It would not be a full DoS, since some
> legitimate requests would be handled, but the legitimate clients have a
> well-behaved retry and backoff timer and it is easy for the attacker to win
> the race. Sites typically have multiple KDCs for redundancy, but they are
> typically all discoverable by all clients, including the attacker.
> Furthermore, if the KDC is crashing repeatedly on startup, my recollection
> is that systemd will back off how quickly it is restarted and may
> eventually disable the unit entirely.
>
> The mitigating factor here is that an administrator would in theory be able
> to detect the bad traffic and block it with a firewall, but that turns into
> a cat and mouse game that a dedicated attacker will probably win.
>
> Which, all together, might actually support serious after all rather than
> important.

Okay in this case, I guess you convinced me that a DSA might be appropriate.
Would you be available to prepare an update for buster-security accordingly
as well?

I see you filed as well #991374 for an unblock into bullseye, thank you. We
should make sure this gets accepted.

Regards,
Salvatore
Bug#991365: krb5: CVE-2021-36222
On Wed, Jul 21, 2021 at 07:13:49PM +0200, Salvatore Bonaccorso wrote:
> On Wed, Jul 21, 2021 at 10:01:23AM -0600, Sam Hartman wrote:
>
> About buster: Given the above we can fix via the upcoming point
> release for buster, I guess that can be enough in this case. What
> would happen if the unauthenticated user "hammers" with it the KDC
> which is then continuously restarted, what would be the impact? Sorry
> for my ignorance.

I believe that given the relative network traffic flows, KDC startup time,
and systemd behavior, a dedicated attacker flooding the "bad" packets
towards a KDC would be able to effectively DoS the legitimate clients with
a relatively small outbound pipe. It would not be a full DoS, since some
legitimate requests would be handled, but the legitimate clients have a
well-behaved retry and backoff timer and it is easy for the attacker to win
the race. Sites typically have multiple KDCs for redundancy, but they are
typically all discoverable by all clients, including the attacker.
Furthermore, if the KDC is crashing repeatedly on startup, my recollection
is that systemd will back off how quickly it is restarted and may
eventually disable the unit entirely.

The mitigating factor here is that an administrator would in theory be able
to detect the bad traffic and block it with a firewall, but that turns into
a cat and mouse game that a dedicated attacker will probably win.

Which, all together, might actually support serious after all rather than
important.

-Ben
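The mitigation Ben mentions, detecting the bad traffic before it reaches the KDC, can be approximated on the wire. The following is an added example, not code from the bug thread, from Debian or from the krb5 project: it walks the DER of a Kerberos AS-REQ (RFC 4120 section 5.4.1) far enough to list the outer padata types and flags the combination the CVE description gives, a PA-ENCRYPTED-CHALLENGE element (padata-type 138, RFC 6113) present in the outer padata while no PA-FX-FAST element (padata-type 136) is present. With FAST in use the encrypted challenge travels inside the PA-FX-FAST armor, so it never appears at the outer level. The sample requests are constructed inside the block with a stub req-body and are not captures; the DER helpers assume single-byte tags, which every tag on this path uses. Treat a hit as input to a firewall or IDS rule, not as proof that a given packet would crash a particular KDC build.

```python
"""Flag Kerberos AS-REQs carrying PA-ENCRYPTED-CHALLENGE outside FAST.

Added example for the CVE-2021-36222 discussion; not code from the bug
thread, Debian or the krb5 project. It walks the DER of an AS-REQ
(RFC 4120 section 5.4.1) far enough to list the outer padata types, then
flags padata-type 138 (PA-ENCRYPTED-CHALLENGE, RFC 6113) present while
padata-type 136 (PA-FX-FAST) is absent, which is the shape the CVE
description gives. Sample requests are constructed below with a stub
req-body; they are not real captures.
"""

PA_FX_FAST = 136              # RFC 6113 padata type carrying the FAST armor
PA_ENCRYPTED_CHALLENGE = 138  # RFC 6113 padata type, meant to live inside FAST

# --- minimal DER helpers (single-byte tags; all tags on this path qualify) ---

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _tlv(tag, content):
    return bytes([tag]) + _encode_len(len(content)) + content

def _int(v):
    # Two's-complement DER INTEGER; width chosen so the sign bit stays clear.
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out

# --- the check -------------------------------------------------------------

def outer_padata_types(as_req):
    """List padata-type values in the outer (unarmored) padata of an AS-REQ."""
    tag, kdc_req, _ = _read_tlv(as_req, 0)
    if tag != 0x6A:                     # [APPLICATION 10] AS-REQ
        raise ValueError("not an AS-REQ")
    tag, fields, _ = _read_tlv(kdc_req, 0)
    if tag != 0x30:                     # KDC-REQ ::= SEQUENCE
        raise ValueError("KDC-REQ is not a SEQUENCE")
    types = []
    for ftag, fval in _children(fields):
        if ftag != 0xA3:                # [3] padata SEQUENCE OF PA-DATA
            continue
        _, pa_seq, _ = _read_tlv(fval, 0)
        for _, pa_data in _children(pa_seq):
            for ptag, pval in _children(pa_data):
                if ptag == 0xA1:        # [1] padata-type Int32
                    _, raw, _ = _read_tlv(pval, 0)
                    types.append(int.from_bytes(raw, "big", signed=True))
    return types

def is_unarmored_encrypted_challenge(as_req):
    """True when the request matches the CVE-2021-36222 trigger description."""
    types = outer_padata_types(as_req)
    return PA_ENCRYPTED_CHALLENGE in types and PA_FX_FAST not in types

# --- constructed samples (assumed shapes, not captured traffic) -------------

def build_as_req(padata_types):
    """Constructed AS-REQ with the given outer padata types and a stub body."""
    pa_list = b"".join(
        _tlv(0x30, _tlv(0xA1, _int(t)) + _tlv(0xA2, _tlv(0x04, b"\x00" * 8)))
        for t in padata_types)
    fields = (_tlv(0xA1, _int(5))            # pvno
              + _tlv(0xA2, _int(10))         # msg-type AS-REQ
              + _tlv(0xA3, _tlv(0x30, pa_list))
              + _tlv(0xA4, _tlv(0x30, b"")))  # stub KDC-REQ-BODY, not a valid body
    return _tlv(0x6A, _tlv(0x30, fields))

SUSPECT_REQ = build_as_req([PA_ENCRYPTED_CHALLENGE])  # the CVE shape
FAST_REQ = build_as_req([PA_FX_FAST])                 # armored: challenge is inside
PLAIN_REQ = build_as_req([])                          # no preauth at all

if __name__ == "__main__":
    for name, req in (("suspect", SUSPECT_REQ), ("fast", FAST_REQ), ("plain", PLAIN_REQ)):
        print(name, outer_padata_types(req), is_unarmored_encrypted_challenge(req))
```

The check deliberately does not descend into the PA-FX-FAST value: the armored inner request is encrypted, and the condition that matters for this bug is an encrypted challenge arriving with no armor at all. Feeding real KDC traffic through `outer_padata_types` only needs the DER of the AS-REQ (the UDP payload, or the TCP payload after its 4-byte length prefix).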
Bug#991365: krb5: CVE-2021-36222
Hi Sam,

On Wed, Jul 21, 2021 at 10:01:23AM -0600, Sam Hartman wrote:
> control: severity -1 important
>
> Salvatore> The following vulnerability was published for krb5.
>
> Salvatore> CVE-2021-36222[0]:
> Salvatore> | sending a request containing a PA-ENCRYPTED-CHALLENGE padata element
> Salvatore> | without using FAST could result in null dereference in the KDC which
> Salvatore> | leads to DoS
>
> On a Debian system with systemd, the KDC will restart, significantly
> limiting the impact of this bug.

Ack thanks for giving the background.

> I'm going to argue for important, although if you want to push to
> serious, I won't fight it.

Don't worry I won't fight it as well. My reason for filing it as RC would
be mainly to have some further weight towards having the fix in time for
bullseye before the bullseye release.

> I'm busy with Family obligations scattered throughout the day, but
> it sounded like Benjamin Kaduk might be available to help.
> If not, I'll have some time and be back to general availability by
> Sunday.

Family has priority :).

In any case given the question was raised, my feeling is the following:
Try to get the fix in bullseye in time, via a targeted fix, ask release
team for an unblock.

Note here that when we file bugs in the BTS, the chosen severity is more
an indication how we feel the fix should land in the next stable release,
and might be completely orthogonal to a DSA or no-DSA decision (in fact
you file all possible cases, from important filed bugs warranting a DSA,
to RC severity bugs not warranting a DSA and asking to schedule fixes via
point releases).

About buster: Given the above we can fix via the upcoming point release
for buster, I guess that can be enough in this case. What would happen if
the unauthenticated user "hammers" with it the KDC which is then
continuously restarted, what would be the impact? Sorry for my ignorance.

Thanks for your prompt action!

Regards,
Salvatore
Bug#991365: krb5: CVE-2021-36222
> "Benjamin" == Benjamin Kaduk writes:

Benjamin> On Wed, Jul 21, 2021 at 10:01:23AM -0600, Sam Hartman wrote:
>> control: severity -1 important
>> Salvatore> The following vulnerability was published for krb5.
>> Salvatore> CVE-2021-36222[0]:
>> Salvatore> | sending a request containing a PA-ENCRYPTED-CHALLENGE padata element
>> Salvatore> | without using FAST could result in null dereference in the KDC which
>> Salvatore> | leads to DoS
>>
>> On a Debian system with systemd, the KDC will restart,
>> significantly limiting the impact of this bug. I'm going to
>> argue for important, although if you want to push to serious, I
>> won't fight it. I'm busy with Family obligations scattered
>> throughout the day, but it sounded like Benjamin Kaduk might
>> be available to help.

Benjamin> Yes, I have some time to help. Given that Salvatore filed
Benjamin> the report, I am assuming that this would qualify for a
Benjamin> security upload for stretch.

It looks like stretch has version 1.15, but buster is vulnerable, and I'd
assume you could coordinate with the security team for a buster security
upload.

Benjamin> However, the upstream commit
Benjamin> claims that only krb5 1.16 and later are affected, so I
Benjamin> will attempt to check whether stretch is actually
Benjamin> affected.

Benjamin> If I understand correctly given the current state of
Benjamin> buster freeze, I will need to upload the targeted fix to
Benjamin> sid and request an unblock (as opposed to being able to do
Benjamin> a security upload).

s^buster^bullseye and yes.
Bug#991365: krb5: CVE-2021-36222
On Wed, Jul 21, 2021 at 10:01:23AM -0600, Sam Hartman wrote:
> control: severity -1 important
>
> Salvatore> The following vulnerability was published for krb5.
>
> Salvatore> CVE-2021-36222[0]:
> Salvatore> | sending a request containing a PA-ENCRYPTED-CHALLENGE padata element
> Salvatore> | without using FAST could result in null dereference in the KDC which
> Salvatore> | leads to DoS
>
> On a Debian system with systemd, the KDC will restart, significantly
> limiting the impact of this bug.
> I'm going to argue for important, although if you want to push to
> serious, I won't fight it.
> I'm busy with Family obligations scattered throughout the day, but it
> sounded like Benjamin Kaduk might be available to help.

Yes, I have some time to help. Given that Salvatore filed the report, I am
assuming that this would qualify for a security upload for stretch.
However, the upstream commit claims that only krb5 1.16 and later are
affected, so I will attempt to check whether stretch is actually affected.

If I understand correctly given the current state of buster freeze, I will
need to upload the targeted fix to sid and request an unblock (as opposed
to being able to do a security upload).

-Ben
Bug#991365: krb5: CVE-2021-36222
control: severity -1 important

Salvatore> The following vulnerability was published for krb5.

Salvatore> CVE-2021-36222[0]:
Salvatore> | sending a request containing a PA-ENCRYPTED-CHALLENGE padata element
Salvatore> | without using FAST could result in null dereference in the KDC which
Salvatore> | leads to DoS

On a Debian system with systemd, the KDC will restart, significantly
limiting the impact of this bug.
I'm going to argue for important, although if you want to push to serious,
I won't fight it.
I'm busy with Family obligations scattered throughout the day, but it
sounded like Benjamin Kaduk might be available to help.
If not, I'll have some time and be back to general availability by Sunday.

--Sam
Bug#991365: krb5: CVE-2021-36222
Source: krb5
Version: 1.18.3-5
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for krb5.

CVE-2021-36222[0]:
| sending a request containing a PA-ENCRYPTED-CHALLENGE padata element
| without using FAST could result in null dereference in the KDC which
| leads to DoS

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-36222
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36222
[1] https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore