Bug#878144: marked as done (CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.1)
Your message dated Fri, 15 Dec 2017 03:05:33 +
with message-id
and subject line Bug#878144: fixed in heimdal 7.5.0+dfsg-1
has caused the Debian Bug report #878144,
regarding CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
878144: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878144
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: heimdal-kdc
Version: 7.1.0+dfsg-13+deb9u1 amd64
Severity: important

We are running heimdal-kdc 7.1.0+dfsg-13+deb9u1 amd64 shipped with Debian stretch for our Domain and have discovered several crashes in the past few months.

Investigation showed that dmesg contained several logs about segfaults:

[Fr Jun 23 12:07:17 2017] kdc[14596]: segfault at 18 ip 7f65c02ef5d0 sp 7ffd1d7f7298 error 4 in libasn1.so.8.0.0[7f65c0268000+a7000]
[Di Jun 27 21:37:26 2017] kdc[10087]: segfault at 18 ip 7f65c02ef5d0 sp 7ffd1d7f7298 error 4 in libasn1.so.8.0.0[7f65c0268000+a7000]
[Mo Jul 3 16:18:39 2017] kdc[2656]: segfault at 18 ip 7fa27ec105d0 sp 7ffedcb061f8 error 4 in libasn1.so.8.0.0[7fa27eb89000+a7000]
[So Jul 9 08:55:39 2017] kdc[6092]: segfault at 18 ip 7fa27ec105d0 sp 7ffedcb061f8 error 4 in libasn1.so.8.0.0[7fa27eb89000+a7000]
[Di Jul 11 13:06:14 2017] kdc[28993]: segfault at 18 ip 7fb9dccda5d0 sp 7ffc6e2ee648 error 4 in libasn1.so.8.0.0[7fb9dcc53000+a7000]
[Di Jul 11 23:39:40 2017] kdc[32211]: segfault at 18 ip 7fb9dccda5d0 sp 7ffc6e2ee648 error 4 in libasn1.so.8.0.0[7fb9dcc53000+a7000]
[Sa Jul 15 13:20:17 2017] kdc[6902]: segfault at 18 ip 7fb76d5ef5d0 sp 7ffc22a84078 error 4 in libasn1.so.8.0.0[7fb76d568000+a7000]
[Fr Jul 21 12:17:37 2017] kdc[9219]: segfault at 18 ip 7fdfcbf2b5d0 sp 7ffe9f295128 error 4 in libasn1.so.8.0.0[7fdfcbea4000+a7000]
[So Jul 23 21:10:59 2017] kdc[26977]: segfault at 18 ip 7fdfcbf2b5d0 sp 7ffe9f295128 error 4 in libasn1.so.8.0.0[7fdfcbea4000+a7000]
[So Aug 6 12:06:04 2017] kdc[26494]: segfault at 18 ip 7f342c8d35d0 sp 7fff8ae39088 error 4 in libasn1.so.8.0.0[7f342c84c000+a7000]
[Di Aug 15 15:21:41 2017] kdc[28412]: segfault at 18 ip 7f4780b605d0 sp 7ffd63250328 error 4 in libasn1.so.8.0.0[7f4780ad9000+a7000]
[Mi Aug 16 08:46:13 2017] kdc[5166]: segfault at 18 ip 7f4780b605d0 sp 7ffd63250328 error 4 in libasn1.so.8.0.0[7f4780ad9000+a7000]
[Di Aug 29 04:01:58 2017] kdc[5268]: segfault at 18 ip 7f31fdd065d0 sp 7ffd8392c748 error 4 in libasn1.so.8.0.0[7f31fdc7f000+a7000]
[Fr Sep 1 16:56:57 2017] kdc[13396]: segfault at 18 ip 7f31fdd065d0 sp 7ffd8392c748 error 4 in libasn1.so.8.0.0[7f31fdc7f000+a7000]
[Mo Sep 11 20:10:45 2017] kdc[16093]: segfault at 18 ip 7f8a096715d0 sp 7ffd48ba4b28 error 4 in libasn1.so.8.0.0[7f8a095ea000+a7000]
[Di Sep 12 13:46:17 2017] kdc[24683]: segfault at 18 ip 7f8a096715d0 sp 7ffd48ba4b28 error 4 in libasn1.so.8.0.0[7f8a095ea000+a7000]

The heimdal-kdc log gave us additional information:

lofar log # zgrep "AS-REQ malformed client name" heimdal-kdc.log*
heimdal-kdc.log:2017-09-11T20:10:46 AS-REQ malformed client name from IPv4:80.82.77.139
heimdal-kdc.log:2017-09-12T13:46:18 AS-REQ malformed client name from IPv4:185.100.87.246
heimdal-kdc.log.2.gz:2017-08-29T04:01:59 AS-REQ malformed client name from IPv4:71.6.135.131
heimdal-kdc.log.2.gz:2017-09-01T16:56:58 AS-REQ malformed client name from IPv4:34.208.25.133
heimdal-kdc.log.4.gz:2017-08-15T15:21:41 AS-REQ malformed client name from IPv4:96.126.127.61
heimdal-kdc.log.4.gz:2017-08-16T08:46:13 AS-REQ malformed client name from IPv4:71.6.158.166
heimdal-kdc.log.5.gz:2017-08-06T12:06:05 AS-REQ malformed client name from IPv4:71.6.167.142

The KDC was directly reachable over the Internet - those IPs do not belong to us but seemed to send packets crashing our master or our slave (we observed the same there).

While waiting to capture one of those packets and reproduce the issues, my colleague Thomas Kittel located the part of the code responsible for the crash:

* RIP in libasn1.so.0 (relative) 0x875d0.
* "der_length_visible_string@@HEIMDAL_ASN1_1.0"

   875d0:  48 8b 3f                 mov    rdi,QWORD PTR [rdi]
   875d3:  e9 e8 83 f9 ff           jmp    1f9c0
   875d8:  0f 1f 84 00 00 00 00     nop    DWORD PTR [rax+rax*1+0x0]
   875df:  00

* Source: https://github.com/heimdal/heimdal/blob/master/lib/asn1/der_length.c

size_t
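The triage described in the report, as an added example that is not part of the original bug report or of Heimdal: it subtracts the mapping base from the faulting `ip` in each kernel segfault line to get the ASLR-independent offset into the library (the report's 0x875d0), decodes the x86 page-fault error code, and pairs each crash with nearby `AS-REQ malformed client name` entries. The function names and the 5-second matching window are assumptions; the sample lines are copied from the report above.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the report above: kernel log, then zgrep output.
DMESG = """\
[Fr Jun 23 12:07:17 2017] kdc[14596]: segfault at 18 ip 7f65c02ef5d0 sp 7ffd1d7f7298 error 4 in libasn1.so.8.0.0[7f65c0268000+a7000]
[Mo Sep 11 20:10:45 2017] kdc[16093]: segfault at 18 ip 7f8a096715d0 sp 7ffd48ba4b28 error 4 in libasn1.so.8.0.0[7f8a095ea000+a7000]
[Di Sep 12 13:46:17 2017] kdc[24683]: segfault at 18 ip 7f8a096715d0 sp 7ffd48ba4b28 error 4 in libasn1.so.8.0.0[7f8a095ea000+a7000]
"""
KDC_LOG = """\
heimdal-kdc.log:2017-09-11T20:10:46 AS-REQ malformed client name from IPv4:80.82.77.139
heimdal-kdc.log:2017-09-12T13:46:18 AS-REQ malformed client name from IPv4:185.100.87.246
"""

SEGV = re.compile(
    r"\[\S+ (?P<ts>\w{3} +\d+ [\d:]+ \d{4})\] (?P<proc>\w+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>\d+) "
    r"in (?P<lib>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+[0-9a-f]+\]")
REQ = re.compile(r"(?P<ts>\d{4}-\d\d-\d\dT[\d:]+) AS-REQ malformed client name from (?P<src>\S+)")

def decode_error(code):
    """x86 page-fault error code: bit 0 = page was present, bit 1 = write, bit 2 = user mode."""
    return {"page_present": bool(code & 1), "write": bool(code & 2), "user": bool(code & 4)}

def parse_segfaults(text):
    """Yield one dict per crash, with the offset of the faulting ip inside the library."""
    for m in SEGV.finditer(text):
        # The weekday is left out of the match, so its locale (Fr, Di, ...) is irrelevant.
        # Assumption: month abbreviations are the English ones, as in the sample.
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
        yield {"time": when, "pid": int(m["pid"]), "lib": m["lib"],
               "fault_addr": int(m["addr"], 16),
               "offset": int(m["ip"], 16) - int(m["base"], 16),
               "access": decode_error(int(m["err"]))}

def correlate(dmesg, kdc_log, window=timedelta(seconds=5)):
    """Pair each crash with the sources of malformed AS-REQs logged within `window` of it."""
    reqs = [(datetime.fromisoformat(m["ts"]), m["src"]) for m in REQ.finditer(kdc_log)]
    return [(c, [src for t, src in reqs if abs(t - c["time"]) <= window])
            for c in parse_segfaults(dmesg)]

if __name__ == "__main__":
    for crash, sources in correlate(DMESG, KDC_LOG):
        print(crash["time"], crash["lib"], hex(crash["offset"]), sources or "no KDC log match")
```

An identical offset across processes with different mapping bases points at one instruction as the crash site, and `error 4` with fault address 0x18 is a user-mode read of an unmapped page just above NULL.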
Bug#878144: marked as done (CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.1)
Your message dated Sat, 09 Dec 2017 12:02:38 +
with message-id
and subject line Bug#878144: fixed in heimdal 7.1.0+dfsg-13+deb9u2
has caused the Debian Bug report #878144,
regarding CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.1
to be marked as done.