CVE-2017-15088
Published 2017-11-23
Priority P3 · 49 · critical · CVSS 3.1: 9.8 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 8.37% (94.3rd percentile)
plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.
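The following is an added example reconstructing the bug class described above; it is not krb5 source and does not reproduce the project's code paths. It models the contract the advisory attributes to X509_NAME_oneline_ex (copy the DN into the caller's buffer when it fits, otherwise report the required size back through the same size argument) and a get_matching_data-style caller that formats the subject and then the issuer into one fixed buffer. The reading that the overflow comes from reusing the size variable across the two calls, the DN_BUF_LEN value, and the helper and function names are assumptions; the sample DNs are constructed. The overrun is observed against a heap canary rather than a real stack frame so the program stays well-defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DN_BUF_LEN   64    /* assumed fixed buffer size in the caller (hypothetical) */
#define ARENA_SLACK  1024  /* canary region placed after the modelled buffer */
#define CANARY       0xA5

/* Constructed sample DNs (not from any real certificate). The CA's long
 * subject is, by construction, the user certificate's issuer. */
static const char SAMPLE_SUBJECT[] =
    "CN=alice,OU=Platform Engineering Identity Services Team,"
    "O=Example Corporation International Holdings,L=Springfield,ST=IL,C=US";
static const char SAMPLE_ISSUER[] =
    "CN=Example Corporation Internal PKINIT Issuing CA G2,"
    "OU=Corporate Public Key Infrastructure,O=Example Corporation,C=US";

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Model of an X509_NAME_oneline_ex-style helper (assumed contract): if the
 * caller says the buffer holds *size bytes and the DN fits, zero *size bytes
 * and copy the DN in; otherwise write nothing and report the needed size via
 * *size. It trusts *size completely, which is what the caller below gets wrong. */
static void dn_oneline(const char *dn, char *buf, unsigned int *size)
{
    unsigned int need = (unsigned int)strlen(dn) + 1;

    if (buf != NULL && *size >= need) {
        memset(buf, 0, *size);
        memcpy(buf, dn, need);
    } else {
        *size = need;
    }
}

/* Vulnerable caller: one fixed buffer and one size variable reused for the
 * subject and then the issuer. A subject that does not fit bumps bufsize to
 * the subject's length; the issuer call then trusts that inflated bufsize
 * against the same DN_BUF_LEN-byte buffer and writes past its end. The buffer
 * sits at the front of a heap arena whose tail is filled with a canary.
 * Returns 1 if the canary was clobbered, 0 if not, -1 on error. */
int vulnerable_get_matching_data(const char *subject, const char *issuer,
                                 char **subject_out, char **issuer_out)
{
    unsigned int bufsize = DN_BUF_LEN, k;
    unsigned char *arena;
    char *buf;
    int clobbered = 0;

    *subject_out = *issuer_out = NULL;
    /* keep the modelled overrun inside the arena */
    if (strlen(subject) >= DN_BUF_LEN + ARENA_SLACK ||
        strlen(issuer) >= DN_BUF_LEN + ARENA_SLACK)
        return -1;
    if ((arena = malloc(DN_BUF_LEN + ARENA_SLACK)) == NULL)
        return -1;
    buf = (char *)arena;
    memset(buf, 0, DN_BUF_LEN);
    memset(arena + DN_BUF_LEN, CANARY, ARENA_SLACK);

    dn_oneline(subject, buf, &bufsize);   /* may leave bufsize > DN_BUF_LEN */
    *subject_out = dup_str(buf);
    dn_oneline(issuer, buf, &bufsize);    /* BUG: bufsize was never reset */
    *issuer_out = dup_str(buf);

    for (k = 0; k < ARENA_SLACK; k++)
        if (arena[DN_BUF_LEN + k] != CANARY) { clobbered = 1; break; }
    free(arena);
    return clobbered;
}

/* Hardened form: ask the helper for the size, allocate exactly that, and
 * never carry a size variable from one DN to the next. */
static char *dn_oneline_alloc(const char *dn)
{
    unsigned int size = 0;
    char *out;

    dn_oneline(dn, NULL, &size);    /* first pass only reports the size */
    if ((out = malloc(size)) != NULL)
        dn_oneline(dn, out, &size); /* fits by construction */
    return out;
}

int fixed_get_matching_data(const char *subject, const char *issuer,
                            char **subject_out, char **issuer_out)
{
    *subject_out = dn_oneline_alloc(subject);
    *issuer_out = dn_oneline_alloc(issuer);
    if (*subject_out == NULL || *issuer_out == NULL) {
        free(*subject_out); free(*issuer_out);
        *subject_out = *issuer_out = NULL;
        return -1;
    }
    return 0;
}

/* Named results: the long DN pair clobbers the canary in the vulnerable
 * caller, short DNs do not, and the fixed caller returns both DNs intact. */
int demo_vulnerable_long(void)
{ char *s, *i; int r = vulnerable_get_matching_data(SAMPLE_SUBJECT, SAMPLE_ISSUER, &s, &i); free(s); free(i); return r; }
int demo_vulnerable_short(void)
{ char *s, *i; int r = vulnerable_get_matching_data("CN=bob,O=Example,C=US", "CN=Example CA,O=Example,C=US", &s, &i); free(s); free(i); return r; }
int demo_fixed_roundtrip(void)
{
    char *s, *i; int ok;
    if (fixed_get_matching_data(SAMPLE_SUBJECT, SAMPLE_ISSUER, &s, &i) != 0) return 0;
    ok = strcmp(s, SAMPLE_SUBJECT) == 0 && strcmp(i, SAMPLE_ISSUER) == 0;
    free(s); free(i);
    return ok;
}

int main(void)
{
    printf("vulnerable, long DNs:  canary clobbered = %d\n", demo_vulnerable_long());
    printf("vulnerable, short DNs: canary clobbered = %d\n", demo_vulnerable_short());
    printf("fixed, long DNs:       round-trip intact = %d\n", demo_fixed_roundtrip());
    return 0;
}
```

In this model the precondition the Red Hat note states (both the CA and the user certificate carry a long subject) falls out directly: a long subject with a short issuer only inflates the size variable and the issuer then fits in the real buffer, while a short subject leaves the size variable at DN_BUF_LEN and a long issuer is merely reported, not written. Only the combination writes an oversized DN through an oversized size into the fixed buffer.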
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < krb5 1.15.2-2 (bookworm) | krb5 1.15.2-2 (bookworm) |
| mit | kerberos_5 | <= 1.15.2 | — |
| mit | krb5 | >= 0 < 1.15.2-2 | 1.15.2-2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
GHSA-3jq7-j743-cxfp: plugins/preauth/pkinit/pkinit_crypto_openssl
ghsa_unreviewed · 2022-05-13 · CRITICAL · CWE-119
Description: same text as the NVD entry above.
OSV
CVE-2017-15088: plugins/preauth/pkinit/pkinit_crypto_openssl
osv · 2017-11-23 · CVSS 9.8 · CRITICAL
Description: same text as the NVD entry above.
Red Hat
krb5: Buffer overflow in get_matching_data()
vendor_redhat · 2017-10-25 · CVSS 9.8 · CRITICAL · CWE-121
Description: same text as the NVD entry above.
A stack-based buffer overflow was found in the get_matching_data() function when reading the principal's certificate during PKINIT preauthentication. If the Certificate Authority's subject line
Debian
CVE-2017-15088: krb5 - plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) thro...
vendor_debian · 2017 · CVSS 9.8 · CRITICAL
Description: same text as the NVD entry above.
Scope: local
bookworm: resolved (fixed in 1.15.2-2)
bullseye: resolved (fixed in 1.15.2-2)
forky: resolved (fixed in 1.15.2-2)
sid: resolved (fixed in 1.15.2-2)
trixie: resolved (fixed in 1.15.2-2)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-15088 krb5: Buffer overflow in get_matching_data() [fedora-all]
bugzilla · 2017-10-26 · CVSS 9.8 · CRITICAL
Use the following template for the 'fedpkg update' request to submit an
update for this issue, as it contains the top-level parent bug(s) as well as
this tracking bug. This will ensure that all associated bugs get updated
when new packages are pushed to stable.
# bugfix, security, enhancement, newpackage (required)
type=security
# testing, stable
request=testing
# Bug numbers: 1234,9876
bugs=1504045,1506622
# Description of your update
notes=Security fix for [PUT CVEs HERE]
# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3
# Automatically close bugs when this marked as stable
close_bugs=True
# Suggest that users restart after update
sug
Bugzilla
CVE-2017-15088 krb5: Buffer overflow in get_matching_data()
bugzilla · 2017-10-19 · CVSS 9.8 · CRITICAL
A buffer overflow vulnerability was found in the get_matching_data() function when both the CA cert and the user cert have a long subject, affecting krb5 builds that include the certauth plugin. The attack requires a validated certificate with a long subject and issuer, and a "pkinit_cert_match" string attribute on some principal in the database. A remote code execution exploit might also require that the attacker gets to choose the contents of the issuer in the validated cert.
Bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698
Discussion:
Created krb5 tracking bugs for this issue:
Affects: fedora-all [bug 1506622]
---
Upstream patch:
https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4
---
Statem
References:
- http://www.securityfocus.com/bid/101594
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698
- https://bugzilla.redhat.com/show_bug.cgi?id=1504045
- https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4
- https://github.com/krb5/krb5/pull/707