[Heimdal-announce] Heimdal 7.4 security release announcement.

Andrew Bartlett abartlet at samba.org
Wed Jul 12 09:41:14 CEST 2017


On Tue, 2017-07-11 at 14:34 -0400, Viktor.Dukhovni at twosigma.com wrote:
> Dear Heimdal Community,
> 
> A team consisting of staff from Two Sigma Open Source and AuriStor are
> pleased to announce the release of Heimdal 7.4.
> 
> The release download page is:
> 
>     https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0
> 
> The source tarball can be downloaded from:
> 
>     https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz
>     https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz.sig
> 
>     SHA256(heimdal-7.4.0.tar.gz)= 3de14ecd36ad21c1694a13da347512b047f4010d176fe412820664cb5d1429ad
>     SHA1(heimdal-7.4.0.tar.gz)= e496db36f8a232c3b1aa87a1e08f299b6f8f57a5
> 
> The signature key fingerprint is: E659 41B7 1CF3 C459 A34F  A89C 45E7 572A 28CD 8CC8
> 
> Changes in Heimdal 7.4:
> 
>  Security
> 
>  - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
> 
>    This is a critical vulnerability.
> 
>    In _krb5_extract_ticket() the KDC-REP service name must be obtained from
>    encrypted version stored in 'enc_part' instead of the unencrypted version
>    stored in 'ticket'.  Use of the unencrypted version provides an
>    opportunity for successful server impersonation and other attacks.
> 
>    Identified by Jeffrey Altman, Viktor Dukhovni and Nico Williams.
> 
>    See https://www.orpheus-lyre.info/ for more details.

Are there any tests for this yet?

I need to port this to a much older release of Samba, and while it
appears to cleanly apply, we have some custom code setting some of the
flags on:
    /*
     * HACK:
     * this is really an ugly hack, to support using the Netbios Domain Name
     * as realm against windows KDCs, they always return the full realm
     * based on the DNS Name.
     */
    flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
    flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;

I plan to write some tests in Samba's test framework, which allows
manipulation of the 'wire' packets via the send_to_kdc handler. 

Our bug for this is https://bugzilla.samba.org/show_bug.cgi?id=12894

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
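An added example, not Heimdal's or Samba's code, that models the service-name check described in the announcement as a small regression test: the pre-7.4 path compares the requested service against the unauthenticated 'ticket' name, the fixed path against the name from the decrypted 'enc_part'. The struct, the string-based principal names, the flag value and the way EXTRACT_TICKET_ALLOW_SERVER_MISMATCH short-circuits the check are all simplifying assumptions of this example.

```c
/* Model of the KDC-REP service-name check behind CVE-2017-11103.
 * Real Heimdal compares krb5_principal structures; plain strings suffice here. */
#include <stdio.h>
#include <string.h>

/* Name mirrors the Heimdal flag the Samba hack sets; the value is an assumption. */
#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH 0x1

struct kdc_rep {
    const char *ticket_sname;   /* from 'ticket': plaintext, can be altered on the wire */
    const char *enc_part_sname; /* from 'enc_part': decrypted with the client's key */
};

/* Pre-7.4 behaviour: validates against the unauthenticated plaintext name. */
int extract_ticket_vulnerable(const struct kdc_rep *rep, const char *requested, int flags)
{
    if (flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH)
        return 0;                       /* assumption: flag skips the check entirely */
    return strcmp(rep->ticket_sname, requested) == 0 ? 0 : -1;
}

/* 7.4 fix: only the integrity-protected name from enc_part is trusted. */
int extract_ticket_fixed(const struct kdc_rep *rep, const char *requested, int flags)
{
    if (flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH)
        return 0;                       /* same assumption as above */
    return strcmp(rep->enc_part_sname, requested) == 0 ? 0 : -1;
}

/* Constructed test vectors: a consistent reply and one whose plaintext name
 * matches the request while the encrypted name does not. */
#define REQUESTED "host/fileserver.example.com@EXAMPLE.COM"
static const struct kdc_rep consistent = { REQUESTED, REQUESTED };
static const struct kdc_rep tampered   = { REQUESTED, "host/other.example.com@EXAMPLE.COM" };

/* Returns 1 when the fixed check rejects the tampered reply that the old one accepted. */
int fix_closes_the_gap(void)
{
    return extract_ticket_vulnerable(&tampered, REQUESTED, 0) == 0 &&
           extract_ticket_fixed(&tampered, REQUESTED, 0) == -1 &&
           extract_ticket_fixed(&consistent, REQUESTED, 0) == 0;
}

int main(void)
{
    printf("fix rejects tampered reply: %s\n", fix_closes_the_gap() ? "yes" : "no");
    return fix_closes_the_gap() ? 0 : 1;
}
```

Note that with EXTRACT_TICKET_ALLOW_SERVER_MISMATCH set, as in the Samba hack, this model skips the comparison in both variants, which is exactly the interaction the question above is asking about.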
