CVE CyberSecurity Database News

CVE-2024-26461 - Understanding the Kerberos 5 (krb5) 1.21.2 Memory Leak Vulnerability in k5sealv3.c

Poster -

In March 2024, a new vulnerability (CVE-2024-26461) was identified in the popular authentication protocol, Kerberos 5 (krb5), specifically affecting version 1.21.2. This security flaw, discovered in the k5sealv3.c source file of the krb5 library, is a memory leak issue that could pose risks in high-load or long-running environments. In this post, we break down what this means, show you the problematic code, describe possible exploits, and guide you to the most relevant technical resources.

What is CVE-2024-26461?

CVE-2024-26461 is a memory leak vulnerability found in the MIT Kerberos 5 (krb5) implementation. The bug resides in the k5sealv3.c file inside the krb5 GSSAPI library. Under certain conditions, calling the GSSAPI wrap functions may fail to free allocated memory, leading to a slow but repeatable memory leak.

What is a memory leak?

A memory leak happens when a program allocates memory to use, but then fails to get rid of it when it's no longer needed. Over time, this "lost" memory accumulates, which cripples performance or causes a process to run out of memory and crash.

Mit Kerberos 5: Version 1.21.2 (and possibly earlier versions)

- Systems: Any application or service using krb5's GSSAPI implementation under heavy or repeated authentication load. This includes Linux servers, Active Directory integrations, and more.
- Impact: Attackers or even regular users could trigger the leak by repeatedly calling the affected GSSAPI functions. In large-scale deployments, this may lead to service disruption or unexpected reboots.

Details: Where is the Bug?

The problem is in the krb5 library's GSSAPI v3 sealing mechanism, housed in this file:
/krb5/src/lib/gssapi/krb5/k5sealv3.c

Within this file, one of the functions does not correctly release memory after certain failure conditions.

Vulnerable Code Snippet

Below is a simplified example resembling the kind of leak that occurs (for illustration; actual lines may differ):

OM_uint32 k5sealv3_wrap(
    OM_uint32 *minor_status,
    gss_ctx_id_t context_handle,
    // ... other params ...
) {
    unsigned char *buffer = NULL;
    OM_uint32 ret;
    
    buffer = malloc(BUFFER_SIZE);
    if (buffer == NULL) {
        *minor_status = ENOMEM;
        return GSS_S_FAILURE;
    }
    
    ret = perform_encryption(context_handle, buffer, ...);
    if (ret != ) {
        // Oops! Missing free(buffer) here
        *minor_status = ret;
        return GSS_S_FAILURE;
    }
    
    // ... success path ...
    free(buffer);
    return GSS_S_COMPLETE;
}

Problem:
If perform_encryption() fails, the code returns early without freeing the allocated buffer, causing a memory leak.

How Can It Be Exploited?

This memory leak isn't a traditional 'remote code execution' or 'privilege escalation' bug. But, it can be exploited for denial-of-service (DoS):

- Any process (or user) allowed to call the GSSAPI wrap (seal) function could repeat the operation with intentionally bad parameters.

Each failure allocates a bit of memory and never frees it.

- Over thousands or millions of calls, the process will gobble up all its available memory, potentially crashing the server or application.

Here’s an abstracted exploit outline in C

for (int i = ; i < 100000; ++i) {
    OM_uint32 minor;
    gss_buffer_desc input = {}; // Empty/bad buffer triggers error
    gss_buffer_desc output = {};

    // Call the vulnerable wrap function
    OM_uint32 ret = gss_wrap(&minor, ctx, , , &input, , &output);
    
    // leak occurs on failure, no matter what the user does with output
}

Run this in a loop and watch the process's memory usage climb.

- CVE Record for CVE-2024-26461
- MIT krb5 Official Site
- krb5 commit fixing the leak (GitHub reference)
- GSSAPI API Documentation

Isolation: If possible, restrict access to GSSAPI functions from untrusted users or processes.

- Apply Defense-in-Depth: Use OS-level resource limits (e.g., Linux ulimit) to mitigate unlimited leaks.

Conclusion

CVE-2024-26461 highlights how even small programming errors like missed free() calls can pose serious threats in critical software like Kerberos. If your infrastructure relies on krb5, patch now and monitor your systems for abnormal memory consumption.

References

- CVE-2024-26461 — National Vulnerability Database
- krb5 GitHub Patch Commit
- Kerberos Documentation

Timeline

Published on: 02/29/2024 01:44:18 UTC
Last modified on: 08/14/2024 16:35:10 UTC