VYPR
Critical severity 9.8 · NVD Advisory · Published Sep 13, 2017 · Updated May 13, 2026

CVE-2017-11462

Description

Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double-free vulnerability in MIT Kerberos 5's GSS-API context handling could allow a remote attacker to cause a crash or potentially execute arbitrary code.

Vulnerability

A double-free vulnerability exists in MIT Kerberos 5 (krb5) versions that predate commit 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf. The flaw resides in the GSS-API functions gss_init_sec_context() and gss_accept_sec_context(). When the internal security context handle (union_ctx_id->internal_ctx_id) is set to GSS_C_NO_CONTEXT, the code path could free the union context structure and later use or free it again, leading to a double-free condition [1][3]. This occurs specifically during automatic deletion of security contexts on error, as described in the CVE description.

Exploitation

An attacker does not need prior authentication to trigger the vulnerability. By sending specially crafted GSS-API messages that cause a failure during context initialization or acceptance, the vulnerable code path can be hit [3]. The attacker must be able to establish a network connection to a service using krb5's GSS-API, such as a Kerberized application server. The bug is triggered when the internal context is GSS_C_NO_CONTEXT and the error handling frees the union context, but the context handle may still be used later [1].

Impact

The double-free can lead to memory corruption. While initial analysis suggests the impact is limited to a denial-of-service (crash) in most scenarios [3], in principle an attacker could leverage the memory corruption for arbitrary code execution. The CVSS score of 9.8 (Critical) indicates the potential for full compromise without authentication or user interaction.

Mitigation

The fix was committed to the krb5 repository on 2017-09-13 (commit 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf) [1]. This commit ensures that on failure, the union context is preserved for the caller to delete, preventing the double-free. Users should update to krb5 versions including this commit or later. Red Hat tracked this issue (bug 1488873) and offered fixes for Fedora [3]. No workaround is available other than applying the patch or disabling affected services.
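
The ownership rule behind the fix, shown as an added example that is not krb5 source code and not part of the advisory. It is a simplified C model: every name (`union_ctx`, `release_ctx`, the two `step_*` functions, `run_caller`) is hypothetical, and releases are counted rather than passed to `free()` so the flaw can be observed safely.

```c
#include <stdio.h>

/* Simplified model, NOT krb5 source: all names here are hypothetical. */
struct union_ctx {
    int has_mech_ctx;  /* 0 models internal_ctx_id == GSS_C_NO_CONTEXT */
    int releases;      /* times the wrapper was released; >1 = double free */
};

/* Counts releases instead of calling free(), so the double release is
 * visible without undefined behaviour. */
static void release_ctx(struct union_ctx *c)
{
    c->has_mech_ctx = 0;
    c->releases++;
}

/* Pre-fix pattern: on error the callee finds no mechanism context left
 * and releases the union wrapper itself. */
static int step_deletes_on_error(struct union_ctx *c, int mech_fails)
{
    if (!mech_fails) return 0;
    c->has_mech_ctx = 0;   /* mechanism dropped its context on error */
    release_ctx(c);        /* wrapper released by the callee */
    return -1;
}

/* Post-fix pattern as the advisory describes it: the wrapper is kept
 * on failure and left for the caller to delete. */
static int step_preserves_on_error(struct union_ctx *c, int mech_fails)
{
    if (!mech_fails) return 0;
    c->has_mech_ctx = 0;
    return -1;
}

/* Caller that cleans up after any failed step; returns release count. */
static int run_caller(int (*step)(struct union_ctx *, int), int mech_fails)
{
    struct union_ctx c = { 1, 0 };
    if (step(&c, mech_fails) != 0)
        release_ctx(&c);   /* caller deletes the handle it still holds */
    return c.releases;
}

int main(void)
{
    printf("pre-fix:  %d release(s)\n", run_caller(step_deletes_on_error, 1));
    printf("post-fix: %d release(s)\n", run_caller(step_preserves_on_error, 1));
    return 0;
}
```

A release count of 2 in the pre-fix path corresponds to the double free; with the wrapper preserved on failure, the caller's cleanup is the only release.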

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

13

References

4
