what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MIT krb5 Security Advisory 2009-003

MIT krb5 Security Advisory 2009-003
Posted Dec 30, 2009
Site web.mit.edu

MIT krb5 Security Advisory 2009-003 - A null pointer dereference can occur in an error condition in the KDC cross-realm referral processing code in MIT krb5-1.7. This can cause the KDC to crash. This is an implementation vulnerability in MIT krb5, and is not a vulnerability in the Kerberos protocol.

tags | advisory, protocol
advisories | CVE-2009-3295
SHA-256 | 492697d164ff8839715b475976bfa5ce3d9f4e7467ed101685ba6316dbd549a1

MIT krb5 Security Advisory 2009-003

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2009-003

MIT krb5 Security Advisory 2009-003
Original release: 2009-12-28
Last update: 2009-12-28

Topic: KDC denial of service in cross-realm referral processing

CVE-2009-3295
KDC denial of service in cross-realm referral processing

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 7.8

Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

CVSSv2 Temporal Score: 6.1

Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY
=======

A null pointer dereference can occur in an error condition in the KDC
cross-realm referral processing code in MIT krb5-1.7. This can cause
the KDC to crash.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.

IMPACT
======

An unauthenticated remote attacker could cause the KDC to crash due to
a null pointer dereference. Legitimate requests can also cause this
crash to occur.

AFFECTED SOFTWARE
=================

* MIT krb5 release krb5-1.7. Earlier releases did not contain the
functionality implemented by the vulnerable code.

FIXES
=====

* Upgrade: The upcoming krb5-1.7.1 release will contain a fix for this
vulnerability.

* Workaround: Disable the realm referral capability by using the
"no_host_referral = *" setting, e.g.

[kdcdefaults]
no_host_referral = *

or

[realms]
EXAMPLE.COM = {
# ... other configuration settings ...
no_host_referral = *
}

* Apply the patch:

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 298e132..12180ff 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
free(temp_buf);
if (retval) {
/* no match found */
- - kdc_err(kdc_context, retval, 0);
+ kdc_err(kdc_context, retval, "unable to find realm of host");
goto cleanup;
}
if (realms == 0) {
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index efff818..ef3735a 100644
- --- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list
char *cp;
char *syslogp;

+ if (whoami == NULL || format == NULL)
+ return;
+
/* Make the header */
snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
/*

This patch is also available at

http://web.mit.edu/kerberos/advisories/2009-003-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2009-003-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2009-3295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3295

ACKNOWLEDGMENTS
===============

This issue was independently discovered by Jeff Blaine, Radoslav Bodo,
Jakob Haufe, and Jorgen Wahlsten.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

A null pointer dereference exists in new functionality added in
krb5-1.7. This new functionality produces cross-realm referrals when
a client requests a ticket for a host-based service principal name.
Under certain error conditions, the function prep_reprocess_req() in
do_tgs_req.c calls the kdc_err() function with a null pointer as the
format string, which other code proceeds to dereference, causing a
crash on most platforms.

REVISION HISTORY
================

2009-12-28 original release

Copyright (C) 2009 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAks4/nkACgkQSO8fWy4vZo4UXQCg9S3XiGnhe7RQJLVOVzHXMw7P
voUAoOIuyQQOuEBbUIlPbv61cfx7XTtc
=C/Nd
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close