exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MIT krb5 Security Advisory 2010-001

MIT krb5 Security Advisory 2010-001
Posted Feb 16, 2010
Site web.mit.edu

MIT krb5 Security Advisory 2010-001 - Improper input validation in the KDC can cause an assertion failure and process termination. A functional exploit exists, but is not known to be publicly circulated. Releases prior to krb5-1.7 did not contain the vulnerable code. This is an implementation vulnerability in MIT krb5, and is not a vulnerability in the Kerberos protocol.

tags | advisory, protocol
advisories | CVE-2010-0283
SHA-256 | b1bd884f089b3170c3a079bd0375feef10cfbc74b302004b3d4841a87c15c4b9

MIT krb5 Security Advisory 2010-001

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2010-001

MIT krb5 Security Advisory 2010-001
Original release: 2010-02-16
Last update: 2010-02-16

Topic: krb5-1.7 KDC denial of service

CVE-2010-0283
krb5-1.7 KDC denial of service

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C

CVSSv2 Base Score: 7.8

Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

CVSSv2 Temporal Score: 6.4

Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY
=======

Improper input validation in the KDC can cause an assertion failure
and process termination. A functional exploit exists, but is not
known to be publicly circulated. Releases prior to krb5-1.7 did not
contain the vulnerable code.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.

IMPACT
======

An unauthenticated remote attacker can send an invalid request to a
KDC process that will cause it to crash due to an assertion failure,
creating a denial of service.

AFFECTED SOFTWARE
=================

* KDC in MIT krb5-1.7 and later

* Prerelease (alpha test) code for krb5-1.8 is also vulnerable.

FIXES
=====

* The upcoming krb5-1.7.2 release will contain a fix for this
vulnerability.

* The final krb5-1.8 release will contain a fix for this
vulnerability.

* For the krb5-1.7 and krb5-1.7.1 releases, apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 52fbda5..680e6a1 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
session_key.contents = 0;
enc_tkt_reply.authorization_data = NULL;

+ if (request->msg_type != KRB5_AS_REQ) {
+ status = "msg_type mismatch";
+ errcode = KRB5_BADMSGTYPE;
+ goto errout;
+ }
errcode = kdc_make_rstate(&state);
if (errcode != 0) {
status = "constructing state";
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 12180ff..c8cf692 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
+ if (request->msg_type != KRB5_TGS_REQ)
+ return KRB5_BADMSGTYPE;

/*
* setup_server_realm() sets up the global realm-specific data pointer.
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index d88e0cb..2639047 100644
- --- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error
krb5_data *encoded_e_data = NULL;

memset(outer_pa, 0, sizeof(outer_pa));
- - if (!state->armor_key)
+ if (!state || !state->armor_key)
return 0;
fx_error = *err;
fx_error.e_data.data = NULL;



This patch is also available at

http://web.mit.edu/kerberos/advisories/2010-001-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2010-001-patch.txt.asc


* The above patch will apply to krb5-1.8 prerelease code if whitespace
is ignored.

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-0283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0283

ACKNOWLEDGMENTS
===============

Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and
reporting this vulnerability.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

In new code introduced in the KDC for the krb5-1.7 release, code that
handles authorization data (handle_tgt_authdata()) contains a call to
assert() that ensures that the function arguments are consistent with
value of the msg_type field of the request that it is processing.
This assertion can fail because the msg_type can be inconsistent with
the ASN.1 tag that previously-executed code used to choose whether to
process the request as a request for initial tickets (AS-REQ) or as a
request for additional tickets (TGS-REQ).

REVISION HISTORY
================

2010-02-16 original release

Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAkt66lcACgkQSO8fWy4vZo7I0ACfasGx8aeoSggpGZ+pT9rbcKSj
QJIAoNPvn30+XmGb5Q7nXaAy0jiLIftg
=yYBl
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close