exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MIT krb5 Security Advisory 2011-001

MIT krb5 Security Advisory 2011-001
Posted Feb 8, 2011
Site web.mit.edu

MIT krb5 Security Advisory 2011-001 - The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial-of-service attack triggered by invalid network input. If a kpropd worker process receives invalid input that causes it to exit with an abnormal status, it can cause the termination of the listening process that spawned it, preventing the slave KDC it was running on from receiving database updates from the master KDC.

tags | advisory
advisories | CVE-2010-4022
SHA-256 | 7cf25f2ff026501a57cf8c31911a2fe6b46fe68de815df7baaf8ae13556ff833

MIT krb5 Security Advisory 2011-001

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-001

MIT krb5 Security Advisory 2011-001
Original release: 2011-02-08
Last update: 2011-02-08

Topic: kpropd denial of service

CVE-2010-4022

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:OF/RC:C

CVSSv2 Base Score: 5

Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial

CVSSv2 Temporal Score: 4.4

Exploitability: High
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY
=======

The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to
a denial-of-service attack triggered by invalid network input. If a
kpropd worker process receives invalid input that causes it to exit
with an abnormal status, it can cause the termination of the listening
process that spawned it, preventing the slave KDC it was running on
from receiving database updates from the master KDC.

Exploit code is not known to exist, but the vulnerability is easy to
trigger manually.

IMPACT
======

An unauthenticated remote attacker can cause kpropd running in
standalone mode (the "-S" option) to terminate its listening process,
preventing database propagations to the KDC host on which it was
running. Configurations where kpropd runs in incremental propagation
mode ("iprop") or as an inetd server are not affected.

AFFECTED SOFTWARE
=================

kpropd in releases krb5-1.7 and later are vulnerable. Earlier
releases did not contain the incremental propagation implementation
that inadvertently introduced this problem.

FIXES
=====

* Workaround: if incremental propagation is not configured, run kpropd
as an inetd service.

* Future patch releases for 1.7, 1.8, and 1.9 will contain a fix.

* Apply the patch:

diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c
- --- krb5/src/slave/kpropd.c 2010-12-17 11:14:26.000000000 -0500
+++ krb5/src/slave/kpropd.c 2010-12-17 11:41:19.000000000 -0500
@@ -404,11 +404,11 @@ retry:
}

close(s);
- - if (iproprole == IPROP_SLAVE)
+ if (iproprole == IPROP_SLAVE) {
close(finet);
- -
- - if ((ret = WEXITSTATUS(status)) != 0)
- - return (ret);
+ if ((ret = WEXITSTATUS(status)) != 0)
+ return (ret);
+ }
}
if (iproprole == IPROP_SLAVE)
break;

This patch is also available at

http://web.mit.edu/kerberos/advisories/2011-001-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2011-001-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4022

ACKNOWLEDGMENTS
===============

This issue was discovered by Keiichi Mori of Red Hat.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

As a result of the changes implementing incremental propagation, the
do_standalone() function in kpropd.c gained a flaw in child process
handling. The do_iprop() function, which implements the bulk of the
incremental propagation capability, may need to receive a full
database dump from the master KDC, and calls do_standalone() with an
iprop_role argument of IPROP_SLAVE to partially emulate the behavior
of an ordinary (non-incremental) kpropd. Unlike in earlier versions
of kpropd, do_standalone() returns the child's exit status (and thus
ceases accepting connections) if the worker process child exits
abnormally, rather than ignoring it. The correct behavior when
receiving an abnormal exit status from the child process would be to
return from do_standalone() only when invoked from do_iprop().

REVISION HISTORY
================

2011-02-08 original release

Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk1RlE4ACgkQSO8fWy4vZo6MkACghLz1l0/+aO4hs2iQwlCZBjeR
v7EAoNHYLVApbjrLTEKNsHLXXAjTIfWb
=2W7G
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close