|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 6889 CVE : CVE-2009-3295 CWE : CWE-119 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Available : No Credit : Jeff Blaine, Radoslav Bodo, Jakob Haufe, and Jorgen Wahlsten Published : 30.12.2009
Advisory Content : -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2009-003 MIT krb5 Security Advisory 2009-003 Original release: 2009-12-28 Last update: 2009-12-28 Topic: KDC denial of service in cross-realm referral processing CVE-2009-3295 KDC denial of service in cross-realm referral processing CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 7.8 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 6.1 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= A null pointer dereference can occur in an error condition in the KDC cross-realm referral processing code in MIT krb5-1.7. This can cause the KDC to crash. This is an implementation vulnerability in MIT krb5, and is not a vulnerability in the Kerberos protocol. IMPACT ====== An unauthenticated remote attacker could cause the KDC to crash due to a null pointer dereference. Legitimate requests can also cause this crash to occur. AFFECTED SOFTWARE ================= * MIT krb5 release krb5-1.7. Earlier releases did not contain the functionality implemented by the vulnerable code. FIXES ===== * Upgrade: The upcoming krb5-1.7.1 release will contain a fix for this vulnerability. * Workaround: Disable the realm referral capability by using the "no_host_referral = *" setting, e.g. [kdcdefaults] no_host_referral = * or [realms] EXAMPLE.COM = { # ... other configuration settings ... no_host_referral = * } * Apply the patch: diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 298e132..12180ff 100644 - --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) free(temp_buf); if (retval) { /* no match found */ - - kdc_err(kdc_context, retval, 0); + kdc_err(kdc_context, retval, "unable to find realm of host"); goto cleanup; } if (realms == 0) { diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c index efff818..ef3735a 100644 - --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c @@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list char *cp; char *syslogp; + if (whoami == NULL || format == NULL) + return; + /* Make the header */ snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); /* This patch is also available at http://web.mit.edu/kerberos/advisories/2009-003-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2009-003-patch.txt.asc REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: CVE-2009-3295 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3295 ACKNOWLEDGMENTS =============== This issue was independently discovered by Jeff Blaine, Radoslav Bodo, Jakob Haufe, and Jorgen Wahlsten. CONTACT ======= The MIT Kerberos Team security contact address is <krbcore-security (at) mit (dot) edu [email concealed]>. When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/D9058C24 2009-01-26 [expires: 2010-02-01] uid MIT Kerberos Team Security Contact <krbcore-security (at) mit (dot) edu [email concealed]> DETAILS ======= A null pointer dereference exists in new functionality added in krb5-1.7. This new functionality produces cross-realm referrals when a client requests a ticket for a host-based service principal name. Under certain error conditions, the function prep_reprocess_req() in do_tgs_req.c calls the kdc_err() function with a null pointer as the format string, which other code proceeds to dereference, causing a crash on most platforms. REVISION HISTORY ================ 2009-12-28 original release Copyright (C) 2009 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS) iEYEARECAAYFAks4/nkACgkQSO8fWy4vZo4UXQCg9S3XiGnhe7RQJLVOVzHXMw7P voUAoOIuyQQOuEBbUIlPbv61cfx7XTtc =C/Nd -----END PGP SIGNATURE----- References : http://www.vupen.com/english/advisories/2009/3652
http://www.securityfocus.com/bid/37486
http://www.securityfocus.com/archive/1/archive/1/508622/100/0/threaded
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt
http://securitytracker.com/id?1023392
http://secunia.com/advisories/37977  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |