krb5-1.7 KDC denial of service

Advisory Content :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2010-001

MIT krb5 Security Advisory 2010-001
Original release: 2010-02-16
Last update: 2010-02-16

Topic: krb5-1.7 KDC denial of service

CVE-2010-0283
krb5-1.7 KDC denial of service

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C

CVSSv2 Base Score: 7.8

Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

CVSSv2 Temporal Score: 6.4

Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY
=======

Improper input validation in the KDC can cause an assertion failure
and process termination. A functional exploit exists, but is not
known to be publicly circulated. Releases prior to krb5-1.7 did not
contain the vulnerable code.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.

IMPACT
======

An unauthenticated remote attacker can send an invalid request to a
KDC process that will cause it to crash due to an assertion failure,
creating a denial of service.

AFFECTED SOFTWARE
=================

* KDC in MIT krb5-1.7 and later

* Prerelease (alpha test) code for krb5-1.8 is also vulnerable.

FIXES
=====

* The upcoming krb5-1.7.2 release will contain a fix for this
vulnerability.

* The final krb5-1.8 release will contain a fix for this
vulnerability.

* For the krb5-1.7 and krb5-1.7.1 releases, apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 52fbda5..680e6a1 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data
*req_pkt,
session_key.contents = 0;
enc_tkt_reply.authorization_data = NULL;

+ if (request->msg_type != KRB5_AS_REQ) {
+ status = "msg_type mismatch";
+ errcode = KRB5_BADMSGTYPE;
+ goto errout;
+ }
errcode = kdc_make_rstate(&state);
if (errcode != 0) {
status = "constructing state";
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 12180ff..c8cf692 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr
*from,
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
+ if (request->msg_type != KRB5_TGS_REQ)
+ return KRB5_BADMSGTYPE;

/*
* setup_server_realm() sets up the global realm-specific data
pointer.
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index d88e0cb..2639047 100644
- --- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error
krb5_data *encoded_e_data = NULL;

memset(outer_pa, 0, sizeof(outer_pa));
- - if (!state->armor_key)
+ if (!state || !state->armor_key)
return 0;
fx_error = *err;
fx_error.e_data.data = NULL;

This patch is also available at

http://web.mit.edu/kerberos/advisories/2010-001-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2010-001-patch.txt.asc

* The above patch will apply to krb5-1.8 prerelease code if whitespace
is ignored.

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-0283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0283

ACKNOWLEDGMENTS
===============

Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and
reporting this vulnerability.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security (at) mit (dot) edu [email concealed]>. When sending
sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security (at) mit (dot)
edu [email concealed]>

DETAILS
=======

In new code introduced in the KDC for the krb5-1.7 release, code that
handles authorization data (handle_tgt_authdata()) contains a call to
assert() that ensures that the function arguments are consistent with
value of the msg_type field of the request that it is processing.
This assertion can fail because the msg_type can be inconsistent with
the ASN.1 tag that previously-executed code used to choose whether to
process the request as a request for initial tickets (AS-REQ) or as a
request for additional tickets (TGS-REQ).

REVISION HISTORY
================

2010-02-16 original release

Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAkt66lcACgkQSO8fWy4vZo7I0ACfasGx8aeoSggpGZ+pT9rbcKSj
QJIAoNPvn30+XmGb5Q7nXaAy0jiLIftg
=yYBl
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason