-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2010-001
MIT krb5 Security Advisory 2010-001
Original release: 2010-02-16
Last update: 2010-02-16
Topic: krb5-1.7 KDC denial of service
CVE-2010-0283
krb5-1.7 KDC denial of service
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C
CVSSv2 Base Score: 7.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 6.4
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
Improper input validation in the KDC can cause an assertion failure
and process termination. A functional exploit exists, but is not
known to be publicly circulated. Releases prior to krb5-1.7 did not
contain the vulnerable code.
This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.
An unauthenticated remote attacker can send an invalid request to a
KDC process that will cause it to crash due to an assertion failure,
creating a denial of service.
KDC in MIT krb5-1.7 and later
Prerelease (alpha test) code for krb5-1.8 is also vulnerable.
The upcoming krb5-1.7.2 release will contain a fix for this
vulnerability.
The final krb5-1.8 release will contain a fix for this
vulnerability.
For the krb5-1.7 and krb5-1.7.1 releases, apply the following patch:
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 52fbda5…680e6a1 100644
status = "msg_type mismatch";
errcode = KRB5_BADMSGTYPE;
goto errout;
if (request->msg_type != KRB5_TGS_REQ)
return KRB5_BADMSGTYPE;
/*
* setup_server_realm() sets up the global realm-specific data pointer.
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index d88e0cb…2639047 100644
— a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error
krb5_data *encoded_e_data = NULL;
memset(outer_pa, 0, sizeof(outer_pa));
This patch is also available at
http://web.mit.edu/kerberos/advisories/2010-001-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2010-001-patch.txt.asc
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2010-0283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0283
Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and
reporting this vulnerability.
The MIT Kerberos Team security contact address is
<[email protected]>. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact <[email protected]>
In new code introduced in the KDC for the krb5-1.7 release, code that
handles authorization data (handle_tgt_authdata()) contains a call to
assert() that ensures that the function arguments are consistent with
value of the msg_type field of the request that it is processing.
This assertion can fail because the msg_type can be inconsistent with
the ASN.1 tag that previously-executed code used to choose whether to
process the request as a request for initial tickets (AS-REQ) or as a
request for additional tickets (TGS-REQ).
2010-02-16 original release
Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
iEYEARECAAYFAkt66lcACgkQSO8fWy4vZo7I0ACfasGx8aeoSggpGZ+pT9rbcKSj
QJIAoNPvn30+XmGb5Q7nXaAy0jiLIftg
=yYBl
-----END PGP SIGNATURE-----