|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2010-005
MIT krb5 Security Advisory 2010-005
Original release: 2010-05-18
Topic: GSS-API library null pointer dereference
CVE-2010-1321
CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 6.8
Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 5.3
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
SUMMARY
======
Certain invalid GSS-API tokens can cause a GSS-API acceptor (server)
to crash due to a null pointer dereference in the GSS-API library.
This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.
IMPACT
=====
An authenticated remote attacker can cause a GSS-API application
server (including the Kerberos administration daemon kadmind) to crash
by sending a malformed GSS-API token that induces a null pointer
dereference.
AFFECTED SOFTWARE
================
* kadmind and other GSS-API server applications in all known releases
of MIT krb5, up to and including krb5-1.8.1
* third-party GSS-API server applications that link link against the
GSS-API library in all known releases of MIT krb5, up to and
including krb5-1.8.1
* Independent implementations of the krb5 GSS-API mechanism may be
vulnerable, as the underlying bug is based on plausible (but
invalid) assumptions about the Kerberos protocol.
FIXES
====
* The upcoming krb5-1.8.2 release and an upcoming krb5-1.7 series
release will contain a fix for this vulnerability.
* Apply the following patch. The patch was generated against
krb5-1.8.1, but should also apply to krb5-1.7 series releases.
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index ce3075f..6241055 100644
- --- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -607,6 +607,13 @@ kg_accept_krb5(minor_status, context_handle,
}
#endif
+ if (authdat->checksum == NULL) {
+ /* missing checksum counts as "inappropriate type" */
+ code = KRB5KRB_AP_ERR_INAPP_CKSUM;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
/* Samba does not send 0x8003 GSS-API checksums */
krb5_boolean valid;
This patch is also available at
http://web.mit.edu/kerberos/advisories/2010-005-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2010-005-patch.txt.asc
For the krb5-1.6 release:
http://web.mit.edu/kerberos/advisories/2010-005-patch_r16.txt
PGP-signed patch for krb5-1.6:
http://web.mit.edu/kerberos/advisories/2010-005-patch_r16.txt.asc
Earlier releases may require minor porting.
REFERENCES
=========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2010-1321
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321
ACKNOWLEDGMENTS
==============
Thanks to Shawn Emery (Oracle) for reporting this vulnerability.
CONTACT
======
The MIT Kerberos Team security contact address is