|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2009-003
MIT krb5 Security Advisory 2009-003
Original release: 2009-12-28
Last update: 2009-12-28
Topic: KDC denial of service in cross-realm referral processing
CVE-2009-3295
KDC denial of service in cross-realm referral processing
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 6.1
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
SUMMARY
======
A null pointer dereference can occur in an error condition in the KDC
cross-realm referral processing code in MIT krb5-1.7. This can cause
the KDC to crash.
This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.
IMPACT
=====
An unauthenticated remote attacker could cause the KDC to crash due to
a null pointer dereference. Legitimate requests can also cause this
crash to occur.
AFFECTED SOFTWARE
================
* MIT krb5 release krb5-1.7. Earlier releases did not contain the
functionality implemented by the vulnerable code.
FIXES
====
* Upgrade: The upcoming krb5-1.7.1 release will contain a fix for this
vulnerability.
* Workaround: Disable the realm referral capability by using the
"no_host_referral = *" setting, e.g.
[kdcdefaults]
no_host_referral = *
or
[realms]
EXAMPLE.COM = {
# ... other configuration settings ...
no_host_referral = *
}
* Apply the patch:
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 298e132..12180ff 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
free(temp_buf);
if (retval) {
/* no match found */
- - kdc_err(kdc_context, retval, 0);
+ kdc_err(kdc_context, retval, "unable to find realm of host");
goto cleanup;
}
if (realms == 0) {
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index efff818..ef3735a 100644
- --- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list
char *cp;
char *syslogp;
+ if (whoami == NULL || format == NULL)
+ return;
+
/* Make the header */
snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
/*
This patch is also available at
http://web.mit.edu/kerberos/advisories/2009-003-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2009-003-patch.txt.asc
REFERENCES
=========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2009-3295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3295
ACKNOWLEDGMENTS
==============
This issue was independently discovered by Jeff Blaine, Radoslav Bodo,
Jakob Haufe, and Jorgen Wahlsten.
CONTACT
======
The MIT Kerberos Team security contact address is