-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2010-003
MIT krb5 Security Advisory 2010-003
Original release: 2010-04-06
Last update: 2010-04-06
Topic: denial of service in kadmind in older krb5 releases
CVE-2010-0629
denial of service in kadmind in older krb5 releases
CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 6.8
Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 5.3
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
SUMMARY
======
In previous MIT krb5 releases krb5-1.5 through krb5-1.6.3, the
Kerberos administration daemon (kadmind) can crash due to referencing
freed memory. A legitimate user can trigger this crash by using a
newer version of the kadmin protocol than the server supports.
This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol. This vulnerability is not
present in modern releases of MIT krb5.
IMPACT
=====
An authenticated remote attacker could crash the Kerberos
administration daemon (kadmind), causing a denial of service.
AFFECTED SOFTWARE
================
* kadmind in MIT releases krb5-1.5 through krb5-1.6.3.
FIXES
====
* The krb5-1.7 release already contains a fix for this vulnerability.
* Apply the patch below. The corresponding SVN revision (r22427) in
our source tree contains additional use-after-free bugfixes; we
believe that it is impractical for an attacker to induce execution
of these sections of code.
Index: src/kadmin/server/server_stubs.c
===================================================================
- --- src/kadmin/server/server_stubs.c (revision 22426)
+++ src/kadmin/server/server_stubs.c (revision 22427)
@@ -1628,7 +1628,7 @@
}
if (ret.code != 0)
- - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ errmsg = krb5_get_error_message(NULL, ret.code);
else
errmsg = "success";
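Review bot: the ternary `handle ? handle->context : NULL` on the removed line only guards against a NULL handle, not a dangling one; per the summary above, the handle has already been freed by the time this error path runs on a kadmin protocol-version mismatch, so `handle->context` reads freed memory and kadmind crashes. Passing `NULL` to `krb5_get_error_message` removes that read, at the cost of losing any context-specific extended error text, so only the generic message for `ret.code` is returned. A short comment above the call stating that `NULL` is deliberate because `handle` may no longer be valid here would keep a later cleanup from reintroducing the context lookup.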
This patch is also available at
http://web.mit.edu/kerberos/advisories/2010-003-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2010-003-patch.txt.asc
REFERENCES
=========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
This bug has been public for a while at
http://krbdev.mit.edu/rt/Ticket/Display.html?id=5998
but the security consequence has not been previously widely known.
The security consequence was first made public in a limited context in
the Debian bug found at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567052
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2010-0629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0629
ACKNOWLEDGMENTS
==============
Thanks to Sol Jerome for reporting the kadmind crash to Debian.
CONTACT
======
The MIT Kerberos Team security contact address is