Date: 17 February 2010
References: ESB-2010.0536 ESB-2010.0189
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0164
MIT krb5 Security Advisory 2010-001
17 February 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: krb5-1.7
Publisher: MIT Kerberos Team
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Mitigation
CVE Names: CVE-2010-0283
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2010-001
MIT krb5 Security Advisory 2010-001
Original release: 2010-02-16
Last update: 2010-02-16
Topic: krb5-1.7 KDC denial of service
CVE-2010-0283
krb5-1.7 KDC denial of service
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C
CVSSv2 Base Score: 7.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 6.4
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
SUMMARY
=======
Improper input validation in the KDC can cause an assertion failure
and process termination. A functional exploit exists, but is not
known to be publicly circulated. Releases prior to krb5-1.7 did not
contain the vulnerable code.
This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.
IMPACT
======
An unauthenticated remote attacker can send an invalid request to a
KDC process that will cause it to crash due to an assertion failure,
creating a denial of service.
AFFECTED SOFTWARE
=================
* KDC in MIT krb5-1.7 and later
* Prerelease (alpha test) code for krb5-1.8 is also vulnerable.
FIXES
=====
* The upcoming krb5-1.7.2 release will contain a fix for this
vulnerability.
* The final krb5-1.8 release will contain a fix for this
vulnerability.
* For the krb5-1.7 and krb5-1.7.1 releases, apply the following patch:
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 52fbda5..680e6a1 100644
- - --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
session_key.contents = 0;
enc_tkt_reply.authorization_data = NULL;
+ if (request->msg_type != KRB5_AS_REQ) {
+ status = "msg_type mismatch";
+ errcode = KRB5_BADMSGTYPE;
+ goto errout;
+ }
errcode = kdc_make_rstate(&state);
if (errcode != 0) {
status = "constructing state";
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 12180ff..c8cf692 100644
- - --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
+ if (request->msg_type != KRB5_TGS_REQ)
+ return KRB5_BADMSGTYPE;
/*
* setup_server_realm() sets up the global realm-specific data pointer.
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index d88e0cb..2639047 100644
- - --- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error
krb5_data *encoded_e_data = NULL;
memset(outer_pa, 0, sizeof(outer_pa));
- - - if (!state->armor_key)
+ if (!state || !state->armor_key)
return 0;
fx_error = *err;
fx_error.e_data.data = NULL;
This patch is also available at
http://web.mit.edu/kerberos/advisories/2010-001-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2010-001-patch.txt.asc
* The above patch will apply to krb5-1.8 prerelease code if whitespace
is ignored.
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2010-0283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0283
ACKNOWLEDGMENTS
===============
Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and
reporting this vulnerability.
CONTACT
=======
The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>
DETAILS
=======
In new code introduced in the KDC for the krb5-1.7 release, code that
handles authorization data (handle_tgt_authdata()) contains a call to
assert() that ensures that the function arguments are consistent with
value of the msg_type field of the request that it is processing.
This assertion can fail because the msg_type can be inconsistent with
the ASN.1 tag that previously-executed code used to choose whether to
process the request as a request for initial tickets (AS-REQ) or as a
request for additional tickets (TGS-REQ).
REVISION HISTORY
================
2010-02-16 original release
Copyright (C) 2010 Massachusetts Institute of Technology
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
iEYEARECAAYFAkt66lcACgkQSO8fWy4vZo7I0ACfasGx8aeoSggpGZ+pT9rbcKSj
QJIAoNPvn30+XmGb5Q7nXaAy0jiLIftg
=yYBl
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFLe1mi/iFOrG6YcBERAmK3AJ9GmO8slM1s/gBiOgxgxxqgYPWL7gCfaXxe
ZEQYAlgFrfLS+BEXRgaOxE8=
=ws1d
-----END PGP SIGNATURE-----
|