-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2010-001 MIT krb5 Security Advisory 2010-001 Original release: 2010-02-16 Last update: 2010-02-16 Topic: krb5-1.7 KDC denial of service CVE-2010-0283 krb5-1.7 KDC denial of service CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C CVSSv2 Base Score: 7.8 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 6.4 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= Improper input validation in the KDC can cause an assertion failure and process termination. A functional exploit exists, but is not known to be publicly circulated. Releases prior to krb5-1.7 did not contain the vulnerable code. This is an implementation vulnerability in MIT krb5, and is not a vulnerability in the Kerberos protocol. IMPACT ====== An unauthenticated remote attacker can send an invalid request to a KDC process that will cause it to crash due to an assertion failure, creating a denial of service. AFFECTED SOFTWARE ================= * KDC in MIT krb5-1.7 and later * Prerelease (alpha test) code for krb5-1.8 is also vulnerable. FIXES ===== * The upcoming krb5-1.7.2 release will contain a fix for this vulnerability. * The final krb5-1.8 release will contain a fix for this vulnerability. * For the krb5-1.7 and krb5-1.7.1 releases, apply the following patch: diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 52fbda5..680e6a1 100644 - --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, session_key.contents = 0; enc_tkt_reply.authorization_data = NULL; + if (request->msg_type != KRB5_AS_REQ) { + status = "msg_type mismatch"; + errcode = KRB5_BADMSGTYPE; + goto errout; + } errcode = kdc_make_rstate(&state); if (errcode != 0) { status = "constructing state"; diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 12180ff..c8cf692 100644 - --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, retval = decode_krb5_tgs_req(pkt, &request); if (retval) return retval; + if (request->msg_type != KRB5_TGS_REQ) + return KRB5_BADMSGTYPE; /* * setup_server_realm() sets up the global realm-specific data pointer. diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index d88e0cb..2639047 100644 - --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error krb5_data *encoded_e_data = NULL; memset(outer_pa, 0, sizeof(outer_pa)); - - if (!state->armor_key) + if (!state || !state->armor_key) return 0; fx_error = *err; fx_error.e_data.data = NULL; This patch is also available at http://web.mit.edu/kerberos/advisories/2010-001-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2010-001-patch.txt.asc * The above patch will apply to krb5-1.8 prerelease code if whitespace is ignored. REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: CVE-2010-0283 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0283 ACKNOWLEDGMENTS =============== Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and reporting this vulnerability. CONTACT ======= The MIT Kerberos Team security contact address is . When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01] uid MIT Kerberos Team Security Contact DETAILS ======= In new code introduced in the KDC for the krb5-1.7 release, code that handles authorization data (handle_tgt_authdata()) contains a call to assert() that ensures that the function arguments are consistent with value of the msg_type field of the request that it is processing. This assertion can fail because the msg_type can be inconsistent with the ASN.1 tag that previously-executed code used to choose whether to process the request as a request for initial tickets (AS-REQ) or as a request for additional tickets (TGS-REQ). REVISION HISTORY ================ 2010-02-16 original release Copyright (C) 2010 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS) iEYEARECAAYFAkt66lcACgkQSO8fWy4vZo7I0ACfasGx8aeoSggpGZ+pT9rbcKSj QJIAoNPvn30+XmGb5Q7nXaAy0jiLIftg =yYBl -----END PGP SIGNATURE-----