-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-002 MIT krb5 Security Advisory 2011-002 Original release: 2011-02-08 Last update: 2011-02-08 Topic: KDC denial of service attacks CVE-2011-0281: KDC vulnerable to hang when using LDAP back end CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 7.8 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 6.8 Exploitability: High Remediation Level: Official Fix Report Confidence: Confirmed CVE-2011-0282: KDC vulnerable to crash when using LDAP back end CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 7.8 CVSSv2 Temporal Score: 6.8 CVE-2011-0283: krb5-1.9 KDC vulnerable to crash CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 7.8 CVSSv2 Temporal Score: 6.8 SUMMARY ======= The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks from unauthenticated remote attackers. CVE-2011-0281 and CVE-2011-0282 occur only in KDCs using LDAP back ends, but CVE-2011-0283 occurs in all krb5-1.9 KDCs. Exploit code is not known to exist, but the vulnerabilities are easy to trigger manually. The trigger for CVE-2011-0281 has already been disclosed publicly, but that fact might not be obvious to casual readers of the message in which it was disclosed. The triggers for CVE-2011-0282 and CVE-2011-0283 have not yet been disclosed publicly, but they are also trivial. IMPACT ====== CVE-2011-0281: An unauthenticated remote attacker can cause a KDC configured with an LDAP back end to become completely unresponsive until restarted. CVE-2011-0282: An unauthenticated remote attacker can cause a KDC configured with an LDAP back end to crash with a null pointer dereference. CVE-2011-0283: An unauthenticated remote attacker can cause a krb5-1.9 KDC with any back end to crash with a null pointer dereference. AFFECTED SOFTWARE ================= CVE-2011-0281 and CVE-2011-0282: The KDC in releases krb5-1.6 and later are vulnerable. Earlier releases did not contain the LDAP back end code, and are therefore not vulnerable to these issues. CVE-2011-0283: The KDC in krb5-1.9 is vulnerable. Earlier releases did not contain the bug. FIXES ===== * Workaround: restart the KDC when it becomes unresponsive or crashes, possibly using an automated monitoring process. * The patch for the krb5-1.9 release is available at http://web.mit.edu/kerberos/advisories/2011-002-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2011-002-patch.txt.asc * The patch for the krb5-1.8 and krb5-1.7 releases is at http://web.mit.edu/kerberos/advisories/2011-002-patch-r18.txt For the 1.7 releases, apply the patch ignoring whitespace (use "patch -l"). A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2011-002-patch-r18.txt.asc * The following patch applies to the krb5-1.6 release series. This patch is also available at http://web.mit.edu/kerberos/advisories/2011-002-patch-r16.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2011-002-patch-r16.txt.asc REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html Mailing list message describing the trigger for CVE-2011-0281: http://mailman.mit.edu/pipermail/kerberos/2010-December/016800.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0281 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0282 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0283 ACKNOWLEDGMENTS =============== The CVE-2011-0281 issue was discovered by Kevin Longfellow of Oracle Corporation. The CVE-2011-0283 issue was discovered by Zbysek Mraz of Red Hat. CONTACT ======= The MIT Kerberos Team security contact address is . When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01] uid MIT Kerberos Team Security Contact pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01] uid MIT Kerberos Team Security Contact DETAILS ======= CVE-2011-0281: KDC vulnerable to hang when using LDAP back end The LDAP KDC database back end converts an internal representation of the protocol encoding of a Kerberos principal name into a single C string in order to do a lookup in LDAP. The "unparse" code that does this transformation can produce backslash escape sequences which the LDAP client library rejects during the LDAP lookup. The LDAP KDC database back end loops attempting to reconnect to the LDAP server, but leaks file descriptors while doing so. When the amount of leakage reaches a file descriptor limit (e.g., FD_SETSIZE), the KDC may become unresponsive. One possibility is that having more than FD_SETSIZE open file descriptors causes select() to become incapable of detecting status changes on the newest file descriptor that the KDC uses to communicate with the LDAP server. CVE-2011-0282: KDC vulnerable to crash when using LDAP back end CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 7.8 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 6.8 Exploitability: High Remediation Level: Official Fix Report Confidence: Confirmed The KDC LDAP back end, when testing whether a principal belongs to the default realm, assumes that principal name components are null-terminated and are not null pointers. Both of these assumptions are invalid in the general case, so an attacker could craft a principal name to induce a null pointer dereference or reading beyond the end of a buffer, causing a crash. Data leakage resulting from the overrun is essentially impossible because the read operation is a comparison rather than a copy. CVE-2011-0283: krb5-1.9 KDC vulnerable to crash CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 7.8 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 6.8 Exploitability: High Remediation Level: Official Fix Report Confidence: Confirmed Changes in the KDC network code in the krb5-1.9 release introduced a bug that allows a null pointer dereference, which would cause the KDC to crash. Any request packet that is sufficiently malformed that the KDC would not generate a response packet can trigger this bug. REVISION HISTORY ================ 2011-02-08 original release Copyright (C) 2011 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS) iEYEARECAAYFAk1RlFMACgkQSO8fWy4vZo5GBQCdHjbGW27n3nskeQCzlCkQY1aA H40AnAsI0BTieELwAz8rcshwkocFhSTJ =uL6I -----END PGP SIGNATURE-----