MITKRB5-SA-2009-003

MIT krb5 Security Advisory 2009-003
Original release: 2009-12-28
Last update: 2010-01-04

Topic: KDC denial of service in cross-realm referral processing

CVE-2009-3295
KDC denial of service in cross-realm referral processing

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      6.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  5.3

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

A null pointer dereference can occur in an error condition in the KDC
cross-realm referral processing code first introduced in MIT krb5-1.7.
This can cause the KDC to crash. This is an implementation
vulnerability in MIT krb5, and is not a vulnerability in the Kerberos
protocol.

IMPACT
======

An authenticated remote attacker could cause the KDC to crash due to a
null pointer dereference. (Authentication via cross-realm Kerberos may
be sufficient.) Legitimate requests can also cause this crash to
occur.

AFFECTED SOFTWARE
=================

* MIT krb5 release krb5-1.7. Earlier releases did not contain the
  functionality implemented by the vulnerable code.

FIXES
=====

* Upgrade: The upcoming krb5-1.7.1 release will contain a fix for this
  vulnerability.

* Workaround: Disable the realm referral capability by using the
  "no_host_referral = *" setting, e.g.

    [kdcdefaults]
        no_host_referral = *

  or

    [realms]
        EXAMPLE.COM = {
            # ... other configuration settings ...
            no_host_referral = *
        }

* Apply the patch:

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 298e132..12180ff 100644 - --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c
@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) free(temp_buf); if (retval) { /* no match found */ - - kdc_err(kdc_context, retval, 0); + kdc_err(kdc_context, retval, "unable to find realm of host"); goto cleanup; } if (realms == 0) { diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c index efff818..ef3735a 100644 - --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c 
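Review bot: replacing the null format argument with the fixed string "unable to find realm of host" stops the crash at this call site, but the message names nothing about which lookup failed; since kdc_err() takes a printf-style format, a "%s" carrying the name being resolved would let operators correlate the failure, and because free(temp_buf) runs on the line above the if (retval) check, that free would have to move below the kdc_err() call if temp_buf is the buffer holding that name. Whatever literal is chosen must stay free of '%' characters as long as it is passed in the format position.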
@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list char *cp; char *syslogp; + if (whoami == NULL || format == NULL) + return; + /* Make the header */ snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); /*

This patch is also available at

        http://web.mit.edu/kerberos/advisories/2009-003-patch.txt

A PGP-signed patch is available at

        http://web.mit.edu/kerberos/advisories/2009-003-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

        http://www.first.org/cvss/cvss-guide.html
        http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2009-3295

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3295

ACKNOWLEDGMENTS
===============

This issue was independently discovered by Jeff Blaine, Radoslav Bodo,
Jakob Haufe, and Jorgen Wahlsten.

CONTACT
=======

The MIT Kerberos Team security contact address is . When sending
sensitive information, please PGP-encrypt it using the following key:

pub   2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid                  MIT Kerberos Team Security Contact

DETAILS
=======

A null pointer dereference exists in new functionality added in
krb5-1.7. This new functionality produces cross-realm referrals when a
client requests a ticket for a host-based service principal name.
Under certain error conditions, the function prep_reprocess_req() in
do_tgs_req.c calls the kdc_err() function with a null pointer as the
format string, which other code proceeds to dereference, causing a
crash on most platforms.
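Review bot: the new guard at the top of klog_com_err_proc() returns silently when whoami or format is NULL, so a caller that reaches this path loses its log entry entirely, including the error code passed in `code` that it was trying to report; substituting a placeholder such as "(null)" for the missing argument and still emitting the line would make a future caller bug like the one fixed in do_tgs_req.c leave a trace instead of vanishing. The check is sound as defense in depth in the logging layer, but it does not change the contract of kdc_err(): callers must still never pass a NULL format, so a short comment stating that would help the next reader.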
REVISION HISTORY
================

2010-01-04 correction: authentication required for attack
2009-12-28 original release

Copyright (C) 2009 Massachusetts Institute of Technology