-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MITKRB5-SA-2010-002

                 MIT krb5 Security Advisory 2010-002

Original release: 2010-03-23
Last update: 2010-03-23

Topic: denial of service in SPNEGO

CVE-2010-0628
VU#839413
denial of service in SPNEGO

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.1

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

In MIT krb5 releases krb5-1.7 and later, the SPNEGO GSS-API mechanism
can experience an assertion failure when receiving certain invalid
messages. This can cause a GSS-API application to crash.

This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.

IMPACT
======

An unauthenticated remote attacker could cause a GSS-API application,
including the Kerberos administration daemon (kadmind), to crash.

AFFECTED SOFTWARE
=================

* kadmind in MIT releases krb5-1.7 and later

* FTP daemon in MIT releases krb5-1.7 and later

* Third-party software using the GSS-API library from MIT krb5
  releases krb5-1.7 and later

* MIT releases prior to krb5-1.7 did not contain the vulnerable code.

FIXES
=====

* The upcoming krb5-1.7.2 and krb5-1.8.1 releases will contain fixes
  for this vulnerability.
* Apply the patch available at

  http://web.mit.edu/kerberos/advisories/2010-002-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2010-002-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

  http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

  http://web.mit.edu/kerberos/index.html

CVSSv2:

  http://www.first.org/cvss/cvss-guide.html
  http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-0628

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0628

CERT: VU#839413

  http://www.kb.cert.org/vuls/id/839413

ACKNOWLEDGMENTS
===============

Thanks to Nalin Dahyabhai, Jan iankko Lieskovsky, and Zbysek Mraz (all
from Red Hat) for discovering and reporting this vulnerability.

CONTACT
=======

The MIT Kerberos Team security contact address is . When sending
sensitive information, please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid                  MIT Kerberos Team Security Contact

DETAILS
=======

A patch to fix CVE-2009-0845 interacted poorly with new functionality
introduced in krb5-1.7. This allowed an error condition to occur where
receiving an invalid packet could cause an assertion failure, crashing
the program and causing denial of service.

When the spnego_gss_accept_sec_context() function (in
src/lib/gssapi/spnego/spnego_mech.c) receives an invalid packet during
the beginning of a GSS-API protocol exchange, it can set some internal
state that tells it to send an error token without first creating a
context handle, but some subsequently executed code contains a call to
assert() that requires that the context handle be non-null.
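The control-flow defect described above, modelled as an added example: this is constructed illustration code, not krb5's spnego_mech.c, and model_ctx, token_looks_valid() and model_accept_sec_context() are hypothetical names. It shows how an error path that skips context creation can reach a later assert() on the context pointer, and a defensive shape that returns the error before that point (not MIT's actual patch).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, stripped-down stand-in for the accept-side context; not
 * krb5's real spnego_gss_ctx_id_t. Constructed for this example. */
typedef struct { int mech_selected; } model_ctx;

enum accept_outcome {
    OUTCOME_CONTINUE = 0,    /* valid token: context created, exchange continues */
    OUTCOME_ERROR_TOKEN = 1, /* invalid token: rejected with an error token */
    OUTCOME_ASSERT_ABORT = 2 /* assert(ctx != NULL) would fail: process dies */
};

/* Toy stand-in for real SPNEGO token parsing (constructed): treat a token as
 * well-formed only if it carries the GSS-API InitialContextToken tag 0x60. */
static int token_looks_valid(const uint8_t *tok, size_t len)
{
    return len > 2 && tok[0] == 0x60;
}

/* Models the flow the advisory describes. With fixed == 0 an invalid first
 * token sets "send error token" without allocating a context, yet later code
 * still requires a non-NULL context; we return OUTCOME_ASSERT_ABORT where the
 * real code would abort in assert(), so the model runs safely. With fixed == 1
 * the no-context error path returns before that point (a defensive shape). */
enum accept_outcome model_accept_sec_context(const uint8_t *tok, size_t len, int fixed)
{
    model_ctx *ctx = NULL;
    int send_error_token = 0;
    if (!token_looks_valid(tok, len)) {
        send_error_token = 1;          /* error path: no context allocated */
    } else {
        ctx = calloc(1, sizeof *ctx);
        if (ctx == NULL)
            return OUTCOME_ERROR_TOKEN;
        ctx->mech_selected = 1;
    }
    if (send_error_token && fixed)
        return OUTCOME_ERROR_TOKEN;    /* explicit error return, no ctx needed */
    /* Vulnerable shape: everything from here on assumes a context exists. */
    if (ctx == NULL)
        return OUTCOME_ASSERT_ABORT;   /* real code: assert(ctx != NULL) */
    free(ctx);
    return OUTCOME_CONTINUE;
}
```

The lesson for reviewers of GSS-API mechanism code is that assert() documents an invariant and is not input validation: any state reachable from attacker-supplied bytes needs an explicit error return.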
REVISION HISTORY
================

2010-03-23 original release

Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAkupAZsACgkQSO8fWy4vZo4ETACgn9xRUl3CTCiRd2vF1PBOaQ8b
EfUAoPz32NUU/mk+H8kej8fWQFo3iwcZ
=LHMP
-----END PGP SIGNATURE-----