-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-001 MIT krb5 Security Advisory 2011-001 Original release: 2011-02-08 Last update: 2011-02-08 Topic: kpropd denial of service CVE-2010-4022 CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:OF/RC:C CVSSv2 Base Score: 5 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial CVSSv2 Temporal Score: 4.4 Exploitability: High Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial-of-service attack triggered by invalid network input. If a kpropd worker process receives invalid input that causes it to exit with an abnormal status, it can cause the termination of the listening process that spawned it, preventing the slave KDC it was running on from receiving database updates from the master KDC. Exploit code is not known to exist, but the vulnerability is easy to trigger manually. IMPACT ====== An unauthenticated remote attacker can cause kpropd running in standalone mode (the "-S" option) to terminate its listening process, preventing database propagations to the KDC host on which it was running. Configurations where kpropd runs in incremental propagation mode ("iprop") or as an inetd server are not affected. AFFECTED SOFTWARE ================= kpropd in releases krb5-1.7 and later are vulnerable. Earlier releases did not contain the incremental propagation implementation that inadvertently introduced this problem. FIXES ===== * Workaround: if incremental propagation is not configured, run kpropd as an inetd service. * Future patch releases for 1.7, 1.8, and 1.9 will contain a fix. * Apply the patch: diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c - --- krb5/src/slave/kpropd.c 2010-12-17 11:14:26.000000000 -0500 +++ krb5/src/slave/kpropd.c 2010-12-17 11:41:19.000000000 -0500 @@ -404,11 +404,11 @@ retry: } close(s); - - if (iproprole == IPROP_SLAVE) + if (iproprole == IPROP_SLAVE) { close(finet); - - - - if ((ret = WEXITSTATUS(status)) != 0) - - return (ret); + if ((ret = WEXITSTATUS(status)) != 0) + return (ret); + } } if (iproprole == IPROP_SLAVE) break; This patch is also available at http://web.mit.edu/kerberos/advisories/2011-001-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2011-001-patch.txt.asc REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4022 ACKNOWLEDGMENTS =============== This issue was discovered by Keiichi Mori of Red Hat. CONTACT ======= The MIT Kerberos Team security contact address is . When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01] uid MIT Kerberos Team Security Contact pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01] uid MIT Kerberos Team Security Contact DETAILS ======= As a result of the changes implementing incremental propagation, the do_standalone() function in kpropd.c gained a flaw in child process handling. The do_iprop() function, which implements the bulk of the incremental propagation capability, may need to receive a full database dump from the master KDC, and calls do_standalone() with an iprop_role argument of IPROP_SLAVE to partially emulate the behavior of an ordinary (non-incremental) kpropd. Unlike in earlier versions of kpropd, do_standalone() returns the child's exit status (and thus ceases accepting connections) if the worker process child exits abnormally, rather than ignoring it. The correct behavior when receiving an abnormal exit status from the child process would be to return from do_standalone() only when invoked from do_iprop(). REVISION HISTORY ================ 2011-02-08 original release Copyright (C) 2010 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS) iEYEARECAAYFAk1RlE4ACgkQSO8fWy4vZo6MkACghLz1l0/+aO4hs2iQwlCZBjeR v7EAoNHYLVApbjrLTEKNsHLXXAjTIfWb =2W7G -----END PGP SIGNATURE-----