-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MITKRB5-SA-2011-006

MIT krb5 Security Advisory 2011-006
Original release: 2011-10-18
Last update: 2011-10-20

Topic: KDC denial of service vulnerabilities

CVE-2011-1527: null pointer dereference in KDC LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.8

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2011-1528: assertion failure in KDC LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

CVE-2011-1529: null pointer dereference in multiple KDC back ends

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

CVE-2011-4151: assertion failure in KDC db2 back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

SUMMARY
=======

CVE-2011-1527: In releases krb5-1.9 and later, the KDC can crash due
to a null pointer dereference if configured to use the LDAP back end.
A trigger condition is publicly known.

CVE-2011-1528: In releases krb5-1.8 and later, the KDC can crash due
to an assertion failure if configured to use the LDAP back end.  No
exploit is known to exist, but there is public evidence that the
unidentified trigger condition occurs in the field.

CVE-2011-1529: In releases krb5-1.8 and later, the KDC can crash due
to a null pointer dereference.  No exploit is known to exist.

CVE-2011-4151: In releases krb5-1.8 through krb5-1.8.4, the KDC can
crash due to an assertion failure if configured to use the Berkeley DB
("db2") back end.

IMPACT
======

CVE-2011-1527: An unauthenticated remote attacker can crash a KDC
daemon via null pointer dereference if the KDC is configured to use
the LDAP back end.
(This is not the default configuration.)

CVE-2011-1528: An unauthenticated remote attacker can crash a KDC
daemon via assertion failure if the KDC is configured to use the LDAP
back end.  (This is not the default configuration.)

CVE-2011-1529: An unauthenticated remote attacker can crash a KDC
daemon via null pointer dereference.

CVE-2011-4151: An unauthenticated remote attacker can crash a KDC
daemon via assertion failure if the KDC is configured to use the
Berkeley DB ("db2") back end.

AFFECTED SOFTWARE
=================

* The KDC in krb5-1.9 and later is vulnerable to CVE-2011-1527 when
  configured with the LDAP back end.  Earlier releases had different
  code that masked this bug and did not crash under these conditions.

* The KDC in krb5-1.8 and later is vulnerable to CVE-2011-1528 when
  configured with the LDAP back end.

* The KDC in krb5-1.8 and later is vulnerable to CVE-2011-1529 when
  configured with either the Berkeley DB ("db2") or the LDAP back
  end.

* The KDC in krb5-1.8 through krb5-1.8.4 is vulnerable to
  CVE-2011-4151 when configured with the Berkeley DB ("db2") back
  end.  Releases krb5-1.9 and later no longer have the assertion in
  the db2 back end and are not vulnerable.

FIXES
=====

* Workaround: restart the KDC when it crashes, possibly using an
  automated monitoring process.

* An upcoming release in the krb5-1.9.x series will fix
  CVE-2011-1527.

* Upcoming releases in the krb5-1.8.x and krb5-1.9.x series will fix
  CVE-2011-1528 and CVE-2011-1529.

* An upcoming release in the krb5-1.8.x series will fix
  CVE-2011-4151.
* The patch for krb5-1.9.x is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch.txt.asc

* The patch for krb5-1.8.x is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt.asc

REFERENCES
==========

This announcement is posted at:

        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

        http://www.first.org/cvss/cvss-guide.html
        http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2011-1527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1527

CVE: CVE-2011-1528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1528

CVE: CVE-2011-1529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1529

CVE: CVE-2011-4151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4151

Debian bug #629558:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629558

Ubuntu bug #715579:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/715579

Red Hat Bug #744125:
https://bugzilla.redhat.com/show_bug.cgi?id=744125

ACKNOWLEDGMENTS
===============

CVE-2011-1527: Nalin Dahyabhai and Andrej Ota independently reported
this vulnerability.  Kyle Moffett independently reported this bug to
Debian.

CVE-2011-1528: Mark Deneen reported this vulnerability to Ubuntu.

CONTACT
=======

The MIT Kerberos Team security contact address is .
When sending sensitive information, please PGP-encrypt it using the
following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid                  MIT Kerberos Team Security Contact

DETAILS
=======

CVE-2011-1527: null pointer dereference in KDC LDAP back end

Under certain error conditions, krb5_ldap_get_principal() in the KDC
LDAP back end can return success yet leave the client principal entry
as a null pointer.  Subsequently executed code attempts to dereference
this null pointer.

CVE-2011-1528: assertion failure in KDC LDAP back end

In the KDC LDAP back end in releases krb5-1.8 and later,
krb5_ldap_lockout_audit() calls assert() with an expression that could
be false under as-yet unidentified conditions.  There is a report that
the assertion failure occurs in the field, but there is insufficient
information to identify the actual vector.  The related vulnerability
in the db2 back end is CVE-2011-4151.

CVE-2011-1529: null pointer dereference in multiple KDC back ends

In releases krb5-1.8 and later, lookup_lockout_policy() in both the
Berkeley DB ("db2") and LDAP KDC back ends fails to check that the
principal entry pointer is non-null prior to dereferencing it.  This
can happen if an error condition such as KRB5KDC_ERR_PREAUTH_FAILED or
KRB5KRB_AP_ERR_BAD_INTEGRITY occurs in process_as_req() before it
retrieves the principal database entry for the requested client.

CVE-2011-4151: assertion failure in KDC db2 back end

In the KDC Berkeley DB ("db2") back end in releases krb5-1.8 through
krb5-1.8.4, krb5_db2_lockout_audit() calls assert() with an expression
that could be false under as-yet unidentified conditions.  The db2
back end no longer has this assertion in releases krb5-1.9 and later,
and is therefore not vulnerable.  The related vulnerability in the LDAP
back end is CVE-2011-1528.
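The following C sketch is an added illustration, not part of this
advisory and not MIT krb5 source.  It models the two failure shapes
the DETAILS section describes: the lookout-policy lookup of
CVE-2011-1529 that dereferences a principal entry which is NULL when
the AS-REQ already failed with KRB5KDC_ERR_PREAUTH_FAILED or
KRB5KRB_AP_ERR_BAD_INTEGRITY, shown beside a hardened version, and the
lockout_audit() assert() of CVE-2011-1528/CVE-2011-4151, shown as an
error return instead of an abort.  Every struct, function name and
numeric error value here is a hypothetical stand-in for the example;
the advisory does not state which expression the real assert()
checked, so the condition used below is an assumption.

```c
/*
 * Added example, not code from MIT krb5: a simplified model of the KDC
 * lockout-audit path that MITKRB5-SA-2011-006 describes. Every type,
 * function name and numeric error value below is a hypothetical
 * stand-in chosen for the example, not a krb5 identifier.
 */
#include <stddef.h>
#include <time.h>

/* Stand-ins for the krb5 error codes the advisory names. */
enum {
    EX_OK = 0,
    EX_PREAUTH_FAILED = 1,  /* stands in for KRB5KDC_ERR_PREAUTH_FAILED */
    EX_BAD_INTEGRITY = 2,   /* stands in for KRB5KRB_AP_ERR_BAD_INTEGRITY */
    EX_CLIENT_REVOKED = 3   /* stands in for an "account locked" error */
};

/* Hypothetical principal entry: only the fields a lockout check needs. */
struct principal_entry {
    unsigned int fail_auth_count; /* consecutive failed preauth attempts */
    time_t last_failed;           /* time of the most recent failure */
    int disallow_all_tix;         /* nonzero once an admin locked the account */
};

/* Hypothetical realm-wide lockout policy. */
struct lockout_policy {
    unsigned int max_fail;   /* 0 means never lock out */
    time_t lockout_duration; /* seconds; 0 means locked until reset */
};

/*
 * Vulnerable shape (CVE-2011-1529): dereferences entry unconditionally.
 * If AS-REQ processing fails with PREAUTH_FAILED or BAD_INTEGRITY before
 * the client entry was fetched, entry is NULL and the KDC segfaults.
 * Kept only for comparison; never call it with a NULL entry.
 * Returns 1 if the account is currently locked out, else 0.
 */
int lookup_lockout_vulnerable(const struct principal_entry *entry,
                              const struct lockout_policy *pol, time_t now)
{
    if (pol->max_fail == 0 || entry->fail_auth_count < pol->max_fail)
        return 0;
    return pol->lockout_duration == 0 ||
           now < entry->last_failed + pol->lockout_duration;
}

/* Hardened shape: a missing entry means there is no policy to evaluate. */
int lookup_lockout_fixed(const struct principal_entry *entry,
                         const struct lockout_policy *pol, time_t now)
{
    if (entry == NULL || pol->max_fail == 0)
        return 0;
    if (entry->fail_auth_count < pol->max_fail)
        return 0;
    return pol->lockout_duration == 0 ||
           now < entry->last_failed + pol->lockout_duration;
}

/*
 * Audit hook in the shape of the lockout_audit() functions behind
 * CVE-2011-1528 and CVE-2011-4151. The advisory only says they assert()
 * a condition that turns out to be false in the field; the usual fix for
 * an assert() reachable from network input is to return an error instead
 * of aborting. The exact condition is not given, so the one checked here
 * (an administratively locked account on a successful request) is an
 * assumption made for the example.
 */
int lockout_audit(struct principal_entry *entry, time_t now, int status)
{
    switch (status) {
    case EX_OK:
    case EX_PREAUTH_FAILED:
    case EX_BAD_INTEGRITY:
        break;
    default:
        return EX_OK;   /* other outcomes are not lockout-relevant */
    }
    if (entry == NULL)
        return EX_OK;   /* request failed before lookup: nothing to record */

    if (status == EX_OK && entry->disallow_all_tix) {
        /* A crashable version would do assert(!entry->disallow_all_tix);
         * an abort() a remote peer can trigger is a DoS, so report it. */
        return EX_CLIENT_REVOKED;
    }
    if (status == EX_OK) {
        entry->fail_auth_count = 0;  /* a successful auth resets the counter */
    } else {
        entry->fail_auth_count++;
        entry->last_failed = now;
    }
    return EX_OK;
}
```

The practical check for a KDC operator is the same in both shapes: any
code on the AS-REQ error path must tolerate a NULL client entry, because
an unauthenticated client can put the request on that path with a bad
pre-authentication value, and any assert() on that path is a remote
crash rather than a debugging aid.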
REVISION HISTORY
================

2011-10-22 update for CVE-2011-4151 split
2011-10-20 add Red Hat bug reference
2011-10-18 original release

Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk6jj84ACgkQSO8fWy4vZo4eZwCcDVRrv3Lygj2FZkg09uXt6X7K
sKIAoIJZzSofw0eCrhI+6UzIRRX1/0mx
=tO0e
-----END PGP SIGNATURE-----