CVSS2 base score: 5.8 (Medium)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS score: 0.949 (High), percentile 99.1%
When a server process uses the krb5_recvauth function, an
unauthenticated remote attacker can cause a NULL dereference by sending
a zero-byte version string, or a read beyond the end of allocated
storage by sending a non-null-terminated version string. The example
user-to-user server application (uuserver) is similarly vulnerable to a
zero-length or non-null-terminated principal name string.
The krb5_recvauth function reads two version strings from the client
using krb5_read_message(), which produces a krb5_data structure
containing a length and a pointer to an octet sequence. krb5_recvauth
assumes that the data pointer is a valid NUL-terminated C string and
passes it to strcmp() to verify the versions. If the client sends an
empty octet sequence, the data pointer will be NULL and strcmp() will
dereference a NULL pointer, crashing the process. If the client sends an
octet sequence without a terminating NUL, strcmp() will read beyond the
end of the allocated storage, which may also crash the process.
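The following is an added example, not code from MIT Kerberos, that reproduces the flaw in a self-contained form and shows the check a server should apply before treating a length-delimited message as a C string. The krb5_data stand-in is simplified (the real structure also carries a magic field), the 4-byte big-endian length framing used by read_message() is assumed to mirror krb5_read_message(), and the three client messages are constructed for illustration. The same length-and-terminator check applies to the principal name string read by uuserver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the krb5_data filled in by krb5_read_message():
 * a length and a pointer to an octet sequence that is NOT guaranteed to be
 * NUL-terminated. The real struct also has a magic field (assumption). */
typedef struct {
    unsigned int length;
    char *data;
} krb5_data;

#define SENDAUTH_VERS "KRB5_SENDAUTH_V1.0"

/* Build a length-prefixed message (4-byte big-endian length, then n octets)
 * into buf; returns the total size. Constructed framing for the demo. */
size_t build_message(unsigned char *buf, const void *s, uint32_t n)
{
    buf[0] = (unsigned char)(n >> 24);
    buf[1] = (unsigned char)(n >> 16);
    buf[2] = (unsigned char)(n >> 8);
    buf[3] = (unsigned char)n;
    memcpy(buf + 4, s, n);
    return 4 + n;
}

/* Parse a framed message into a krb5_data. A zero-length message leaves
 * data NULL, and a non-empty one is copied into an allocation of exactly
 * length bytes, so no terminator is added: this mirrors the conditions the
 * advisory describes. Returns 0 on success, -1 on malformed framing. */
int read_message(const unsigned char *wire, size_t wire_len, krb5_data *out)
{
    if (wire_len < 4)
        return -1;
    uint32_t len = ((uint32_t)wire[0] << 24) | ((uint32_t)wire[1] << 16) |
                   ((uint32_t)wire[2] << 8) | (uint32_t)wire[3];
    if (len > wire_len - 4)
        return -1;
    out->length = len;
    out->data = NULL;
    if (len == 0)
        return 0;
    out->data = malloc(len);
    if (out->data == NULL)
        return -1;
    memcpy(out->data, wire + 4, len);
    return 0;
}

/* The vulnerable pattern: the octet sequence is handed straight to strcmp().
 * NULL data dereferences a NULL pointer; data without a trailing NUL makes
 * strcmp() read past the allocation. Shown for contrast only. */
int version_ok_unsafe(const krb5_data *d)
{
    return strcmp(d->data, SENDAUTH_VERS) == 0;
}

/* Hardened comparison: refuse empty data and require the final octet to be
 * NUL, so strcmp() is guaranteed to stop inside the buffer. */
int version_ok_safe(const krb5_data *d)
{
    if (d->data == NULL || d->length == 0)
        return 0;
    if (d->data[d->length - 1] != '\0')
        return 0;
    return strcmp(d->data, SENDAUTH_VERS) == 0;
}

/* Parse one framed message and run the hardened check.
 * Returns 1 if the version matches, 0 if rejected, -1 on malformed framing. */
int check_version_message(const unsigned char *wire, size_t wire_len)
{
    krb5_data d;
    if (read_message(wire, wire_len, &d) != 0)
        return -1;
    int ok = version_ok_safe(&d);
    free(d.data);
    return ok;
}

/* Three constructed client messages: well-formed (terminator included),
 * zero-length (data stays NULL), and terminator omitted. */
int demo_good(void)
{
    unsigned char buf[64];
    size_t n = build_message(buf, SENDAUTH_VERS, sizeof SENDAUTH_VERS);
    return check_version_message(buf, n);
}
int demo_empty(void)
{
    unsigned char buf[4];
    size_t n = build_message(buf, "", 0);
    return check_version_message(buf, n);
}
int demo_unterminated(void)
{
    unsigned char buf[64];
    size_t n = build_message(buf, SENDAUTH_VERS, sizeof SENDAUTH_VERS - 1);
    return check_version_message(buf, n);
}

int main(void)
{
    printf("well-formed:  %d\n", demo_good());
    printf("zero-length:  %d\n", demo_empty());
    printf("unterminated: %d\n", demo_unterminated());
    return 0;
}
```

Only version_ok_safe() is ever called on the parsed messages; version_ok_unsafe() is the shape of the original bug and would crash or over-read on the second and third inputs. The check works because the legitimate client includes the trailing NUL in the transmitted length, so requiring data[length - 1] == '\0' rejects exactly the malformed cases without breaking well-formed peers.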
It has been discovered that, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal’s long-term key. This ciphertext could be
used to conduct an off-line dictionary attack against the user’s password.