CERT VU#866472
History: Sep 02, 2004 - 12:00 a.m.

MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred() insecurely deallocates memory (double-free)

2004-09-02 00:00:00
www.kb.cert.org

CVSS2: 4.6 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.0005 Low
Percentile: 15.7%

Overview

The krb5_rd_cred() function in the MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in a double-free vulnerability. A remote, authenticated attacker could execute arbitrary code or cause a denial of service on any system running an application that calls krb5_rd_cred(). This includes Kerberos application servers and other applications that process Kerberos authentication via the MIT Kerberos 5 library, GSSAPI, and other libraries.

Description

As described on the MIT Kerberos web site: “Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.” MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.

Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). When handling an error condition, the function krb5_rd_cred() free()s a memory reference returned from the ASN.1 decoding function decode_krb5_enc_cred_part(). As part of its own error handling, the decoding function has already free()d that memory reference, so the second free() can corrupt heap memory management structures, possibly allowing heap memory to be manipulated to execute arbitrary code. This is a double-free vulnerability. Note that this vulnerability was addressed in krb5-1.3.2. From MITKRB5-SA-2004-002:

Implementations of krb5_rd_cred() prior to the krb5-1.3.2 release
contained code to explicitly free the buffer returned by the ASN.1
decoder function decode_krb5_enc_cred_part() when the decoder returns
an error. This is another double-free, since the decoder would itself
free the buffer on error. Since decode_krb5_enc_cred_part() does not
get called unless the decryption of the encrypted part of the KRB-CRED
is successful, the attacker needs to have authenticated. This code
was corrected in the krb5-1.3.2 release.

MIT notes that Kerberos applications that call krb5_rd_cred() to process forwarded credentials are affected:

Applications calling the krb5_rd_cred() function in releases prior
to krb5-1.3.2. Such applications in the MIT krb5 releases include
the remote login daemons (krshd, klogind, and telnetd) and the FTP
daemon. The krb5_rd_cred() function decrypts and decodes forwarded
Kerberos credentials. Third-party applications calling this
function directly or indirectly (by means of the GSSAPI or other
libraries) are vulnerable.
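
As an added illustration (not code from this note, from MITKRB5-SA-2004-002, or from the MIT krb5 source), the following C program models the ownership mismatch the description above explains: a decoder that frees its own buffer on error, a caller that frees that buffer again, and the corrected caller that does not. The structure name enc_cred_part, the functions decode_enc_part, rd_cred_before_fix and rd_cred_after_fix, the three-byte wire format and the tracking allocator are all constructed for this example; the tracker retains blocks instead of returning them to the heap, so the second free is counted rather than executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator (constructed for this illustration). Blocks are never
 * returned to the real heap, so a second "free" of the same pointer is
 * counted instead of corrupting allocator metadata. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];       /* blocks currently owned by a caller */
static int double_free_count;      /* frees of a block that was not live */

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                       /* tracker full: report allocation failure */
    return NULL;
}

static void tracked_free(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; return; }   /* retained, not freed */
    double_free_count++;           /* this block was already released */
}

/* Constructed stand-in for the decoded EncKrbCredPart structure. */
typedef struct {
    int nonce;
    char *ticket_info;             /* owned by the structure */
} enc_cred_part;

static void free_enc_part(enc_cred_part *p)
{
    if (!p)
        return;
    tracked_free(p->ticket_info);
    tracked_free(p);
}

/* Hypothetical decoder with the contract the advisory describes: on a
 * decoding error it frees its own partial result before returning. The
 * hazard is that *out was already filled in and is left dangling. */
static int decode_enc_part(const unsigned char *buf, size_t len, enc_cred_part **out)
{
    enc_cred_part *p = tracked_alloc(sizeof *p);
    if (!p)
        return -1;
    *out = p;
    /* Constructed wire format: SEQUENCE tag 0x30, one-byte length, one-byte nonce. */
    if (len != 3 || buf[0] != 0x30 || buf[1] != 1) {
        free_enc_part(p);          /* decoder cleans up after itself ... */
        return -2;                 /* ... but the caller still holds *out */
    }
    p->nonce = buf[2];
    p->ticket_info = tracked_alloc(16);
    if (!p->ticket_info) {
        free_enc_part(p);
        return -1;
    }
    strcpy(p->ticket_info, "constructed");
    return 0;
}

/* Pre-krb5-1.3.2 pattern: the caller frees the decoder's buffer on error
 * as well. Returns how many double frees the tracker observed. */
static int rd_cred_before_fix(const unsigned char *msg, size_t len)
{
    enc_cred_part *part = NULL;
    double_free_count = 0;
    if (decode_enc_part(msg, len, &part) != 0) {
        free_enc_part(part);       /* BUG: the decoder already released this */
        return double_free_count;
    }
    free_enc_part(part);           /* success path: the caller owns the result */
    return double_free_count;
}

/* krb5-1.3.2 pattern: on decoder error the caller owns nothing and frees nothing. */
static int rd_cred_after_fix(const unsigned char *msg, size_t len)
{
    enc_cred_part *part = NULL;
    double_free_count = 0;
    if (decode_enc_part(msg, len, &part) != 0)
        return double_free_count;  /* decoder cleaned up; nothing to free */
    free_enc_part(part);
    return double_free_count;
}

/* Constructed sample messages: one well-formed, one with the wrong tag. */
static const unsigned char good_msg[] = { 0x30, 0x01, 0x2a };
static const unsigned char bad_msg[]  = { 0x04, 0x01, 0x2a };

int main(void)
{
    printf("before fix, malformed input: %d double free(s)\n",
           rd_cred_before_fix(bad_msg, sizeof bad_msg));
    printf("after fix,  malformed input: %d double free(s)\n",
           rd_cred_after_fix(bad_msg, sizeof bad_msg));
    printf("after fix,  valid input:     %d double free(s)\n",
           rd_cred_after_fix(good_msg, sizeof good_msg));
    return 0;
}
```

Compile with any C99 compiler and run: the malformed message produces one recorded double free under the old caller pattern and none under the fixed one. On a real build the same observation is what an AddressSanitizer double-free report gives you; the durable fix is a single, documented ownership rule for decoder outputs on error, either the decoder frees and nulls the output or it never frees what it has already handed back.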


Impact

A remote, authenticated attacker could execute arbitrary code on a vulnerable Kerberos application server or cause a denial of service.


Solution

Apply a patch

Apply the appropriate patch(es) referenced in MITKRB5-SA-2004-002 or specified by your vendor. Note that this vulnerability does not exist in krb5-1.3.2 and later.

Upgrade

According to MITKRB5-SA-2004-002, “The upcoming krb5-1.3.5 release will contain fixes for these problems.”


Restrict access

Depending on network architecture and application requirements, it may be practical to restrict access to Kerberos application servers from untrusted networks such as the Internet. While this will help to limit the source of attacks, it will not prevent attacks from trusted hosts or networks or attackers who can successfully spoof their source addresses.


Vendor Information


Cisco Systems Inc.: Affected
Notified: July 21, 2004  Updated: September 03, 2004
Vendor Statement: We have not received a statement from the vendor.
Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.
Addendum: Please see Cisco Security Advisory: Vulnerabilities in Kerberos 5 Implementation (Document ID: 61720).

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23866472 Feedback>).

MIT Kerberos Development Team: Affected
Updated: September 02, 2004
Vendor Statement: We have not received a statement from the vendor.
Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.
Addendum: Please see MITKRB5-SA-2004-002.

CyberSafe: Not Affected
Updated: September 02, 2004
Vendor Statement: The CyberSafe products listed below are not vulnerable.

* CyberSafe Challenger 5.2.8 (this is the same code used within CISCO IOS)
* TrustBroker 2.0, 2.1
* ActiveTRUST 3.0, 4.0
* TrustBroker Application Security SDK & Runtime Library 3.1.0
* TrustBroker Secure Client 4.1

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.
Addendum: The CERT/CC has no additional comments at this time.

Status Unknown (Notified: July 21, 2004  Updated: September 03, 2004). For each of the following vendors, no statement was received, the vendor provided no further information regarding this vulnerability, and the CERT/CC has no additional comments at this time:

* Apple Computer Inc.
* Conectiva
* Cray Inc.
* Debian
* EMC Corporation
* F-Secure
* FreeBSD
* Fujitsu
* Guardian Digital Inc.
* Heimdal Kerberos Project
* Hewlett-Packard Company
* Hitachi
* IBM
* Ingrian Networks
* Juniper Networks
* KTH Kerberos
* MandrakeSoft
* Microsoft Corporation
* MontaVista Software
* NEC Corporation
* Wirex

24 vendors in total.


Acknowledgements

Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-002 acknowledges Joseph Galbraith and John Hawkinson.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2004-0643
Severity Metric: 10.96
Date Public:
