MIT KDC vulnerable to double-free when PKINIT enabled

Overview

The KDC in releases krb5-1.7 and later are vulnerable to a double-free vulnerability if they are configured to respond to PKINIT requests.

Description

The MIT krb5 Security Advisory 2011-003 states:

“The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult).”

---

Impact

An unauthenticated remote attacker can induce a double-free event, causing the KDC daemon to crash (denial of service), or to execute arbitrary code.

---

Solution

Apply a Patch
Upcoming releases in the krb5-1.7, krb5-1.8, and krb5-1.9 series will contain fixes. In the meantime, apply the following patch:`

``diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 46b5fa1…464cb6e 100644

• — a/src/kdc/do_as_req.c
  +++ b/src/kdc/do_as_req.c
  @@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
  pad->contents = td[size]->data;
  pad->length = td[size]->length;
  pa[size] = pad;

• td[size]->data = NULL;
• td[size]->length = 0;
  }
  krb5_free_typed_data(kdc_context, td);
  }``
  `

---

Vendor Information

943220

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

MIT Kerberos Development Team Affected

Notified: March 15, 2011 Updated: March 09, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Affected

Updated: March 29, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://rhn.redhat.com/errata/RHSA-2011-0356.html&gt;

Ubuntu Affected

Updated: March 29, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.ubuntu.com/usn/usn-1088-1&gt;

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt&gt;
• <http://web.mit.edu/kerberos/advisories/2011-003-patch.txt&gt;
• <http://web.mit.edu/kerberos/advisories/2011-003-patch.txt.asc&gt;

Acknowledgements

This issue was discovered by Cameron Meadors of Red Hat.

This document was written by Jared Allar.

Other Information

CVE IDs:	CVE-2011-0284
Date Public:	2011-03-15 Date First Published: