MIT Kerberos 5 ASN.1 Decoder DoS

2004-08-31T00:00:00
ID OSVDB:9406
Type osvdb
Reporter OSVDB
Modified 2004-08-31T00:00:00

Description

Vulnerability Description

The MIT Kerberos 5 distribution contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker impersonating a legitimate Key Distribution Center (KDC) or application server sends a specially crafted BER encoding to a client program; the client's ASN.1 decoder hangs inside an infinite loop, resulting in a loss of availability of the service.

Solution Description

Upgrade to version krb5-1.3.5 or higher, which has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

References:

Vendor Specific Solution URL: http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt
Security Tracker: 1011107
Secunia Advisory ID: 12408
Secunia Advisory ID: 12412
Secunia Advisory ID: 12503
Secunia Advisory ID: 12414
Secunia Advisory ID: 12413
Secunia Advisory ID: 12411
Secunia Advisory ID: 12410
Secunia Advisory ID: 13612
Other Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000860
Other Advisory URL: http://rhn.redhat.com/errata/RHSA-2004-350.html
Other Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:088
Other Advisory URL: http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml
Other Advisory URL: http://www.debian.org/security/2004/dsa-543
CVE: CVE-2004-0644