MITKRB5-SA-2010-002 denial of service in SPNEGO [CVE-2010-0628 VU#839413]

2010-03-25T00:00:00
ID SECURITYVULNS:DOC:23453
Type securityvulns
Reporter Securityvulns
Modified 2010-03-25T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

MITKRB5-SA-2010-002

MIT krb5 Security Advisory 2010-002 Original release: 2010-03-23 Last update: 2010-03-23

Topic: denial of service in SPNEGO

CVE-2010-0628 VU#839413 denial of service in SPNEGO

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 7.8

Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete

CVSSv2 Temporal Score: 6.1

Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed

SUMMARY

In MIT krb5 releases krb5-1.7 and later, the SPNEGO GSS-API mechanism can experience an assertion failure when receiving certain invalid messages. This can cause a GSS-API application to crash.

This is an implementation vulnerability in MIT krb5, and not a vulnerability in the Kerberos protocol.

IMPACT

An unauthenticated remote attacker could cause a GSS-API application, including the Kerberos administration daemon (kadmind) to crash.

AFFECTED SOFTWARE

  • kadmind in MIT releases krb5-1.7 and later

  • FTP daemon in MIT releases krb5-1.7 and later

  • Third-party software using the GSS-API library from MIT krb5 releases krb5-1.7 and later

  • MIT releases prior to krb5-1.7 did not contain the vulnerable code.

FIXES

  • The upcoming krb5-1.7.2 and krb5-1.8.1 releases will contain fixes for this vulnerability.

  • Apply the patch available at

http://web.mit.edu/kerberos/advisories/2010-002-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2010-002-patch.txt.asc

REFERENCES

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-0628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0628

CERT: VU#839413 http://www.kb.cert.org/vuls/id/839413

ACKNOWLEDGMENTS

Thanks to Nalin Dahyabhai, Jan iankko Lieskovsky, and Zbysek Mraz (all from Red Hat) for discovering and reporting this vulnerability.

CONTACT

The MIT Kerberos Team security contact address is <krbcore-security@mit.edu>. When sending sensitive information, please PGP-encrypt it using the following key:

pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01] uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS

A patch to fix CVE-2009-0845 interacted poorly with new functionality introduced in krb5-1.7. This allowed an error condition to occur where receiving an invalid packet could cause an assertion failure, crashing the program and causing denial of service.

When the spnego_gss_accept_sec_context() function (in src/lib/gssapi/spnego/spnego_mech.c) receives an invalid packet during the beginning of a GSS-API protocol exchange, it can set some internal state that tells it to send an error token without first creating a context handle, but some subsequently executed code contains a call to assert() that requires that the context handle be non-null.

REVISION HISTORY

2010-03-23 original release

Copyright (C) 2010 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAkupAZsACgkQSO8fWy4vZo4ETACgn9xRUl3CTCiRd2vF1PBOaQ8b EfUAoPz32NUU/mk+H8kej8fWQFo3iwcZ =LHMP -----END PGP SIGNATURE-----