MITKRB5-SA-2010-003 [CVE-2010-0629] denial of service in kadmind in older krb5 releases

2010-04-07T00:00:00
ID SECURITYVULNS:DOC:23580
Type securityvulns
Reporter Securityvulns
Modified 2010-04-07T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

MITKRB5-SA-2010-003

MIT krb5 Security Advisory 2010-003 Original release: 2010-04-06 Last update: 2010-04-06

Topic: denial of service in kadmind in older krb5 releases

CVE-2010-0629 denial of service in kadmind in older krb5 releases

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 6.8

Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete

CVSSv2 Temporal Score: 5.3

Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed

SUMMARY

In previous MIT krb5 releases krb5-1.5 through krb5-1.6.3, the Kerberos administration daemon (kadmind) can crash due to referencing freed memory. A legitimate user can trigger this crash by using a newer version of the kadmin protocol than the server supports.

This is an implementation vulnerability in MIT krb5, and not a vulnerability in the Kerberos protocol. This vulnerability is not present in modern releases of MIT krb5.

IMPACT

An authenticated remote attacker could crash the Kerberos administration daemon (kadmind), causing a denial of service.

AFFECTED SOFTWARE

  • kadmind in MIT releases krb5-1.5 through krb5-1.6.3.

FIXES

  • The krb5-1.7 release already contains a fix for this vulnerability.

  • Apply the patch below. The corresponding SVN revision (r22427) in our source tree contains additional use-after-free bugfixes; we believe that it is impractical for an attacker to induce execution of these sections of code.

Index: src/kadmin/server/server_stubs.c

  • --- src/kadmin/server/server_stubs.c (revision 22426) +++ src/kadmin/server/server_stubs.c (revision 22427) @@ -1628,7 +1628,7 @@ }

    if (ret.code != 0) - - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + errmsg = krb5_get_error_message(NULL, ret.code); else errmsg = "success";

This patch is also available at

http://web.mit.edu/kerberos/advisories/2010-003-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2010-003-patch.txt.asc

REFERENCES

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

This bug has been public for a while at

    http://krbdev.mit.edu/rt/Ticket/Display.html?id=5998

but the security consequence has not been previously widely known. The security consequence was first made public in a limited context in the Debian bug found at

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567052

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-0629 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0629

ACKNOWLEDGMENTS

Thanks to Sol Jerome for reporting the kadmind crash to Debian.

CONTACT

The MIT Kerberos Team security contact address is <krbcore-security@mit.edu>. When sending sensitive information, please PGP-encrypt it using the following key:

pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01] uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS

MIT krb5 bug #5998 contains the earliest description of this bug. Debian bug #567052 (referenced above) contains the first public indication of the security consequence of this bug. Under error conditions, such as receiving an invalid kadmin API version number, the kadmin RPC stub init_2_svc() attempts to call krb5_get_error_message() on a krb5_context handle that is in a previously-freed kadm5_server_handle_t object. This typically results in a read operation on an invalid pointer, causing a crash and denial of service. Releases prior to krb5-1.5 did not use extended error information in this way, and therefore do not include the vulnerable code.

The most likely cause of a crash is a legitimate user running a kadmin client from the krb5-1.8 or newer release, which sends an API version number not recognized by earlier releases.

REVISION HISTORY

2010-04-06 original release

Copyright (C) 2010 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAku7ebMACgkQSO8fWy4vZo6cZwCg+gPn5RIWuKBbdZi0NktOh+pC SNMAnj3SeOel4cx5v9SprM1MRZG/ERCQ =mKjF -----END PGP SIGNATURE-----