exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MIT krb5 Security Advisory 2011-003

MIT krb5 Security Advisory 2011-003
Posted Mar 16, 2011
Site web.mit.edu

MIT krb5 Security Advisory 2011-003 - The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult).

tags | advisory, arbitrary, code execution
advisories | CVE-2011-0284
SHA-256 | b0ca25ea27a1f31338f24d60a05c7d8d56f653b8316aaf2ac49d655c3abd9ae7

MIT krb5 Security Advisory 2011-003

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-003

MIT krb5 Security Advisory 2011-003
Original release: 2011-03-15
Last update: 2011-03-15

Topic: KDC vulnerable to double-free when PKINIT enabled

CVE-2011-0284

CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 9.3

Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

CVSSv2 Temporal Score: 7.3

Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY
=======

The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable
to a double-free condition if the Public Key Cryptography for Initial
Authentication (PKINIT) capability is enabled, resulting in daemon
crash or arbitrary code execution (which is believed to be difficult).

IMPACT
======

An unauthenticated remote attacker can induce a double-free event,
causing the KDC daemon to crash (denial of service), or to execute
arbitrary code. Exploiting a double-free event to execute arbitrary
code is believed to be difficult.

AFFECTED SOFTWARE
=================

The KDC in releases krb5-1.7 and later are vulnerable, if they are
configured to respond to PKINIT requests. Earlier releases did not
contain the vulnerable code. Additionally, third-party
preauthentication plugins that generate TYPED-DATA in the e-data field
of a KRB-ERROR message may be vulnerable.

FIXES
=====

* Upcoming releases in the krb5-1.7, krb5-1.8, and krb5-1.9 series
will contain fixes.

* Apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 46b5fa1..464cb6e 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
pad->contents = td[size]->data;
pad->length = td[size]->length;
pa[size] = pad;
+ td[size]->data = NULL;
+ td[size]->length = 0;
}
krb5_free_typed_data(kdc_context, td);
}

This patch is also available at

https://web.mit.edu/kerberos/advisories/2011-003-patch.txt

A PGP-signed patch is available at

https://web.mit.edu/kerberos/advisories/2011-003-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

https://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

https://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

https://web.mit.edu/kerberos/index.html

CVSSv2:

https://www.first.org/cvss/cvss-guide.html
https://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2011-0284
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0284

ACKNOWLEDGMENTS
===============

This issue was discovered by Cameron Meadors of Red Hat.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

In do_as_req.c, the function perpare_error_as() attempts to decode the
e_data field both as preauth data and as typed data. If the e_data
contents are typed data, they are converted to preauth data. This
conversion can free pointers to the typed data items, and free them
again when cleaning up the preauth data during function exit.

REVISION HISTORY
================

2011-03-15 original release

Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk1/qSUACgkQSO8fWy4vZo7g3gCfTiJoaxuB3yVIGKOkttvFJg2z
J2wAoPuSZ56AJ1ugZP0YzObbWVq4cWRt
=BJJb
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close