Vigil@nce - MIT krb5: denial of service via TGS
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can send a special TGS query to MIT
krb5, in order to dereference a NULL pointer, which leads to a
denial of service.
– Impacted products: Fedora, MBS, MES, MIT krb5, RHEL
– Severity: 2/4
– Creation date: 17/04/2013
DESCRIPTION OF THE VULNERABILITY
During a Kerberos exchange, the client requests a ticket for the
TGS (Ticket Granting Service) to the KDC (Key Distribution Center).
The prep_reprocess_req() function of the src/kdc/do_tgs_req.c file
analyzes TGS queries. However, if the user, who already has a
ticket, sends a new request with an empty Principal Name, a NULL
pointer is dereferenced in prep_reprocess_req().
An authenticated attacker can therefore send a special TGS query
to MIT krb5, in order to dereference a NULL pointer, which leads
to a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MIT-krb5-denial-of-service-via-TGS-12685