Vigil@nce: MIT krb5, three denials of service of KDC
February 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use three vulnerabilities in MIT krb5 in order to
stop the KDC service.
– Severity: 2/4
– Creation date: 09/02/2011
IMPACTED PRODUCTS
– Mandriva Enterprise Server
– Mandriva Linux
– MIT krb5
– OpenSUSE
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
Three vulnerabilities were announced in the KDC (Key Distribution
Center) service of MIT krb5.
When the KDC uses an LDAP backend, an attacker can use special
characters, which are escaped with a backslash. However, the LDAP
library rejects these queries, and a loop occurs in the
LDAP_SEARCH_1() macro. [severity:2/4; BID-46265, CVE-2011-0281]
When the KDC uses an LDAP backend, an attacker can use a null
principal name or a name not terminated by '\0', in order to
dereference a NULL pointer or to access an invalid memory area.
[severity:2/4; BID-46271, CVE-2011-0282]
Since version 1.9, an attacker can send a malformed request so that
the KDC does not produce a reply. However, as there is no reply, the
dispatch() function in the src/kdc/dispatch.c file dereferences a
NULL pointer. [severity:2/4; BID-46272, CVE-2011-0283]
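The three defect classes above (a retry loop that never gives up on a permanent backend error, an unvalidated principal name, and a reply pointer used without a NULL check) are illustrated below with the check that prevents each crash or hang. This is an added example written for this bulletin, not MIT krb5 code: every function, type and result code in it is constructed and hypothetical, and the "backend" and "request processing" stand-ins only model the behaviour the bulletin describes.

```c
/* Added illustration, not MIT krb5 code. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- 1. Bounded retry that stops on permanent backend errors ------------- */

/* Constructed stand-in for a directory library result code. */
enum backend_rc { BACKEND_OK = 0, BACKEND_UNAVAILABLE = 1, BACKEND_REJECTED = 2 };

/* Constructed stand-in for a search call: filters containing a backslash
 * escape are rejected outright (permanent); otherwise the first attempt sees
 * the server down (transient) and the second succeeds. */
static enum backend_rc fake_backend_search(const char *filter, int attempt)
{
    if (strchr(filter, '\\') != NULL)
        return BACKEND_REJECTED;
    return attempt == 0 ? BACKEND_UNAVAILABLE : BACKEND_OK;
}

/* Returns the number of attempts used on success, or -1 when the backend
 * rejected the query or the retry budget ran out. A loop that retries on
 * every non-success code would spin forever on a rejected filter. */
int search_with_bounded_retry(const char *filter, int max_attempts)
{
    for (int attempt = 0; attempt < max_attempts; attempt++) {
        enum backend_rc rc = fake_backend_search(filter, attempt);
        if (rc == BACKEND_OK)
            return attempt + 1;
        if (rc != BACKEND_UNAVAILABLE)
            return -1;                 /* permanent error: do not retry */
        /* transient error: fall through and try again */
    }
    return -1;                         /* budget exhausted */
}

/* --- 2. Validate a principal name before touching it -------------------- */

/* Returns 1 if name is non-NULL, non-empty and NUL-terminated within cap
 * bytes; 0 otherwise. Scanning only up to cap avoids reading past a buffer
 * that has no terminator. */
int principal_name_is_valid(const char *name, size_t cap)
{
    if (name == NULL)
        return 0;
    for (size_t i = 0; i < cap; i++)
        if (name[i] == '\0')
            return i > 0 ? 1 : 0;      /* reject the empty name too */
    return 0;                          /* no terminator inside cap */
}

/* --- 3. Never dereference a missing reply ------------------------------- */

struct kdc_reply { size_t length; const char *data; };

/* Constructed stand-in for request processing: only requests starting with
 * 'A' yield a reply; anything else (including NULL) produces none. */
static const struct kdc_reply *process_request(const char *req)
{
    static const struct kdc_reply ok = { 2, "OK" };
    return (req != NULL && req[0] == 'A') ? &ok : NULL;
}

/* Returns the reply length, or 0 when there is nothing to send. The
 * unchecked form, reply->length, would crash on the NULL case. */
size_t dispatch_checked(const char *req)
{
    const struct kdc_reply *reply = process_request(req);
    if (reply == NULL)
        return 0;                      /* drop the request, keep serving */
    return reply->length;
}

int main(void)
{
    printf("plain filter: %d attempts\n", search_with_bounded_retry("cn=alice", 3));
    printf("escaped filter: %d\n", search_with_bounded_retry("cn=ali\\2cce", 3));
    printf("NULL name valid: %d\n", principal_name_is_valid(NULL, 8));
    printf("unterminated name valid: %d\n", principal_name_is_valid("abcd", 4));
    printf("malformed request reply length: %zu\n", dispatch_checked("garbage"));
    return 0;
}
```

The common thread is that each handler classifies its input or result before acting on it: transient versus permanent errors, well-formed versus missing or unterminated names, and present versus absent replies.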
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MIT-krb5-three-denials-of-service-of-KDC-10358