Vigil@nce - MIT krb5 : use after free via SPNEGO init_ctx_reselect

September 2014 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can use a freed memory area in SPNEGO
init_ctx_reselect() of MIT krb5, in order to trigger a denial of
service, and possibly to execute code.

Impacted products : BIG-IP Appliance, Fedora, AIX, MIT krb5,
openSUSE, Ubuntu

Severity : 2/4

Creation date : 28/08/2014

DESCRIPTION OF THE VULNERABILITY

During a Kerberos authentication, in the protocol step named
SPNEGO, the client sends a packet with its identity, typically a
username.

However, a man-in-the-middle attacker can trigger a double memory
free in the init_ctx_reselect() function of the
lib/gssapi/spnego/spnego_mech.c file.

An attacker can therefore use a freed memory area in SPNEGO
init_ctx_reselect() of MIT krb5, in order to trigger a denial of
service, and possibly to execute code.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/MIT-krb5-use-after-free-via-SPNEGO-init-ctx-reselect-15241

