Vigil@nce: MIT Kerberos, denial of service via SPNEGO
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can use a SPNEGO authentication in order to stop MIT
Kerberos.
Severity: 2/4
Consequences: denial of service
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 26/03/2009
IMPACTED PRODUCTS
– Mandriva Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The SPNEGO (Simple and Protected GSSAPI NEGOtiation Mechanism, RFC
4178) mechanism is used to negotiate an authentication protocol.
The MIT Kerberos server implements SPNEGO.
Two token types are defined: NegTokenInit and NegTokenResp. The
NegTokenInit token contains a bit field named ContextFlags.
When the Kerberos client sends a NegTokenInit with an invalid
ContextFlags value, a NULL pointer is dereferenced in the
spnego_gss_accept_sec_context() function of the
lib/gssapi/spnego/spnego_mech.c file. This error stops the MIT
Kerberos server.
An attacker can therefore use a malicious SPNEGO authentication in
order to stop MIT Kerberos.
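To illustrate the kind of input validation that keeps an acceptor from acting on a missing or malformed ContextFlags value, here is an added example in C; it is not MIT Kerberos code. The function name parse_context_flags is hypothetical, the sample encodings are constructed for this example, and the named-bit layout follows RFC 4178. The decoder rejects every malformed DER BIT STRING with an error code instead of handing a half-decoded result to the caller.

```c
#include <stddef.h>
#include <stdio.h>

/* Named bits of the SPNEGO ContextFlags BIT STRING (RFC 4178): bit i of
 * the returned mask corresponds to named bit i. */
enum { CF_DELEG = 0, CF_MUTUAL = 1, CF_REPLAY = 2, CF_SEQUENCE = 3,
       CF_ANON = 4, CF_CONF = 5, CF_INTEG = 6 };

/* Decode a DER BIT STRING (tag 0x03, short-form length) carrying
 * ContextFlags. Returns 0 and fills *out on success, -1 on any malformed
 * input, so the caller never dereferences an uninitialised result. */
int parse_context_flags(const unsigned char *buf, size_t len, unsigned int *out)
{
    size_t content_len, nbits, i;
    unsigned int unused, mask = 0;

    if (buf == NULL || out == NULL || len < 2)
        return -1;
    if (buf[0] != 0x03)                 /* must be a BIT STRING */
        return -1;
    content_len = buf[1];
    if (content_len >= 0x80)            /* long-form length: not expected here */
        return -1;
    if (content_len + 2 > len)          /* element truncated */
        return -1;
    if (content_len == 0)               /* no unused-bits octet at all */
        return -1;
    unused = buf[2];
    if (unused > 7)                     /* unused-bits octet out of range */
        return -1;
    if (content_len == 1 && unused != 0) /* no payload octets but unused > 0 */
        return -1;
    nbits = (content_len - 1) * 8 - unused;
    for (i = 0; i < nbits && i <= CF_INTEG; i++) {
        /* bit i is the (i%8)-th most significant bit of payload octet i/8 */
        if (buf[3 + i / 8] & (0x80u >> (i % 8)))
            mask |= 1u << i;
    }
    *out = mask;
    return 0;
}

/* Constructed sample encodings (not captured from any real client). */
static const unsigned char sample_valid[]      = {0x03, 0x02, 0x01, 0x46}; /* mutual|conf|integ */
static const unsigned char sample_empty[]      = {0x03, 0x00};             /* zero-length string */
static const unsigned char sample_bad_unused[] = {0x03, 0x02, 0x08, 0x00}; /* unused bits = 8 */
static const unsigned char sample_truncated[]  = {0x03, 0x05, 0x01, 0x46}; /* length exceeds data */

int main(void)
{
    unsigned int flags = 0;
    printf("valid: rc=%d flags=0x%02x\n", parse_context_flags(sample_valid, sizeof sample_valid, &flags), flags);
    printf("empty: rc=%d\n", parse_context_flags(sample_empty, sizeof sample_empty, &flags));
    return 0;
}
```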
CHARACTERISTICS
Identifiers: BID-34257, CVE-2009-0845, MDVSA-2009:082,
VIGILANCE-VUL-8568
http://vigilance.fr/vulnerability/MIT-Kerberos-denial-of-service-via-SPNEGO-8568