Vigil@nce: MIT krb5, denial of service of KDC
January 2010 by Vigil@nce
An attacker can send a query for another realm, in order to stop
MIT krb5.
– Severity: 2/4
– Consequences: denial of service of service
– Provenance: intranet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 29/12/2009
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
MIT krb5 implements the draft-ietf-krb-wg-kerberos-referrals-11
draft, which is used by a KDC (Key Distribution Center) to handle
queries for another realm. This feature is disabled with the
"no_host_referral=*" configuration directive.
The prep_reprocess_req() function of the src/kdc/do_tgs_req.c file
uses kdc_err() if the other realm cannot be found. However, the
error message is replaced by zero (NULL pointer). A NULL pointer
is thus dereferenced in klog_com_err_proc() of the
src/lib/kadm5/logger.c file.
An attacker can therefore send a query for another non existing
realm, in order to stop MIT krb5.
CHARACTERISTICS
– Identifiers: BID-37486, CVE-2009-3295, MITKRB5-SA-2009-003,
VIGILANCE-VUL-9315
– Url: http://vigilance.fr/vulnerability/MIT-krb5-denial-of-service-of-KDC-9315