Vigil@nce: MIT krb5, denial of service via handle_tgt_authdata
February 2010 by Vigil@nce
An unauthenticated attacker can send a malformed Kerberos message to the KDC of MIT krb5, in order to stop it.
Consequences: denial of service of service
Provenance: intranet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 17/02/2010
SUSE Linux Enterprise Server
Unix - platform
DESCRIPTION OF THE VULNERABILITY
The KDC of MIT krb5 manages Kerberos TGT requests from computers.
The handle_tgt_authdata() function manages the authentication of TGT. Since version 1.7 of MIT krb5, this function checks the format of received messages, and quits with an assertion error if the message is malformed.
An attacker can thus send a message with an invalid type (neither KRB5_AS_REQ, nor KRB5_TGS_REQ), in order to generate this assertion error, which stops the KDC.
An unauthenticated attacker can therefore send a malformed Kerberos message to the KDC of MIT krb5, in order to stop it.
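The failure mode described above, modeled as an added example (not code from MIT krb5 or from this bulletin, and not the vendor's patch): an assertion on a network-supplied message type aborts the whole process, while an explicit check fails only the one request. The function names and the value 99 are hypothetical; 10 and 12 are the AS-REQ and TGS-REQ message types from RFC 4120.

```c
#include <assert.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* RFC 4120 msg-type values; every name in this file is hypothetical. */
enum { MSG_AS_REQ = 10, MSG_TGS_REQ = 12 };
enum { AUTHDATA_OK = 0, AUTHDATA_BAD_MSGTYPE = -1 };

/* Weak form: an assertion guards a value that came from the network. */
static int authdata_asserting(int msg_type) {
    assert(msg_type == MSG_AS_REQ || msg_type == MSG_TGS_REQ);
    return AUTHDATA_OK;
}

/* Hardened form: an unexpected type is a per-request error, not a crash. */
static int authdata_checked(int msg_type) {
    if (msg_type != MSG_AS_REQ && msg_type != MSG_TGS_REQ)
        return AUTHDATA_BAD_MSGTYPE;
    return AUTHDATA_OK;
}

/* Run a handler in a child process so the caller survives; return the
 * signal that killed the child, 0 if it exited normally, -1 on error. */
static int fatal_signal(int (*handler)(int), int msg_type) {
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        handler(msg_type);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    int bad = 99; /* constructed: a type the handler does not expect */
    printf("asserting handler: signal %d\n", fatal_signal(authdata_asserting, bad));
    printf("checked handler: returned %d\n", authdata_checked(bad));
    return 0;
}
```

In a single-process daemon the abort in the first form ends service for every client, which is why checks on untrusted input belong in error paths rather than in assertions.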
Identifiers: BID-38260, CVE-2010-0283, FEDORA-2010-1722, MITKRB5-SA-2010-001, SUSE-SR:2010:005, VIGILANCE-VUL-9455