Vigil@nce: MIT krb5, denial of service via handle_tgt_authdata
February 2010 by Vigil@nce
An unauthenticated attacker can send a malformed Kerberos message
to the KDC of MIT krb5, in order to stop it.
– Severity: 2/4
– Consequences: denial of service of service
– Provenance: intranet server
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 17/02/2010
IMPACTED PRODUCTS
– Fedora
– OpenSUSE
– SUSE Linux Enterprise Server
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The KDC of MIT krb5 manages Kerberos TGT requests from computers.
The handle_tgt_authdata() function manages the authentication of
TGT. Since version 1.7 of MIT krb5, this function checks the
format of received messages, and quits with an assertion error if
the message is malformed.
An attacker can thus send a message with an invalid type (neither
KRB5_AS_REQ, nor KRB5_TGS_REQ), in order to generate this
assertion error, which stops the KDC.
An unauthenticated attacker can therefore send a malformed
Kerberos message to the KDC of MIT krb5, in order to stop it.
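The failure mode described above, as an added example that is not MIT krb5 code and not part of the original advisory: a small C model in which the message-type check is written first as an assertion and then as an error return, with a fork-based harness showing that only the assertion terminates the process. All function names and the error code are hypothetical; the type values 10 and 12 are the AS-REQ and TGS-REQ numbers from RFC 4120.

```c
#undef NDEBUG                    /* keep assert() active, as in a default build */
#include <assert.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Message type numbers from RFC 4120; the names are local to this example. */
enum { MSG_AS_REQ = 10, MSG_TGS_REQ = 12 };
#define ERR_BAD_MSG_TYPE (-1)    /* hypothetical error code */

/* Pattern described in the advisory: an unexpected type trips an assertion. */
static int authdata_asserting(int msg_type)
{
    assert(msg_type == MSG_AS_REQ || msg_type == MSG_TGS_REQ);
    return 0;
}

/* Hardened form: the same check rejects the request and the server keeps running. */
static int authdata_checked(int msg_type)
{
    if (msg_type != MSG_AS_REQ && msg_type != MSG_TGS_REQ)
        return ERR_BAD_MSG_TYPE;
    return 0;
}

/* Run handler(msg_type) in a child; return 1 if the child died from SIGABRT. */
static int aborts_process(int (*handler)(int), int msg_type)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {              /* child stands in for the server process */
        handler(msg_type);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGABRT;
}

int main(void)
{
    int bogus = 99;              /* constructed value, neither AS-REQ nor TGS-REQ */
    printf("asserting handler aborts: %d\n", aborts_process(authdata_asserting, bogus));
    printf("checked handler aborts:   %d\n", aborts_process(authdata_checked, bogus));
    printf("checked handler returns:  %d\n", authdata_checked(bogus));
    return 0;
}
```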
CHARACTERISTICS
– Identifiers: BID-38260, CVE-2010-0283, FEDORA-2010-1722,
MITKRB5-SA-2010-001, SUSE-SR:2010:005, VIGILANCE-VUL-9455
– Url: http://vigilance.fr/vulnerability/MIT-krb5-denial-of-service-via-handle-tgt-authdata-9455