Vigil@nce - MIT krb5: denial of service of KDC via PKINIT
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An unauthenticated attacker can send malformed packets to MIT
krb5, in order to stop the KDC.
Impacted products: MIT krb5
Severity: 2/4
Creation date: 22/02/2013
DESCRIPTION OF THE VULNERABILITY
The PKINIT (Public Key Cryptography for Initial Authentication)
protocol allows the usage of an X.509 certificate or of a smart
card, instead of a password. The PKINIT extension is enabled when
the kdc.conf/krb5.conf configuration file contains pkinit_identity
and pkinit_anchors.
The pkinit_check_kdc_pkid() function of the
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c file calls
d2i_PKCS7_ISSUER_AND_SERIAL() to obtain the "issuer" and "serial"
fields. If these fields are malformed, d2i_PKCS7_ISSUER_AND_SERIAL()
returns NULL. However, this error case is not handled, so the
function dereferences a NULL pointer.
An unauthenticated attacker can therefore send malformed packets
to MIT krb5, in order to stop the KDC.
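The following C program is an added illustration of the defect pattern described above and is not code from MIT krb5: the real pkinit_check_kdc_pkid() calls OpenSSL's d2i_PKCS7_ISSUER_AND_SERIAL(), which is modelled here by a constructed decoder for a toy [issuer_len][issuer][serial_len][serial] byte format, and the "fixed" variant shows the NULL check a defender expects (it is the generic hardening, not the project's actual patch).

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for PKCS7_ISSUER_AND_SERIAL (not the OpenSSL type). */
typedef struct {
    char issuer[32];
    unsigned char serial[16];
    size_t serial_len;
} issuer_and_serial;

/* Toy decoder for [issuer_len][issuer bytes][serial_len][serial bytes].
 * Like the OpenSSL d2i_* functions, it returns NULL on malformed input. */
issuer_and_serial *decode_issuer_and_serial(const unsigned char *p, size_t len)
{
    if (p == NULL || len < 1) return NULL;
    size_t ilen = p[0];
    if (ilen == 0 || ilen >= 32 || 1 + ilen + 1 > len) return NULL;
    size_t slen = p[1 + ilen];
    if (slen == 0 || slen > 16 || 1 + ilen + 1 + slen != len) return NULL;
    issuer_and_serial *is = calloc(1, sizeof *is);
    if (is == NULL) return NULL;
    memcpy(is->issuer, p + 1, ilen);          /* issuer is NUL-terminated by calloc */
    memcpy(is->serial, p + 2 + ilen, slen);
    is->serial_len = slen;
    return is;
}

/* Vulnerable pattern (the bug class in the bulletin): the decode result is
 * used without a NULL check, so one malformed packet crashes the KDC. */
int check_kdc_pkid_vulnerable(const unsigned char *p, size_t len, const char *expected)
{
    issuer_and_serial *is = decode_issuer_and_serial(p, len);
    int match = strcmp(is->issuer, expected) == 0;   /* NULL dereference on malformed input */
    free(is);
    return match;
}

/* Hardened form: a NULL decode result is reported as an error (-1) so the
 * request is rejected instead of taking the KDC down. Returns 1 on match, 0 otherwise. */
int check_kdc_pkid_fixed(const unsigned char *p, size_t len, const char *expected)
{
    issuer_and_serial *is = decode_issuer_and_serial(p, len);
    if (is == NULL)
        return -1;                                   /* malformed issuer/serial: reject, do not crash */
    int match = strcmp(is->issuer, expected) == 0;
    free(is);
    return match;
}
```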
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MIT-krb5-denial-of-service-of-KDC-via-PKINIT-12446