Vigil@nce - MIT krb5: denial of service via kpasswd
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send a UDP packet to the kpasswd service of MIT
krb5 kadmind, in order to trigger a denial of service.
– Impacted products: Fedora, MBS, MES, MIT krb5
– Severity: 2/4
– Creation date: 14/05/2013
DESCRIPTION OF THE VULNERABILITY
The kpasswd service of MIT krb5 kadmind listens on port 464/udp,
so users can change their passwords.
When kpasswd receives an invalid query, it returns a UDP error
packet to the sender. However, the service does not check whether
the incoming query is itself an error message. An attacker can thus
send a packet to a kpasswd service, spoofing the source IP address
so that it appears to come from another kpasswd service. The two
services will then exchange error messages indefinitely.
An attacker can therefore send a UDP packet to the kpasswd
service of MIT krb5 kadmind, in order to trigger a denial of
service.
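The following is an added model of the reply loop described above and of the check that breaks it; it is not code from the bulletin or from MIT krb5. It uses the RFC 3244 framing of kpasswd messages (2-byte length, 2-byte version, 2-byte AP length, then the body), in which an error reply carries an AP length of zero followed by a KRB-ERROR. The service class, the simulation helper and the KRB-ERROR placeholder bytes are constructed for the illustration; a real server would authenticate the AP-REQ and KRB-PRIV, which this model skips.

```python
"""Model of the kpasswd (RFC 3244) error-reply loop and the check that stops it.
Added illustration, not MIT krb5 code."""
import struct

KPASSWD_VERSIONS = (0x0001, 0xFF80)   # RFC 3244 protocol versions (0xff80 is the older one)

# Constructed stand-in for a DER-encoded KRB-ERROR; the real message is ASN.1.
FAKE_KRB_ERROR = b"KRB-ERROR(constructed)"


def parse_kpasswd_header(packet):
    """Parse the RFC 3244 framing: length(2) | version(2) | AP length(2) | body.
    Returns (version, ap_len, body), or None if the framing is inconsistent."""
    if len(packet) < 6:
        return None
    msg_len, version, ap_len = struct.unpack("!HHH", packet[:6])
    if msg_len != len(packet) or version not in KPASSWD_VERSIONS:
        return None
    body = packet[6:]
    if ap_len > len(body):
        return None
    return version, ap_len, body


def is_error_reply(packet):
    """RFC 3244: a reply whose AP length is zero carries a KRB-ERROR instead of
    an AP-REP/KRB-PRIV pair. Every packet in the described loop has this shape."""
    hdr = parse_kpasswd_header(packet)
    return hdr is not None and hdr[1] == 0


def build_error_reply(krb_error=FAKE_KRB_ERROR):
    """Frame a KRB-ERROR as a kpasswd error reply (AP length = 0)."""
    body = struct.pack("!HH", 0x0001, 0) + krb_error
    return struct.pack("!H", 2 + len(body)) + body


class KpasswdService:
    """Models only the reply decision of a kpasswd listener on 464/udp."""

    def __init__(self, name, drop_error_replies):
        self.name = name
        self.drop_error_replies = drop_error_replies  # True = fixed behaviour

    def handle(self, packet):
        """Return the reply bytes, or None when the service stays silent."""
        hdr = parse_kpasswd_header(packet)
        if hdr is not None and hdr[1] == 0:
            # The incoming packet is itself an error reply.
            if self.drop_error_replies:
                return None                 # fixed: never answer an error with an error
            return build_error_reply()      # vulnerable: treat it as one more invalid query
        # Anything else: a real server would verify the AP-REQ/KRB-PRIV here; this
        # model treats every other packet as an invalid query and answers with an error.
        return build_error_reply()


def simulate_exchange(svc_a, svc_b, spoofed_packet, max_hops=50):
    """An attacker delivers spoofed_packet to svc_a with svc_b's address as source.
    Returns the number of packets the two services send each other before one
    falls silent (capped at max_hops, which signals an unbounded loop)."""
    hops = 0
    receiver, other = svc_a, svc_b
    packet = spoofed_packet
    while packet is not None and hops < max_hops:
        packet = receiver.handle(packet)
        if packet is not None:
            hops += 1
        receiver, other = other, receiver
    return hops


if __name__ == "__main__":
    junk = b"not a kpasswd request"   # constructed invalid query
    vulnerable = simulate_exchange(KpasswdService("A", False), KpasswdService("B", False), junk)
    fixed = simulate_exchange(KpasswdService("A", True), KpasswdService("B", True), junk)
    print(f"both vulnerable: {vulnerable} packets (hit the cap)")
    print(f"both fixed:      {fixed} packet(s)")
```

The model shows why the check must live on the receiving side: with two unpatched services a single spoofed datagram yields an exchange bounded only by the cap, while a service that refuses to answer error replies ends the exchange after at most one reply from its peer. The same zero-AP-length test is what a network sensor can use to flag a burst of error replies flowing between two KDCs on 464/udp.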
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MIT-krb5-denial-of-service-via-kpasswd-12791