Vigil@nce: Solaris, denial of service of KDC
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An unauthenticated attacker who can access the master Key
Distribution Center can create a denial of service on slaves.
Gravity: 2/4
Consequences: denial of service of service
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 17/03/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The Kerberos system uses a KDC (Key Distribution Center) to manage
keys. The Solaris KDC service can be split between a master KDC and
slave KDCs.
Slaves are synchronized with incremental propagation requests, via
the kpropd daemon, implemented in the usr/src/cmd/krb5/slave/kpropd.c
file. However, kpropd waits indefinitely for the end of the
synchronization. An attacker can therefore stay connected to the
master, to disrupt the replication, and force kpropd to wait.
An unauthenticated attacker who can access the master Key
Distribution Center can thus prevent slaves from synchronizing.
CHARACTERISTICS
Identifiers: 249926, 6746597, BID-34139, CVE-2009-0923,
VIGILANCE-VUL-8540
http://vigilance.fr/vulnerability/Solaris-denial-of-service-of-KDC-8540