MIT krb5 Security Advisory 2011-006

Posted Oct 20, 2011
Site web.mit.edu

MIT krb5 Security Advisory 2011-006 - In releases krb5-1.9 and later, the KDC can crash due to a null pointer dereference if configured to use the LDAP back end. A trigger condition is publicly known but not known to be widely circulated. In releases krb5-1.8 and later, the KDC can crash due to an assertion failure. No exploit is known to exist, but there is public evidence that the unidentified trigger condition occurs in the field. In releases krb5-1.8 and later, the KDC can crash due to a null pointer dereference. No exploit is known to exist.

tags | advisory
advisories | CVE-2011-1527, CVE-2011-1528, CVE-2011-1529
SHA-256 | 8b04ece8c34bca3fda0990a86bfcf42198a26b09a9a26da0008d965a7b170253

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-006

MIT krb5 Security Advisory 2011-006
Original release: 2011-10-18
Last update: 2011-10-18

Topic: KDC denial of service vulnerabilities

CVE-2011-1527: null pointer dereference in KDC LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score: 7.8

Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

CVSSv2 Temporal Score: 6.8

Exploitability: High
Remediation Level: Official Fix
Report Confidence: Confirmed

CVE-2011-1528: assertion failure in multiple KDC back ends

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
CVSSv2 Temporal Score: 6.1

CVE-2011-1529: null pointer dereference in multiple KDC back ends

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
CVSSv2 Temporal Score: 6.1

SUMMARY
=======

CVE-2011-1527: In releases krb5-1.9 and later, the KDC can crash due
to a null pointer dereference if configured to use the LDAP back end.
A trigger condition is publicly known but not known to be widely
circulated.

CVE-2011-1528: In releases krb5-1.8 and later, the KDC can crash due
to an assertion failure. No exploit is known to exist, but there is
public evidence that the unidentified trigger condition occurs in the
field.

CVE-2011-1529: In releases krb5-1.8 and later, the KDC can crash due
to a null pointer dereference. No exploit is known to exist.

IMPACT
======

CVE-2011-1527: An unauthenticated remote attacker can crash a KDC
daemon via null pointer dereference if the KDC is configured to use
the LDAP back end. (This is not the default configuration.)

CVE-2011-1528: An unauthenticated remote attacker can crash a KDC
daemon via assertion failure.

CVE-2011-1529: An unauthenticated remote attacker can crash a KDC
daemon via null pointer dereference.

AFFECTED SOFTWARE
=================

* The KDC in krb5-1.9 and later is vulnerable to CVE-2011-1527 when
configured with the LDAP back end. Earlier releases had different
code that masked this bug and did not crash under these conditions.

* The KDC in krb5-1.8 and later is vulnerable to CVE-2011-1528 when
configured with the LDAP back end. When configured with the
Berkeley DB ("db2") back end, only releases krb5-1.8 through
krb5-1.8.4 are vulnerable.

* The KDC in krb5-1.8 and later is vulnerable to CVE-2011-1529 when
configured with either the Berkeley DB ("db2") or the LDAP back end.

FIXES
=====

* Workaround: restart the KDC when it crashes, possibly using an
automated monitoring process.

* An upcoming release in the krb5-1.9.x series will fix CVE-2011-1527.

* Upcoming releases in the krb5-1.8.x and krb5-1.9.x series will fix
CVE-2011-1528 and CVE-2011-1529.

* The patch for krb5-1.9.x is available at

http://web.mit.edu/kerberos/advisories/2011-006-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2011-006-patch.txt.asc


* The patch for krb5-1.8.x is available at

http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2011-1527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1527

CVE: CVE-2011-1528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1528

CVE: CVE-2011-1529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1529

Debian bug #629558:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629558

Ubuntu bug #715579:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/715579

ACKNOWLEDGMENTS
===============

CVE-2011-1527: Nalin Dahyabhai and Andrej Ota independently reported
this vulnerability. Kyle Moffett independently reported this bug to
Debian.

CVE-2011-1528: Mark Deneen reported this vulnerability to Ubuntu.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

CVE-2011-1527: null pointer dereference in KDC LDAP back end

Under certain error conditions, krb5_ldap_get_principal() in the KDC
LDAP back end can return success yet leave the client principal entry
as a null pointer. Subsequently executed code attempts to dereference
this null pointer.

CVE-2011-1528: assertion failure in multiple KDC back ends

In the KDC LDAP back end in releases krb5-1.8 and later,
krb5_ldap_lockout_audit() calls assert() with an expression that could
be false under as-yet unidentified conditions. A similar problem
occurs in the KDC Berkeley DB ("db2") back end in
krb5_db2_lockout_audit() in releases krb5-1.8 through krb5-1.8.4.
(The db2 back end no longer has this assertion in releases krb5-1.9
and later, and is therefore not vulnerable.) There is a report that
the assertion failure occurs in the field, but there is insufficient
information to identify the actual vector.

CVE-2011-1529: null pointer dereference in multiple KDC back ends

In releases krb5-1.8 and later, lookup_lockout_policy() in both the
Berkeley DB ("db2") and LDAP KDC back ends fails to check that the
principal entry pointer is non-null prior to dereferencing it. This
can happen if an error condition such as KRB5KDC_ERR_PREAUTH_FAILED or
KRB5KRB_AP_ERR_BAD_INTEGRITY occurs in process_as_req() before it
retrieves the principal database entry for the requested client.
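
The two null pointer conditions described above (CVE-2011-1527 and CVE-2011-1529), shown as a simplified model with the defensive checks beside the unchecked form. This is an added example, not code from the krb5 source tree or from the patches; every type, function and constant name in it is hypothetical.

```c
#include <stddef.h>

/* Hypothetical stand-ins for a KDC database entry and status codes;
 * none of these names come from the krb5 source tree. */
typedef struct { int fail_count; int max_fail; } db_entry;
enum { OK = 0, ERR_NOENTRY = 1, ERR_PREAUTH_FAILED = 2 };

/* Models a back-end lookup that can report success while leaving
 * *out NULL (the CVE-2011-1527 condition); soft_error simulates it. */
static int backend_lookup(int soft_error, db_entry *store, db_entry **out)
{
    *out = soft_error ? NULL : store;
    return OK;
}

/* Hardened wrapper: success with a NULL entry becomes an error, so no
 * caller ever sees OK paired with a NULL pointer. */
int lookup_checked(int soft_error, db_entry *store, db_entry **out)
{
    int ret = backend_lookup(soft_error, store, out);
    if (ret == OK && *out == NULL)
        return ERR_NOENTRY;
    return ret;
}

/* Unchecked audit (the CVE-2011-1529 shape): dereferences entry even
 * when the request failed before the entry was retrieved. */
int lockout_audit_unchecked(db_entry *entry, int status)
{
    if (status == ERR_PREAUTH_FAILED)
        entry->fail_count++;            /* crashes when entry == NULL */
    return entry->fail_count >= entry->max_fail;
}

/* Hardened audit: with no entry there is nothing to update or lock. */
int lockout_audit_checked(db_entry *entry, int status)
{
    if (entry == NULL)
        return 0;
    if (status == ERR_PREAUTH_FAILED)
        entry->fail_count++;
    return entry->fail_count >= entry->max_fail;
}

/* Models a request that fails pre-authentication before any lookup. */
int as_req_early_failure(void)
{
    db_entry *client = NULL;            /* entry was never retrieved */
    return lockout_audit_checked(client, ERR_PREAUTH_FAILED);
}
```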

REVISION HISTORY
================

2011-10-18 original release

Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk6dvtMACgkQSO8fWy4vZo6GowCePb09TB6ml1fQCPgNh+au5RGN
V6sAmwY8e1uEI/PaualYavqA/fAbpCuq
=j6ql
-----END PGP SIGNATURE-----