Vulnerability Note VU#350792
MIT Kerberos krb524d insecurely deallocates memory (double-free)
The MIT Kerberos krb524d daemon does not securely deallocate heap memory when handling an error condition, resulting in a double-free vulnerability. An unauthenticated, remote attacker could execute arbitrary code on a system running krb524d, which in many cases is also a Kerberos Distribution Center (KDC). The compromise of a KDC system can lead to the compromise of an entire Kerberos realm. An attacker may also be able to cause a denial of service on a system running krb524d.
As described on the MIT Kerberos web site: "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography." MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.
The MIT Kerberos krb524d daemon converts Kerberos 5 service tickets into Kerberos 4 service tickets. There is a double-free vulnerability in krb524d that can be triggered during the conversion of a cross-realm ticket. From MITKRB5-SA-2004-002:
releases) for disabling krb4 cross-realm authentication in krb524d
introduced a double-free vulnerability. If handle_classic_v4() denies
the conversion of a cross-realm ticket, v5tkt->enc_part2 gets freed
but not nulled, so do_connection() double-frees many things when it
subsequently calls krb5_free_ticket().
An unauthenticated, remote attacker to could execute arbitrary code on a system running krb524d. In many cases, this system also operates a KDC, so this vulnerability could allow an attacker to gain the master secret for a Kerberos realm, leading to compromise of the entire realm. An attacker may also be able to crash a system running krb524d, causing a denial of service.
Apply a patch
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|MIT Kerberos Development Team||Affected||-||02 Sep 2004|
|Cisco Systems Inc.||Not Affected||21 Jul 2004||03 Sep 2004|
|CyberSafe||Not Affected||-||02 Sep 2004|
CVSS Metrics (Learn More)
Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-002 acknowledges Marc Horowitz.
This document was written by Art Manion.
- CVE IDs: CAN-2004-0772
- Date Public: 31 Aug 2004
- Date First Published: 02 Sep 2004
- Date Last Updated: 03 Sep 2004
- Severity Metric: 10.28
- Document Revision: 16
If you have feedback, comments, or additional information about this vulnerability, please send us email.