Vulnerability Note VU#419344

MIT Kerberos 5 GSS-API library double-free vulnerability

Original Release date: 03 Apr 2007 | Last revised: 23 Apr 2007

Overview

The GSS-API library provided with MIT krb5 contains a vulnerability that may allow a remote, authenticated attacker to execute arbitrary code or cause a denial of service.

Description

A vulnerability in the way the GSS-API library provided with MIT krb5 handles messages with an invalid direction encoding may result in a double free. According to MIT krb5 Security Advisory MITKRB5-SA-2007-003:

    The kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees memory allocated for the "message_buffer" gss_buffer_t when it detects an invalid direction encoding on the message. It does not set the pointer to NULL, nor does it set the length to zero. An application subsequently calling gss_release_buffer() on this gss_buffer_t will cause memory to be freed twice.

    Much code provided with MIT krb5 does not attempt to call gss_release_buffer() when gss_unseal() or gss_unwrap() fails, even though the GSS-API C-bindings specification permits it to do so. The RPCSEC_GSS authentication flavor for the RPC library, introduced in krb5-1.4, does call gss_release_buffer() when gss_unwrap() fails. This allows an authenticated attacker to trigger a double-free situation.

Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6. Other server applications that utilize the RPC library or the MIT GSS-API library provided with MIT krb5 may also be affected.

This vulnerability can be triggered by sending a specially crafted Kerberos message to a vulnerable system.
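
As an added illustration (not MIT's code and not part of this note), the following C model reproduces the error-path pattern the advisory describes and the patched form side by side; the token format, the tracking allocator, and the names unseal, release_buffer and run_unwrap are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal GSS-API buffer; real krb5 uses the same two fields. */
typedef struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t;

/* Tracking allocator: freeing a pointer that is no longer live is counted
 * instead of performed, so the vulnerable path can run without real UB. */
static void *live;                /* the one allocation currently outstanding */
static int double_frees;
static void *t_malloc(size_t n) { return live = malloc(n); }
static void t_free(void *p) {
    if (p != NULL && p == live) { live = NULL; free(p); return; }
    double_frees++;               /* p was already freed: the bug firing */
}

/* Caller-side release, as RPCSEC_GSS does after gss_unwrap() fails. */
static void release_buffer(gss_buffer_t b) {
    if (b->value != NULL) t_free(b->value);
    b->value = NULL;
    b->length = 0;
}

/* Stand-in for kg_unseal_v1(). Constructed token format: byte 0 is the
 * direction flag (0x00 valid, anything else invalid), the rest is payload.
 * 'fixed' selects the patched error path. Returns 0 on success, -1 on error. */
static int unseal(const unsigned char *tok, size_t n, gss_buffer_t out, int fixed) {
    if (n < 2) return -1;
    out->length = n - 1;
    out->value = t_malloc(out->length);
    memcpy(out->value, tok + 1, out->length);
    if (tok[0] != 0x00) {                          /* invalid direction */
        t_free(out->value);
        if (fixed) { out->value = NULL; out->length = 0; }   /* the fix */
        return -1;       /* unpatched: value still points at freed memory */
    }
    return 0;
}

/* One unwrap-then-release round trip on a bad token; returns how many double
 * frees occurred (1 on the vulnerable path, 0 on the patched one). */
int run_unwrap(int fixed) {
    static const unsigned char bad_tok[] = { 0xFF, 'h', 'i' };  /* constructed */
    gss_buffer_desc out = { 0, NULL };
    double_frees = 0;
    if (unseal(bad_tok, sizeof bad_tok, &out, fixed) != 0)
        release_buffer(&out);        /* allowed by the GSS-API C bindings */
    return double_frees;
}
```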

Impact

A remote, authenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.

Solution

Apply Patch
A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-003. MIT also states that this will be addressed in the upcoming krb5-1.6.1 release.

Systems Affected

Vendor                          Status        Date Notified  Date Updated
Apple Computer, Inc.            Affected      04 Apr 2007    20 Apr 2007
Debian GNU/Linux                Affected      -              04 Apr 2007
Gentoo Linux                    Affected      21 Mar 2007    04 Apr 2007
Mandriva, Inc.                  Affected      04 Apr 2007    05 Apr 2007
MIT Kerberos Development Team   Affected      -              03 Apr 2007
Red Hat, Inc.                   Affected      -              02 Apr 2007
rPath                           Affected      -              05 Apr 2007
SUSE Linux                      Affected      04 Apr 2007    05 Apr 2007
Trustix Secure Linux            Affected      04 Apr 2007    06 Apr 2007
Ubuntu                          Affected      21 Mar 2007    04 Apr 2007
AttachmateWRQ, Inc.             Not Affected  21 Mar 2007    04 Apr 2007
Cisco Systems, Inc.             Not Affected  -              02 Apr 2007
CyberSafe, Inc.                 Not Affected  21 Mar 2007    04 Apr 2007
Force10 Networks, Inc.          Not Affected  21 Mar 2007    04 Apr 2007
Heimdal Kerberos Project        Not Affected  21 Mar 2007    04 Apr 2007

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This issue is addressed in MIT krb5 Security Advisory MITKRB5-SA-2007-003.

This document was written by Chris Taschner.

Other Information

  • CVE IDs: CVE-2007-1216
  • Date Public: 03 Apr 2007
  • Date First Published: 03 Apr 2007
  • Date Last Updated: 23 Apr 2007
  • Severity Metric: 17.85
  • Document Revision: 43
