Vulnerability Note VU#550464

MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not properly terminate loop

Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). The Basic Encoding Rules (BER) describe how to represent the values of ASN.1 types in byte strings. The MIT Kerberos 5 library function asn1buf_skiptail() contains a loop that does not properly check either the end of a buffer or the position of a pointer into the buffer. A specially crafted BER encoding in an ASN.1 sequence can cause asn1buf_skiptail() to enter an infinite loop, resulting in a denial of service. MITKRB5-SA-2004-003 provides further detail:

The ASN.1 decoder in the MIT krb5 library handles indefinite-length
BER encodings for the purpose of backwards compatibility with some
non-conformant implementations. The ASN.1 decoders call
asn1buf_sync() to skip any trailing unrecognized fields in the
encoding of a SEQUENCE type.  asn1buf_sync() calls asn1buf_skiptail()
if the ASN.1 SEQUENCE type being decoded was encoded with an
indefinite length.  asn1buf_sync() is provided with a prefetched BER
tag; a placeholder tag is provided by the prefetching code in the case
where there is are no more octets in a sub-encoding.

The loop in asn1buf_skiptail() which attempts to skip trailing
sub-encodings of an indefinite-length SEQUENCE type does not properly
check for end-of-subbuffer conditions or for the placeholder tag,
leading to an infinite loop.   Valid BER encodings cannot cause this
condition; however, it is trivial to construct a corrupt encoding
which will trigger the infinite loop.

Apply the appropriate patch(es) referenced in MITKRB5-SA-2004-003 or specified by your vendor.

Upgrade

According to MITKRB5-SA-2004-003, "The upcoming krb5-1.3.5 release will contain fixes for these problems."

Restrict access

Depending on network architecture, it may be practical to restrict access to KDC servers (88/udp) from untrusted networks such as the Internet. Due to network application requirements, it may be possible, but less practical, to limit access from Kerberos clients to trusted KDC and application servers. While these workarounds will help to limit the source of attacks, they will not prevent attacks from trusted hosts or networks or attackers who can successfully spoof their source addresses.

Systems Affected

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt
http://web.mit.edu/kerberos/www/
http://www.cert.org/advisories/CA-2001-18.html#asn1-ber
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#asn1
http://www.itu.int/ITU-T/asn1/
http://www.itu.int/ITU-T/studygroups/com10/languages/
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbfirewall
http://www.securitytracker.com/alerts/2004/Aug/1011107.html

Credit

Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-003 acknowledges Will Fiveash and Nico Williams.

This document was written by Art Manion.

Other Information

If you have feedback, comments, or additional information about this vulnerability, please send us email.