Vulnerability Note VU#550464
MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not properly terminate loop
The asn1buf_skiptail() function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service in a Kerberos Distribution Center (KDC), application server, or Kerberos client.
As described on the MIT Kerberos web site: "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography." MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.
Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). The Basic Encoding Rules (BER) describe how to represent the values of ASN.1 types in byte strings. The MIT Kerberos 5 library function asn1buf_skiptail() contains a loop that does not properly check either the end of a buffer or the position of a pointer into the buffer. A specially crafted BER encoding in an ASN.1 sequence can cause asn1buf_skiptail() to enter an infinite loop, resulting in a denial of service. MITKRB5-SA-2004-003 provides further detail:
BER encodings for the purpose of backwards compatibility with some
non-conformant implementations. The ASN.1 decoders call
asn1buf_sync() to skip any trailing unrecognized fields in the
encoding of a SEQUENCE type. asn1buf_sync() calls asn1buf_skiptail()
if the ASN.1 SEQUENCE type being decoded was encoded with an
indefinite length. asn1buf_sync() is provided with a prefetched BER
tag; a placeholder tag is provided by the prefetching code in the case
where there is are no more octets in a sub-encoding.
The loop in asn1buf_skiptail() which attempts to skip trailing
sub-encodings of an indefinite-length SEQUENCE type does not properly
check for end-of-subbuffer conditions or for the placeholder tag,
leading to an infinite loop. Valid BER encodings cannot cause this
condition; however, it is trivial to construct a corrupt encoding
which will trigger the infinite loop.
An unauthenticated, remote attacker could cause a denial of service on a KDC or application server. An attacker who is able to impersonate a KDC or application server may be able to cause a denial of service on Kerberos clients.
Apply a patch
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cisco Systems Inc.||Affected||21 Jul 2004||03 Sep 2004|
|MIT Kerberos Development Team||Affected||-||02 Sep 2004|
|CyberSafe||Not Affected||-||02 Sep 2004|
CVSS Metrics (Learn More)
Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-003 acknowledges Will Fiveash and Nico Williams.
This document was written by Art Manion.
- CVE IDs: CAN-2004-0644
- Date Public: 31 Aug 2004
- Date First Published: 02 Sep 2004
- Date Last Updated: 03 Sep 2004
- Severity Metric: 16.44
- Document Revision: 16
If you have feedback, comments, or additional information about this vulnerability, please send us email.