Vulnerability Note VU#550464

MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not properly terminate loop

Original Release date: 02 Sep 2004 | Last revised: 03 Sep 2004

Overview

The asn1buf_skiptail() function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service in a Key Distribution Center (KDC), application server, or Kerberos client.

Description

As described on the MIT Kerberos web site: "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography." MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.

Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). The Basic Encoding Rules (BER) describe how to represent the values of ASN.1 types in byte strings. The MIT Kerberos 5 library function asn1buf_skiptail() contains a loop that does not properly check either the end of a buffer or the position of a pointer into the buffer. A specially crafted BER encoding in an ASN.1 sequence can cause asn1buf_skiptail() to enter an infinite loop, resulting in a denial of service. MITKRB5-SA-2004-003 provides further detail:

    The ASN.1 decoder in the MIT krb5 library handles indefinite-length
    BER encodings for the purpose of backwards compatibility with some
    non-conformant implementations. The ASN.1 decoders call
    asn1buf_sync() to skip any trailing unrecognized fields in the
    encoding of a SEQUENCE type.  asn1buf_sync() calls asn1buf_skiptail()
    if the ASN.1 SEQUENCE type being decoded was encoded with an
    indefinite length.  asn1buf_sync() is provided with a prefetched BER
    tag; a placeholder tag is provided by the prefetching code in the case
    where there are no more octets in a sub-encoding.

    The loop in asn1buf_skiptail() which attempts to skip trailing
    sub-encodings of an indefinite-length SEQUENCE type does not properly
    check for end-of-subbuffer conditions or for the placeholder tag,
    leading to an infinite loop.  Valid BER encodings cannot cause this
    condition; however, it is trivial to construct a corrupt encoding
    which will trigger the infinite loop.
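
The two conditions the advisory names, end-of-subbuffer and the end-of-contents marker, are what a skip loop over indefinite-length BER must test on every iteration. The following is an added illustration, not MIT krb5 code and not the asn1buf API: a hypothetical bounds-checked skipper (ber_skip_element, ber_consumed) that walks one BER element, follows nested indefinite-length encodings, and returns an error rather than looping when the 00 00 end-of-contents octets never arrive. The byte strings are constructed samples: an indefinite-length SEQUENCE containing INTEGER 5, once complete and once with the end-of-contents octets missing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Return codes of the hypothetical skipper (not MIT krb5's asn1buf API). */
enum {
    BER_OK            =  0,
    BER_ERR_TRUNCATED = -1,   /* ran out of octets before the element ended */
    BER_ERR_LENGTH    = -2,   /* length octets malformed or element made no progress */
    BER_ERR_DEPTH     = -3    /* nesting deeper than we are willing to follow */
};

#define BER_MAX_DEPTH 32

/* Skip one BER element (tag, length, contents) starting at *pos and advance
 * *pos past it.  Every octet read is bounds-checked, and the indefinite-length
 * loop stops at end-of-buffer as well as at the end-of-contents octets, which
 * is the check the advisory says asn1buf_skiptail() lacked. */
static int ber_skip_element(const uint8_t *buf, size_t len, size_t *pos, int depth)
{
    if (depth > BER_MAX_DEPTH) return BER_ERR_DEPTH;
    if (*pos >= len) return BER_ERR_TRUNCATED;

    /* Identifier octets: one byte, or a high-tag-number continuation run. */
    uint8_t tag = buf[(*pos)++];
    if ((tag & 0x1f) == 0x1f) {
        do {
            if (*pos >= len) return BER_ERR_TRUNCATED;
        } while (buf[(*pos)++] & 0x80);
    }

    if (*pos >= len) return BER_ERR_TRUNCATED;
    uint8_t first = buf[(*pos)++];

    if (first == 0x80) {
        /* Indefinite length: sub-encodings follow until a 00 00 end-of-contents
         * pair.  A truncated encoding never supplies that pair, so the loop
         * must also stop when the buffer is exhausted. */
        for (;;) {
            if (*pos + 2 > len) return BER_ERR_TRUNCATED;
            if (buf[*pos] == 0x00 && buf[*pos + 1] == 0x00) {
                *pos += 2;
                return BER_OK;
            }
            size_t before = *pos;
            int rc = ber_skip_element(buf, len, pos, depth + 1);
            if (rc != BER_OK) return rc;
            if (*pos <= before) return BER_ERR_LENGTH;  /* no progress: refuse to spin */
        }
    }

    size_t clen;
    if (first < 0x80) {
        clen = first;                       /* short form */
    } else {
        unsigned nbytes = first & 0x7f;     /* long form: nbytes length octets follow */
        if (nbytes == 0 || nbytes > sizeof(size_t)) return BER_ERR_LENGTH;
        if (*pos + nbytes > len) return BER_ERR_TRUNCATED;
        clen = 0;
        for (unsigned i = 0; i < nbytes; i++) clen = (clen << 8) | buf[(*pos)++];
    }
    if (clen > len - *pos) return BER_ERR_TRUNCATED;   /* contents overrun the buffer */
    *pos += clen;
    return BER_OK;
}

/* Convenience wrapper: octets consumed by the first element, or a negative code. */
static long ber_consumed(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int rc = ber_skip_element(buf, len, &pos, 0);
    return rc == BER_OK ? (long)pos : rc;
}

/* Constructed samples (hypothetical input, not taken from the advisory). */
static const uint8_t SAMPLE_COMPLETE[]  = {0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00};
static const uint8_t SAMPLE_TRUNCATED[] = {0x30, 0x80, 0x02, 0x01, 0x05};
static const uint8_t SAMPLE_NESTED[]    = {0x30, 0x80, 0x30, 0x80, 0x02, 0x01, 0x05,
                                           0x00, 0x00, 0x00, 0x00};
static const uint8_t SAMPLE_LONGFORM[]  = {0x04, 0x81, 0x02, 0xAA, 0xBB};

int main(void)
{
    printf("complete:  %ld\n", ber_consumed(SAMPLE_COMPLETE, sizeof SAMPLE_COMPLETE));
    printf("truncated: %ld\n", ber_consumed(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("nested:    %ld\n", ber_consumed(SAMPLE_NESTED, sizeof SAMPLE_NESTED));
    printf("long form: %ld\n", ber_consumed(SAMPLE_LONGFORM, sizeof SAMPLE_LONGFORM));
    return 0;
}
```

The complete sample is consumed in full (7 octets) while the truncated one returns BER_ERR_TRUNCATED on the iteration where a naive loop would read past the end of the sub-buffer; the depth limit and the no-progress check are additional guards so that a corrupt length field can neither recurse without bound nor leave the position unchanged.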

Impact

An unauthenticated, remote attacker could cause a denial of service on a KDC or application server. An attacker who is able to impersonate a KDC or application server may be able to cause a denial of service on Kerberos clients.

Solution

Apply a patch

Apply the appropriate patch(es) referenced in MITKRB5-SA-2004-003 or specified by your vendor.

Upgrade

According to MITKRB5-SA-2004-003, "The upcoming krb5-1.3.5 release will contain fixes for these problems."
Restrict access

Depending on network architecture, it may be practical to restrict access to KDC servers (88/udp) from untrusted networks such as the Internet. Because network applications depend on reaching KDC and application servers, it may be possible, but less practical, to limit Kerberos clients to communicating only with trusted KDC and application servers. While these workarounds help to limit the sources from which attacks can originate, they will not prevent attacks from trusted hosts or networks, or from attackers who can successfully spoof their source addresses.

Systems Affected

Vendor                          Status        Date Notified   Date Updated
Cisco Systems Inc.              Affected      21 Jul 2004     03 Sep 2004
MIT Kerberos Development Team   Affected      -               02 Sep 2004
CyberSafe                       Not Affected  -               02 Sep 2004

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

Credit

Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-003 acknowledges Will Fiveash and Nico Williams.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2004-0644
  • Date Public: 31 Aug 2004
  • Date First Published: 02 Sep 2004
  • Date Last Updated: 03 Sep 2004
  • Severity Metric: 16.44
  • Document Revision: 16