Vulnerability Note VU#587579
MIT Kerberos V5 ASN.1 decoder fails to perform bounds checking on data element length fields
Overview
The MIT Kerberos V5 implementation contains an ASN.1 decoding flaw that may allow remote attackers to crash affected Kerberos applications.
Description
Kerberos V5 protocol messages are defined using Abstract Syntax Notation One (ASN.1), a formal language that allows protocol specifications to be easily encoded for network transmission. For example, each data element in a given protocol message is encoded with additional information that indicates the type and length of the supplied data. This standardized format allows the recipient of the message to interpret the data elements and handle them appropriately. The ASN.1 decoder included with MIT Kerberos V5 fails to perform bounds checking on the length values supplied with each data element. In some cases, an incoming message can contain a large unsigned data element length value that is misinterpreted as a negative signed value. When an affected Key Distribution Center (KDC) or other Kerberos application attempts to allocate negative or unreasonably large amounts of storage, an error condition will occur that may cause the application to crash. |
Impact
This vulnerability allows remote attackers to crash affected applications, resulting in a denial of service condition. |
Solution
This vulnerability was addressed in MIT Kerberos V5 1.2.5, released on April 30, 2002. MIT krb5 Security Advisory 2003-001 provides additional information from MIT and is available at: For information regarding other vendors who may be affected, please see the vendor section of this document. |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| MandrakeSoft | Affected | 03 Apr 2003 | 04 Apr 2003 |
| MIT Kerberos Development Team | Affected | 04 Apr 2002 | 30 Jan 2003 |
| Red Hat Inc. | Affected | 08 Apr 2002 | 27 Mar 2003 |
| Hewlett-Packard Company | Not Affected | 08 Apr 2002 | 31 Jan 2003 |
| Microsoft Corporation | Not Affected | 04 Apr 2002 | 31 Jan 2003 |
| Apple Computer Inc. | Unknown | 08 Apr 2002 | 29 Jan 2003 |
| BSDI | Unknown | 08 Apr 2002 | 29 Jan 2003 |
| Cisco Systems Inc. | Unknown | 08 Apr 2002 | 29 Jan 2003 |
| Conectiva | Unknown | 08 Apr 2002 | 29 Jan 2003 |
| Cray Inc. | Unknown | 08 Apr 2002 | 31 Jan 2003 |
| Debian | Unknown | 08 Apr 2002 | 29 Jan 2003 |
| IBM | Unknown | 08 Apr 2002 | 31 Jan 2003 |
| KTH Kerberos | Unknown | 04 Apr 2002 | 29 Jan 2003 |
| NetBSD | Unknown | 08 Apr 2002 | 29 Jan 2003 |
| OpenBSD | Unknown | 08 Apr 2002 | 29 Jan 2003 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
- http://www.ietf.org/rfc/rfc1510.txt
Credit
The reporter of this vulnerability wishes to remain anonymous.
This document was written by Jeffrey P. Lanza.
Other Information
- CVE IDs: CAN-2002-0036
- Date Public: 28 Jan 2003
- Date First Published: 31 Jan 2003
- Date Last Updated: 04 Apr 2003
- Severity Metric: 31.50
- Document Revision: 43
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.