SkipNavigation
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric



 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

 

Vulnerability Note VU#587579

MIT Kerberos V5 ASN.1 decoder fails to perform bounds checking on data element length fields

Overview

The MIT Kerberos V5 implementation contains an ASN.1 decoding flaw that may allow remote attackers to crash affected Kerberos applications.

I. Description

Kerberos V5 protocol messages are defined using Abstract Syntax Notation One (ASN.1), a formal language that allows protocol specifications to be easily encoded for network transmission. For example, each data element in a given protocol message is encoded with additional information that indicates the type and length of the supplied data. This standardized format allows the recipient of the message to interpret the data elements and handle them appropriately.

The ASN.1 decoder included with MIT Kerberos V5 fails to perform bounds checking on the length values supplied with each data element. In some cases, an incoming message can contain a large unsigned data element length value that is misinterpreted as a negative signed value. When an affected Key Distribution Center (KDC) or other Kerberos application attempts to allocate negative or unreasonably large amounts of storage, an error condition will occur that may cause the application to crash.

II. Impact

This vulnerability allows remote attackers to crash affected applications, resulting in a denial of service condition.

III. Solution

This vulnerability was addressed in MIT Kerberos V5 1.2.5, released on April 30, 2002. MIT krb5 Security Advisory 2003-001 provides additional information from MIT and is available at:


For information regarding other vendors who may be affected, please see the vendor section of this document.

Systems Affected

VendorStatusDate Updated
Apple Computer Inc.Unknown29-Jan-2003
BSDIUnknown29-Jan-2003
Cisco Systems Inc.Unknown29-Jan-2003
ConectivaUnknown29-Jan-2003
Cray Inc.Unknown31-Jan-2003
DebianUnknown29-Jan-2003
Hewlett-Packard CompanyNot Vulnerable31-Jan-2003
IBMUnknown31-Jan-2003
KTH KerberosUnknown29-Jan-2003
MandrakeSoftVulnerable4-Apr-2003
Microsoft CorporationNot Vulnerable31-Jan-2003
MIT Kerberos Development TeamVulnerable30-Jan-2003
NetBSDUnknown29-Jan-2003
OpenBSDUnknown29-Jan-2003
Red Hat Inc.Vulnerable27-Mar-2003
Sun Microsystems Inc.Unknown29-Jan-2003
The SCO GroupUnknown29-Jan-2003
Wind River Systems Inc.Unknown29-Jan-2003

References


http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
http://www.ietf.org/rfc/rfc1510.txt

Credit

The reporter of this vulnerability wishes to remain anonymous.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public01/28/2003
Date First Published01/31/2003 02:02:44 PM
Date Last Updated04/04/2003
CERT Advisory 
CVE NameCAN-2002-0036
US-CERT Technical Alerts 
Metric31.50
Document Revision43

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader