Vulnerability Note VU#795632
MIT Kerberos 5 ASN.1 decoding functions insecurely deallocate memory (double-free)
The MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in double-free vulnerabilities. An unauthenticated, remote attacker could execute arbitrary code on a KDC server, which could compromise an entire Kerberos realm. An attacker may also be able to execute arbitrary code on Kerberos clients, or cause a denial of service on KDCs or clients.
As described on the MIT Kerberos web site: "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography." MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.
Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). When ASN.1 decoding functions in the MIT Kerberos 5 library handle error conditions, they free() the memory they allocated but return the now-dangling pointer to the calling function. In some cases, error handling code in the calling functions may free() that pointer again, resulting in a double-free vulnerability. MITKRB5-SA-2004-002 explains in more detail:
krb5-1.3.4, ASN.1 decoder functions and their callers do not use a consistent set of memory management conventions. The callers expect the decoders to allocate memory. The callers typically have error-handling code which frees memory allocated by the ASN.1 decoders if pointers to the allocated memory are non-null. Upon encountering error conditions, the ASN.1 decoders themselves free memory which they have allocated, but do not null the corresponding pointers. When some library functions receive errors from the ASN.1 decoders, they attempt to pass the non-null pointer (which points to freed memory) to free(), causing a double-free.

code in the KDC frees memory returned by ASN.1 decoders. This cleanup code only frees memory pointed to by non-null pointers, but if an ASN.1 decoder returns an error, the cleanup code will free memory previously freed by the decoder.
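The two memory-management conventions the advisory contrasts, as an added illustration that is not krb5's code: a toy decoder that frees on error without nulling the caller's pointer, beside the hardened variant that does, both driven by a caller whose cleanup frees anything non-null. The function names, the 8-byte allocation and the SEQUENCE-tag check are constructed for the example; a tracking free() counts a repeat release instead of performing it.

```c
#include <errno.h>
#include <stdlib.h>

/* Toy tracking free(): a repeat free of a block is counted, not executed (no UB). */
static void *freed_blocks[16];
static int nfreed = 0, double_frees = 0;
static void tracked_free(void *p) {
    for (int i = 0; i < nfreed; i++)
        if (freed_blocks[i] == p) { double_frees++; return; }
    if (nfreed < 16) freed_blocks[nfreed++] = p;
    free(p);
}

/* Advisory's buggy convention: decoder frees on error but leaves *out non-null. */
static int decode_buggy(const unsigned char *in, char **out) {
    if ((*out = malloc(8)) == NULL) return ENOMEM;
    if (in[0] != 0x30) {          /* not a SEQUENCE tag: error path */
        tracked_free(*out);       /* *out still points at freed memory */
        return EINVAL;
    }
    return 0;                     /* *out stands in for the decoded structure */
}

/* Hardened: null *out after freeing so the caller's free-if-non-null cannot double free. */
static int decode_fixed(const unsigned char *in, char **out) {
    if ((*out = malloc(8)) == NULL) return ENOMEM;
    if (in[0] != 0x30) {
        tracked_free(*out);
        *out = NULL;
        return EINVAL;
    }
    return 0;
}

/* Caller cleanup as the advisory describes it: free whatever is non-null. */
static int call_decoder(int (*decode)(const unsigned char *, char **), const unsigned char *in) {
    char *buf = NULL;
    int rc = decode(in, &buf);
    if (buf != NULL) tracked_free(buf);
    return rc;
}

/* Runs one decoder over a constructed input and reports the double frees seen. */
int double_frees_for(int use_fixed, int valid_input) {
    static const unsigned char seq[] = { 0x30, 0x00 };   /* constructed: empty SEQUENCE */
    static const unsigned char bad[] = { 0x04, 0x00 };   /* constructed: OCTET STRING */
    nfreed = 0; double_frees = 0;
    call_decoder(use_fixed ? decode_fixed : decode_buggy, valid_input ? seq : bad);
    return double_frees;
}
```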
An unauthenticated, remote attacker could execute arbitrary code on a KDC server. This could allow an attacker to gain the master secret for a Kerberos realm, leading to compromise of the entire realm. An attacker who is able to impersonate a KDC or application server may be able to execute arbitrary code on Kerberos clients. An attacker may also be able to crash a KDC or client, causing a denial of service.
Apply a patch
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer Inc. | Affected | 21 Jul 2004 | 10 May 2005 |
| Debian | Affected | 21 Jul 2004 | 03 Sep 2004 |
| Fedora Legacy Project | Affected | - | 03 Sep 2004 |
| MandrakeSoft | Affected | 21 Jul 2004 | 03 Sep 2004 |
| MIT Kerberos Development Team | Affected | - | 01 Sep 2004 |
| Red Hat Inc. | Affected | 21 Jul 2004 | 02 Sep 2004 |
| Trustix Secure Linux | Affected | - | 03 Sep 2004 |
| Cisco Systems Inc. | Not Affected | 21 Jul 2004 | 02 Sep 2004 |
| CyberSafe | Not Affected | - | 02 Sep 2004 |
| Hitachi | Not Affected | 21 Jul 2004 | 03 Sep 2004 |
| VanDyke Software Inc. | Not Affected | 21 Jul 2004 | 02 Sep 2004 |
| WRQ | Not Affected | 21 Jul 2004 | 02 Sep 2004 |
| Conectiva | Unknown | 21 Jul 2004 | 02 Sep 2004 |
| Cray Inc. | Unknown | 21 Jul 2004 | 02 Sep 2004 |
| EMC Corporation | Unknown | 21 Jul 2004 | 02 Sep 2004 |
Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-002 acknowledges Will Fiveash and Nico Williams.
This document was written by Art Manion.
- CVE IDs: CAN-2004-0642
- Date Public: 31 Aug 2004
- Date First Published: 01 Sep 2004
- Date Last Updated: 10 May 2005
- Severity Metric: 20.55
- Document Revision: 42