Vulnerability Note VU#866472
MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred() insecurely deallocates memory (double-free)
The krb5_rd_cred() function in the MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in a double-free vulnerability. A remote, authenticated attacker could execute arbitrary code or cause a denial of service on any system running an application that calls krb5_rd_cred(). This includes Kerberos application servers and other applications that process Kerberos authentication via the MIT Kerberos 5 library, GSSAPI, and other libraries.
As described on the MIT Kerberos web site: "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography." MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.
Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). When handling an error condition, the function krb5_rd_cred() free()s a memory reference returned from the ASN.1 decoding function decode_krb5_enc_cred_part(). As part of its own error handling process, the decoding function already free()d the memory reference, therefore the second free() can corrupt heap memory management structures, possibly manipulating heap memory to execute arbitrary code. This is a double-free vulnerability. Note that this vulnerability was addressed in kbr5-1.3.2. From MITKRB5-SA-2004-002:
contained code to explicitly free the buffer returned by the ASN.1
decoder function decode_krb5_enc_cred_part() when the decoder returns
an error. This is another double-free, since the decoder would itself
free the buffer on error. Since decode_krb5_enc_cred_part() does not
get called unless the decryption of the encrypted part of the KRB-CRED
is successful, the attacker needs to have authenticated. This code
was corrected in the krb5-1.3.2 release.
to krb5-1.3.2. Such applications in the MIT krb5 releases include
the remote login daemons (krshd, klogind, and telnetd) and the FTP
daemon. The krb5_rd_cred() function decrypts and decodes forwarded
Kerberos credentials. Third-party applications calling this
function directly or indirectly (by means of the GSSAPI or other
libraries) are vulnerable.
A remote, authenticated attacker could execute arbitrary code on a vulnerable Kerberos application server or cause a denial of service.
Apply a patch
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cisco Systems Inc.||Affected||21 Jul 2004||03 Sep 2004|
|MIT Kerberos Development Team||Affected||-||02 Sep 2004|
|CyberSafe||Not Affected||-||02 Sep 2004|
|Apple Computer Inc.||Unknown||21 Jul 2004||03 Sep 2004|
|Conectiva||Unknown||21 Jul 2004||03 Sep 2004|
|Cray Inc.||Unknown||21 Jul 2004||03 Sep 2004|
|Debian||Unknown||21 Jul 2004||03 Sep 2004|
|EMC Corporation||Unknown||21 Jul 2004||03 Sep 2004|
|F-Secure||Unknown||21 Jul 2004||03 Sep 2004|
|FreeBSD||Unknown||21 Jul 2004||03 Sep 2004|
|Fujitsu||Unknown||21 Jul 2004||03 Sep 2004|
|Guardian Digital Inc.||Unknown||21 Jul 2004||03 Sep 2004|
|Heimdal Kerberos Project||Unknown||21 Jul 2004||03 Sep 2004|
|Hewlett-Packard Company||Unknown||21 Jul 2004||03 Sep 2004|
|Hitachi||Unknown||21 Jul 2004||03 Sep 2004|
CVSS Metrics (Learn More)
Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-002 acknowledges Joseph Galbraith and John Hawkinson.
This document was written by Art Manion.
- CVE IDs: CAN-2004-0643
- Date Public: 31 Aug 2004
- Date First Published: 02 Sep 2004
- Date Last Updated: 03 Sep 2004
- Severity Metric: 10.96
- Document Revision: 27
If you have feedback, comments, or additional information about this vulnerability, please send us email.