SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#866472

MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred() insecurely deallocates memory (double-free)

Overview

The krb5_rd_cred() function in the MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in a double-free vulnerability. A remote, authenticated attacker could execute arbitrary code or cause a denial of service on any system running an application that calls krb5_rd_cred(). This includes Kerberos application servers and other applications that process Kerberos authentication via the MIT Kerberos 5 library, GSSAPI, and other libraries.

I. Description

As described on the MIT Kerberos web site: "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography." MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.

Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). When handling an error condition, the function krb5_rd_cred() free()s a memory reference returned from the ASN.1 decoding function decode_krb5_enc_cred_part(). As part of its own error handling process, the decoding function already free()d the memory reference, therefore the second free() can corrupt heap memory management structures, possibly manipulating heap memory to execute arbitrary code. This is a double-free vulnerability. Note that this vulnerability was addressed in kbr5-1.3.2. From MITKRB5-SA-2004-002:

    Implementations of krb5_rd_cred() prior to the krb5-1.3.2 release
    contained code to explicitly free the buffer returned by the ASN.1
    decoder function decode_krb5_enc_cred_part() when the decoder returns
    an error.  This is another double-free, since the decoder would itself
    free the buffer on error.  Since decode_krb5_enc_cred_part() does not
    get called unless the decryption of the encrypted part of the KRB-CRED
    is successful, the attacker needs to have authenticated.  This code
    was corrected in the krb5-1.3.2 release.
MIT notes that Kerberos applications that call krb5_rd_cred() to process forwarded credentials are affected:
    Applications calling the krb5_rd_cred() function in releases prior
    to krb5-1.3.2.  Such applications in the MIT krb5 releases include
    the remote login daemons (krshd, klogind, and telnetd) and the FTP
    daemon. The krb5_rd_cred() function decrypts and decodes forwarded
    Kerberos credentials.  Third-party applications calling this
    function directly or indirectly (by means of the GSSAPI or other
    libraries) are vulnerable.

II. Impact

A remote, authenticated attacker could execute arbitrary code on a vulnerable Kerberos application server or cause a denial of service.

III. Solution

Apply a patch

Apply the appropriate patch(es) referenced in MITKRB5-SA-2004-002 or specified by your vendor. Note that this vulnerability does not exist in krb5-1.3.2 and later.

Upgrade

According to MITKRB5-SA-2004-002, "The upcoming krb5-1.3.5 release will contain fixes for these problems."

Restrict access

Depending on network architecture and application requirements, it may be practical to restrict access to Kerberos application servers from untrusted networks such as the Internet. While this will help to limit the source of attacks, it will not prevent attacks from trusted hosts or networks or attackers who can successfully spoof their source addresses.

Systems Affected

VendorStatusDate Updated
Apple Computer Inc.Unknown3-Sep-2004
Cisco Systems Inc.Vulnerable3-Sep-2004
ConectivaUnknown3-Sep-2004
Cray Inc.Unknown3-Sep-2004
CyberSafeNot Vulnerable2-Sep-2004
DebianUnknown3-Sep-2004
EMC CorporationUnknown3-Sep-2004
F-SecureUnknown3-Sep-2004
FreeBSDUnknown3-Sep-2004
FujitsuUnknown3-Sep-2004
Guardian Digital Inc. Unknown3-Sep-2004
Heimdal Kerberos ProjectUnknown3-Sep-2004
Hewlett-Packard CompanyUnknown3-Sep-2004
HitachiUnknown3-Sep-2004
IBMUnknown3-Sep-2004
Ingrian NetworksUnknown3-Sep-2004
Juniper NetworksUnknown3-Sep-2004
KTH KerberosUnknown3-Sep-2004
MandrakeSoftUnknown3-Sep-2004
Microsoft CorporationUnknown3-Sep-2004
MIT Kerberos Development TeamVulnerable2-Sep-2004
MontaVista SoftwareUnknown3-Sep-2004
NEC CorporationUnknown3-Sep-2004
WirexUnknown3-Sep-2004

References


http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
http://web.mit.edu/kerberos/www/
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#asn1
http://www.itu.int/ITU-T/asn1/
http://www.itu.int/ITU-T/studygroups/com10/languages/
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#gssapi
http://www.ietf.org/rfc/rfc2743.txt
http://www.ietf.org/rfc/rfc1964.txt
http://www.securitytracker.com/alerts/2004/Aug/1011106.html

Credit

Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-002 acknowledges Joseph Galbraith and John Hawkinson.

This document was written by Art Manion.

Other Information

Date Public08/31/2004
Date First Published09/02/2004 02:33:55 AM
Date Last Updated09/03/2004
CERT Advisory 
CVE NameCAN-2004-0643
US-CERT Technical Alerts 
Metric10.96
Document Revision27

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader