Vulnerability Note VU#943220

MIT KDC vulnerable to double-free when PKINIT enabled

Original Release date: 15 Mar 2011 | Last revised: 29 Mar 2011

Overview

The KDC in releases krb5-1.7 and later are vulnerable to a double-free vulnerability if they are configured to respond to PKINIT requests.

Description

The MIT krb5 Security Advisory 2011-003 states:

"The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult)."

Impact

An unauthenticated remote attacker can induce a double-free event, causing the KDC daemon to crash (denial of service), or to execute arbitrary code.

Solution

Apply a Patch
Upcoming releases in the krb5-1.7, krb5-1.8, and krb5-1.9 series will contain fixes. In the meantime, apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 46b5fa1..464cb6e 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
                    pad->contents = td[size]->data;
                    pad->length = td[size]->length;
                    pa[size] = pad;
+                    td[size]->data = NULL;
+                    td[size]->length = 0;
                }
            krb5_free_typed_data(kdc_context, td);
        }

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
MIT Kerberos Development TeamAffected15 Mar 201109 Mar 2011
Red Hat, Inc.Affected-29 Mar 2011
UbuntuAffected-29 Mar 2011
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This issue was discovered by Cameron Meadors of Red Hat.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2011-0284
  • Date Public: 15 Mar 2011
  • Date First Published: 15 Mar 2011
  • Date Last Updated: 29 Mar 2011
  • Document Revision: 12

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.