The asn1buf_skiptail() function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service in a Kerberos Distribution Center (KDC), application server, or Kerberos client.
As described on the MIT Kerberos web site: "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography." MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.
Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). The Basic Encoding Rules (BER) describe how to represent the values of ASN.1 types in byte strings. The MIT Kerberos 5 library function asn1buf_skiptail() contains a loop that does not properly check either the end of a buffer or the position of a pointer into the buffer. A specially crafted BER encoding in an ASN.1 sequence can cause asn1buf_skiptail() to enter an infinite loop, resulting in a denial of service. MITKRB5-SA-2004-003 provides further detail:
An unauthenticated, remote attacker could cause a denial of service on a KDC or application server. An attacker who is able to impersonate a KDC or application server may be able to cause a denial of service on Kerberos clients.
Apply a patch
Apply the appropriate patch(es) referenced in MITKRB5-SA-2004-003 or specified by your vendor.
Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-003 acknowledges Will Fiveash and Nico Williams.
This document was written by Art Manion.
|Date First Published:||2004-09-02|
|Date Last Updated:||2004-09-03 20:22 UTC|