The MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in double-free vulnerabilities. An unauthenticated, remote attacker could execute arbitrary code on a KDC server, which could compromise an entire Kerberos realm. An attacker may also be able to execute arbitrary code on Kerberos clients, or cause a denial of service on KDCs or clients.
As described on the MIT Kerberos web site: "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography." MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.
Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). When ASN.1 decoding functions in the MIT Kerberos 5 library handle error conditions, the functions call free() on a heap buffer and then return the now-dangling reference to the calling function. In some cases, error handling code in the calling functions calls free() on that reference a second time, resulting in a double-free vulnerability. MITKRB5-SA-2004-002 explains in more detail:
An unauthenticated, remote attacker could execute arbitrary code on a KDC server. This could allow an attacker to gain the master secret for a Kerberos realm, leading to compromise of the entire realm. An attacker who is able to impersonate a KDC or application server may be able to execute arbitrary code on Kerberos clients. An attacker may also be able to crash a KDC or client, causing a denial of service.
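To make the ownership mistake in the description concrete, here is an added example that is not MIT Kerberos code and is not taken from the advisory: a hypothetical decoder for a single DER OCTET STRING that, on a truncated input, frees its buffer but leaves the pointer in the output structure, beside a caller whose error cleanup frees it again. A small audit wrapper around free() counts a repeated free of the same pointer instead of corrupting the heap, so the vulnerable and the fixed variants can be compared safely. The null_on_error flag, the audit_free wrapper and the message bytes are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: decoder for one DER OCTET STRING (tag 0x04,
 * one-byte length, contents). Not MIT Kerberos code. */
typedef struct {
    uint8_t *data;   /* heap buffer holding the string contents */
    size_t   len;
} octet_string;

/* Audit allocator for the demo: remembers pointers already freed so that a
 * second free of the same pointer is counted rather than passed to free(). */
#define MAX_FREED 16
static void *freed_log[MAX_FREED];
static size_t freed_count;
static int double_free_count;

static void audit_reset(void) { freed_count = 0; double_free_count = 0; }

static void audit_free(void *p)
{
    if (p == NULL) return;                     /* free(NULL) is always safe */
    for (size_t i = 0; i < freed_count; i++) {
        if (freed_log[i] == p) { double_free_count++; return; }
    }
    if (freed_count < MAX_FREED) freed_log[freed_count++] = p;
    free(p);
}

/* Allocates out->data, then fails if the buffer is truncated.
 * Returns 0 on success, -1 on error. null_on_error selects the fix:
 * after releasing its allocation the decoder clears the reference so the
 * caller's cleanup sees NULL instead of a dangling pointer. */
static int decode_octet_string(const uint8_t *buf, size_t buflen,
                               octet_string *out, int null_on_error)
{
    out->data = NULL;
    out->len = 0;
    if (buflen < 2 || buf[0] != 0x04) return -1;
    size_t len = buf[1];
    out->data = malloc(len ? len : 1);
    if (out->data == NULL) return -1;
    if (buflen - 2 < len) {                    /* truncated input: error path */
        audit_free(out->data);                 /* decoder frees its buffer ... */
        if (null_on_error) out->data = NULL;   /* ... and must drop the reference */
        return -1;
    }
    memcpy(out->data, buf + 2, len);
    out->len = len;
    return 0;
}

/* Caller using the usual cleanup-on-error idiom. Returns how many double
 * frees the audit layer observed while handling buf. */
static int handle_message(const uint8_t *buf, size_t buflen, int fixed)
{
    octet_string os;
    audit_reset();
    if (decode_octet_string(buf, buflen, &os, fixed) != 0) {
        audit_free(os.data);   /* caller's error handling frees the same buffer */
        return double_free_count;
    }
    audit_free(os.data);       /* normal path: exactly one owner, one free */
    return double_free_count;
}

/* Constructed messages: a valid 2-byte string, and one claiming 5 bytes
 * while only 2 are present. */
static const uint8_t valid_msg[]     = { 0x04, 0x02, 'a', 'b' };
static const uint8_t truncated_msg[] = { 0x04, 0x05, 'a', 'b' };

int demo_vulnerable(void) { return handle_message(truncated_msg, sizeof truncated_msg, 0); }
int demo_fixed(void)      { return handle_message(truncated_msg, sizeof truncated_msg, 1); }
int demo_valid(void)      { return handle_message(valid_msg, sizeof valid_msg, 1); }

int main(void)
{
    printf("double frees, vulnerable decoder on truncated input: %d\n", demo_vulnerable());
    printf("double frees, fixed decoder on truncated input:      %d\n", demo_fixed());
    printf("double frees, fixed decoder on valid input:          %d\n", demo_valid());
    return 0;
}
```

The point the example makes is that the defect is a contract violation between callee and caller rather than a single bad line: either the decoder owns cleanup on error and must leave no reference behind, or the caller owns it and the decoder must not free. Nulling the pointer after free makes the first convention robust, and tools such as AddressSanitizer or glibc's own double-free detection would flag the unfixed path the moment a malformed message reaches it.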
Apply a patch
| Vendor | Status |
|---|---|
| Apple Computer Inc. | Affected |
| Fedora Legacy Project | Affected |
| MIT Kerberos Development Team | Affected |
| Red Hat Inc. | Affected |
| Trustix Secure Linux | Affected |
| Cisco Systems Inc. | Not Affected |
| CyberSafe | Not Affected |
| Hitachi | Not Affected |
| VanDyke Software Inc. | Not Affected |
| WRQ | Not Affected |
| Cray Inc. | Unknown |
| EMC Corporation | Unknown |
| Guardian Digital Inc. | Unknown |
| Heimdal Kerberos Project | Unknown |
| Hewlett-Packard Company | Unknown |
| Ingrian Networks | Unknown |
| Juniper Networks | Unknown |
| KTH Kerberos | Unknown |
| Microsoft Corporation | Unknown |
| MontaVista Software | Unknown |
| NEC Corporation | Unknown |
| Openwall GNU/*/Linux | Unknown |
| SSH Communications Security | Unknown |
| Sony Corporation | Unknown |
| SuSE Inc. | Unknown |
| Sun Microsystems Inc. | Unknown |
| Wind River Systems Inc. | Unknown |
Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-002 acknowledges Will Fiveash and Nico Williams.
This document was written by Art Manion.
| Date First Published: | 2004-09-02 |
| Date Last Updated: | 2005-05-10 16:02 UTC |