search menu icon-carat-right cmu-wordmark

CERT Coordination Center


MIT KDC vulnerable to double-free when PKINIT enabled

Vulnerability Note VU#943220

Original Release Date: 2011-03-15 | Last Revised: 2011-03-29

Overview

The KDC in releases krb5-1.7 and later are vulnerable to a double-free vulnerability if they are configured to respond to PKINIT requests.

Description

The MIT krb5 Security Advisory 2011-003 states:

"The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult)."

Impact

An unauthenticated remote attacker can induce a double-free event, causing the KDC daemon to crash (denial of service), or to execute arbitrary code.

Solution

Apply a Patch
Upcoming releases in the krb5-1.7, krb5-1.8, and krb5-1.9 series will contain fixes. In the meantime, apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 46b5fa1..464cb6e 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
                    pad->contents = td[size]->data;
                    pad->length = td[size]->length;
                    pa[size] = pad;
+                    td[size]->data = NULL;
+                    td[size]->length = 0;
                }
            krb5_free_typed_data(kdc_context, td);
        }

Vendor Information

943220
Expand all

MIT Kerberos Development Team

Notified:  March 15, 2011 Updated:  March 09, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc.

Updated:  March 29, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://rhn.redhat.com/errata/RHSA-2011-0356.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubuntu

Updated:  March 29, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.ubuntu.com/usn/usn-1088-1

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This issue was discovered by Cameron Meadors of Red Hat.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2011-0284
Date Public: 2011-03-15
Date First Published: 2011-03-15
Date Last Updated: 2011-03-29 12:22 UTC
Document Revision: 12

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.