Bug 545002 (CVE-2009-3295)

Summary: CVE-2009-3295 krb5: KDC denial of service in cross-realm referral processing (MITKRB5-SA-2009-003)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: kreilly, mjc, nalin, security-response-team, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-11 12:46:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 553031
Bug Blocks:

Description Jan Lieskovsky 2009-12-07 09:57:22 UTC
A null pointer dereference can occur in an error condition in the KDC
cross-realm referral processing code in MIT krb5-1.7.  This can cause
the KDC to crash.

An unauthenticated remote attacker could cause the KDC to crash due to
a null pointer dereference.  Legitimate requests can also cause this
crash to occur.

Upstream advisory (not available yet):
--------------------------------------
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt

Upstream patch (not available yet):
-----------------------------------
http://web.mit.edu/kerberos/advisories/2009-003-patch.txt

Credit:
-------
Issue independently discovered by Radoslav Bodo, Jakob Haufe,
and Jorgen Wahlsten.

Comment 8 Vincent Danen 2009-12-10 17:07:14 UTC
Ok, great.  Thanks for the clarification.

As an aside, is there a reason why we disagree with the upstream advisory claiming the CVSSv2 is AV:N/AC:L/Au:N/C:N/I:N/A:C (we're claiming A:P)?  If the KDC crashes, and we have no mechanism in place to restart it automatically, we should probably use A:C as well.

Comment 9 Vincent Danen 2009-12-10 17:18:04 UTC
As per upstream, only Kerberos 1.7 contains the vulnerable functions so this does not affect any version of Red Hat Enterprise Linux.  This does affect Fedora 12 and rawhide.

Comment 10 Mark J. Cox 2009-12-11 08:50:59 UTC
For #8: we use the CVSSv2 guidelines where Complete is defined in terms of the impact to the "system". So in order for an issue to be marked A:C it would have to break the availability of the complete OS, not just your krb5 service. This makes sense, as obviously a complete system crash is a worse impact than just one of your services crashing.

Oracle created their own "Partial+" for this very case, see http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm

[Note that if you have C:C/I:C (due to being a code execution as root issue) then this implies A:C as root commands could easily cause a complete system DoS]
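
As an added example (not part of this bug report, MIT's advisory, or Red Hat's tooling), the CVSS v2 base equation applied to the two ratings debated in comments 8 and 10: upstream's AV:N/AC:L/Au:N/C:N/I:N/A:C and Red Hat's A:P variant, which is assumed to differ only in the A metric as comment 8 implies. The metric weights are the published CVSS v2 base-equation constants; `implies_complete_availability` encodes the C:C/I:C rule of thumb stated in comment 10.

```python
# CVSS v2 base-equation weights (published constants, not from the bug report)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
METRIC_ORDER = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:N/I:N/A:P' into a metric -> value dict."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if set(metrics) != set(METRIC_ORDER):
        raise ValueError(f"vector must contain exactly the metrics {METRIC_ORDER}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # f(Impact): 0 when there is no impact at all
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def compare_availability(vector: str) -> dict:
    """Score the same vector with A:P (service-only DoS) and A:C (whole-system DoS)."""
    m = parse_vector(vector)
    scores = {}
    for availability in ("P", "C"):
        m2 = dict(m, A=availability)
        scores[availability] = base_score("/".join(f"{k}:{m2[k]}" for k in METRIC_ORDER))
    return scores


def implies_complete_availability(vector: str) -> bool:
    """Comment 10's rule: C:C and I:C (e.g. root code execution) imply A:C."""
    m = parse_vector(vector)
    return m["C"] == "C" and m["I"] == "C"


if __name__ == "__main__":
    # Red Hat's A:P rating vs upstream's A:C rating for this KDC crash
    print(compare_availability("AV:N/AC:L/Au:N/C:N/I:N/A:P"))   # {'P': 5.0, 'C': 7.8}
```

The 2.8-point gap is entirely the Availability metric; the exploitability sub-score is identical for both vectors.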

Comment 12 Tomas Hoger 2009-12-24 12:01:31 UTC
Upstream reported this issue was also reported publicly:
  http://mailman.mit.edu/pipermail/krbdev/2009-December/008419.html

Upstream advisory should be released on 20091228.

Comment 13 Tomas Hoger 2009-12-29 15:01:44 UTC
Public now via:
  http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2009-003.txt

Comment 15 Fedora Update System 2010-01-05 22:53:06 UTC
krb5-1.7-15.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.