In MIT krb5 releases 1.16 and later, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.
Fixed in fedora: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCCYLGJLCVVNJVOQKUGKXR2SNQIPFBFS/
References: https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562
In the ec_verify() function, when the armor key is NULL it should return ENOENT; however, due to a logic error the return value is overwritten by 0 if the k5memdup0() call executes successfully before the check for the armor key runs. This leads to a NULL pointer dereference when the armor key is handled further on. An attacker may leverage this by sending crafted requests to the KDC server, leading it to crash and causing a DoS.
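As an added illustration, not code from this report or from the krb5 project, the following C model reduces the control-flow defect described above to its essentials: a return code is set to ENOENT when the armor key is missing, a later memory-duplication step succeeds and clobbers that code with 0, and execution then reaches the point where the absent key would be dereferenced. The types, the `SAMPLE_PADATA` bytes and the `EC_WOULD_DEREF_NULL` sentinel are constructed for the example; the model reports where the real code would crash rather than dereferencing anything. The hardened variant fails closed before any work that could mask the error.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not krb5's types: a FAST armor key and one padata value. */
typedef struct { unsigned char bytes[16]; } armor_key_t;
typedef struct { const unsigned char *data; size_t len; } padata_t;

/* Sentinel the vulnerable model returns where the real KDC would dereference NULL. */
#define EC_WOULD_DEREF_NULL (-1)

/* Constructed PA-ENCRYPTED-CHALLENGE body and armor key; the bytes are arbitrary sample data. */
static const unsigned char SAMPLE_CHALLENGE[] = { 0x30, 0x05, 0x04, 0x03, 0xde, 0xad, 0xbe };
static const padata_t SAMPLE_PADATA = { SAMPLE_CHALLENGE, sizeof SAMPLE_CHALLENGE };
static const armor_key_t SAMPLE_KEY = { { 0x01, 0x02, 0x03, 0x04 } };

/* Model of the vulnerable control flow: ENOENT is stored in retval but the
 * function carries on; the k5memdup0()-style copy succeeds and overwrites
 * retval with 0, so the missing armor key is used anyway. */
static int ec_verify_vulnerable(const armor_key_t *armor_key, const padata_t *pa)
{
    int retval = 0;
    unsigned char *copy;

    if (armor_key == NULL)
        retval = ENOENT;            /* recorded, but no early exit */

    /* Stand-in for k5memdup0(): NUL-terminated copy of the padata body. */
    copy = malloc(pa->len + 1);
    if (copy == NULL)
        return ENOMEM;
    memcpy(copy, pa->data, pa->len);
    copy[pa->len] = '\0';
    retval = 0;                     /* BUG: clobbers the ENOENT set above */
    free(copy);

    if (retval != 0)
        return retval;              /* never taken once the copy succeeded */
    if (armor_key == NULL)
        return EC_WOULD_DEREF_NULL; /* real code would read armor_key->bytes here and crash */
    return 0;                       /* armor key present: proceed to verification */
}

/* Hardened control flow: reject before any step that could mask the error. */
static int ec_verify_fixed(const armor_key_t *armor_key, const padata_t *pa)
{
    unsigned char *copy;

    if (armor_key == NULL)
        return ENOENT;              /* fail closed: no FAST armor, no challenge check */

    copy = malloc(pa->len + 1);
    if (copy == NULL)
        return ENOMEM;
    memcpy(copy, pa->data, pa->len);
    copy[pa->len] = '\0';
    free(copy);
    return 0;                       /* armor_key is guaranteed non-NULL from here on */
}

int main(void)
{
    /* A request carrying the padata without FAST means the armor key is absent (NULL). */
    printf("vulnerable, no FAST: %d (sentinel %d)\n",
           ec_verify_vulnerable(NULL, &SAMPLE_PADATA), EC_WOULD_DEREF_NULL);
    printf("fixed, no FAST:      %d (ENOENT is %d)\n",
           ec_verify_fixed(NULL, &SAMPLE_PADATA), ENOENT);
    printf("fixed, with FAST:    %d\n", ec_verify_fixed(&SAMPLE_KEY, &SAMPLE_PADATA));
    return 0;
}
```

The defensive lesson is the ordering: a precondition failure must terminate the function (return or goto cleanup) at the point it is detected, because any later assignment to a shared `retval` can silently discard it. Code review and static analysis that flag a stored error code which is overwritten before being consumed would have caught this pattern.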
Created krb5 tracking bugs for this issue: Affects: fedora-all [bug 1992011]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3576 https://access.redhat.com/errata/RHSA-2021:3576
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-36222