A null pointer dereference can occur in an error condition in the KDC cross-realm referral processing code in MIT krb5-1.7. This can cause the KDC to crash. An unauthenticated remote attacker could cause the KDC to crash due to a null pointer dereference. Legitimate requests can also cause this crash to occur.

Upstream advisory (not available yet):
--------------------------------------
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt

Upstream patch (not available yet):
-----------------------------------
http://web.mit.edu/kerberos/advisories/2009-003-patch.txt

Credit:
-------
Issue independently discovered by Radoslav Bodo, Jakob Haufe, and Jorgen Wahlsten.
Ok, great. Thanks for the clarification. As an aside, is there a reason why we disagree with the upstream advisory claiming the CVSSv2 is AV:N/AC:L/Au:N/C:N/I:N/A:C (we're claiming A:P)? If the KDC crashes, and we have no mechanism in place to restart it automatically, we should probably use A:C as well.
As per upstream, only Kerberos 1.7 contains the vulnerable functions so this does not affect any version of Red Hat Enterprise Linux. This does affect Fedora 12 and rawhide.
For #8; we use the CVSSv2 guidelines where Complete is defined in terms of the impact to the "system". So in order for an issue to be marked A:C it would have to break the availability of the complete OS, not just your krb5 service. This makes sense, as obviously a complete system crash is a worse impact than just one of your services crashing. Oracle created their own "Partial+" for this very case, see http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm [Note that if you have C:C/I:C (due to being a code execution as root issue) then this implies A:C as root commands could easily cause a complete system DoS]
Upstream reported this issue was also reported publicly: http://mailman.mit.edu/pipermail/krbdev/2009-December/008419.html Upstream advisory should be released on 20091228.
Public now via: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2009-003.txt
krb5-1.7-15.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.