Bug 545002 - (CVE-2009-3295) CVE-2009-3295 krb5: KDC denial of service in cross-realm referral processing (MITKRB5-SA-2009-003)
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 553031
Reported: 2009-12-07 04:57 EST by Jan Lieskovsky
Modified: 2010-01-11 07:46 EST (History)

Doc Type: Bug Fix
Last Closed: 2010-01-11 07:46:24 EST

Description Jan Lieskovsky 2009-12-07 04:57:22 EST
A null pointer dereference can occur in an error condition in the KDC
cross-realm referral processing code in MIT krb5-1.7.  This can cause
the KDC to crash.

An unauthenticated remote attacker could cause the KDC to crash due to
a null pointer dereference.  Legitimate requests can also cause this
crash to occur.

Upstream advisory (not available yet):

Upstream patch (not available yet):

Issue independently discovered by Radoslav Bodo, Jakob Haufe,
and Jorgen Wahlsten.
Comment 8 Vincent Danen 2009-12-10 12:07:14 EST
Ok, great.  Thanks for the clarification.

As an aside, is there a reason why we disagree with the upstream advisory claiming the CVSSv2 is AV:N/AC:L/Au:N/C:N/I:N/A:C (we're claiming A:P)?  If the KDC crashes, and we have no mechanism in place to restart it automatically, we should probably use A:C as well.
Comment 9 Vincent Danen 2009-12-10 12:18:04 EST
As per upstream, only Kerberos 1.7 contains the vulnerable functions, so this does not affect any version of Red Hat Enterprise Linux.  This does affect Fedora 12 and rawhide.
Comment 10 Mark J. Cox (Product Security) 2009-12-11 03:50:59 EST
For #8: we use the CVSSv2 guidelines, where Complete is defined in terms of the impact to the "system". So in order for an issue to be marked A:C it would have to break the availability of the complete OS, not just your krb5 service. This makes sense, as obviously a complete system crash is a worse impact than just one of your services crashing.

Oracle created their own "Partial+" for this very case, see http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm

[Note that if you have C:C/I:C (due to being a code execution as root issue) then this implies A:C as root commands could easily cause a complete system DoS]
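The scoring disagreement in comments 8 and 10 comes down to which availability weight goes into the CVSS v2 base formula. The following is an added example, not part of this bug report and not code from Red Hat or MIT krb5: a CVSS v2 base-score calculator in Python using the metric weights and equations published in the FIRST CVSS v2 guide, so the upstream vector (A:C), the Red Hat vector (A:P) and the root-code-execution case mentioned in comment 10 can be scored side by side. The vector strings are the ones quoted in the comments above; the function names are this example's own.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights, as published in the FIRST CVSS v2 guide.
ACCESS_VECTOR = {"L": Decimal("0.395"), "A": Decimal("0.646"), "N": Decimal("1.0")}
ACCESS_COMPLEXITY = {"H": Decimal("0.35"), "M": Decimal("0.61"), "L": Decimal("0.71")}
AUTHENTICATION = {"M": Decimal("0.45"), "S": Decimal("0.56"), "N": Decimal("0.704")}
# Confidentiality, Integrity and Availability share one scale:
# None, Partial, Complete.
CIA_IMPACT = {"N": Decimal("0.0"), "P": Decimal("0.275"), "C": Decimal("0.660")}

REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:N/I:N/A:C' into {'AV': 'N', 'AC': 'L', ...}.

    Rejects vectors that omit a base metric or use a letter the v2
    tables do not define, rather than silently scoring garbage.
    """
    metrics = {}
    for part in vector.split("/"):
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[name] = value
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} is missing metrics {missing}")
    tables = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
              "C": CIA_IMPACT, "I": CIA_IMPACT, "A": CIA_IMPACT}
    for name, table in tables.items():
        if metrics[name] not in table:
            raise ValueError(f"metric {name} has unknown value {metrics[name]!r}")
    return metrics


def subscores(vector):
    """Return (impact, exploitability) sub-scores as exact Decimals."""
    m = parse_vector(vector)
    impact = Decimal("10.41") * (
        1 - (1 - CIA_IMPACT[m["C"]]) * (1 - CIA_IMPACT[m["I"]]) * (1 - CIA_IMPACT[m["A"]])
    )
    exploitability = (
        20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    )
    return impact, exploitability


def base_score(vector):
    """CVSS v2 base score, rounded half-up to one decimal as the guide specifies."""
    impact, exploitability = subscores(vector)
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176.
    f_impact = Decimal("0") if impact == 0 else Decimal("1.176")
    raw = (Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * f_impact
    return float(raw.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


if __name__ == "__main__":
    # The two vectors discussed in comments 8 and 10, plus the root
    # code-execution case used there to illustrate why C:C/I:C implies A:C.
    for label, vector in [
        ("upstream (KDC crash scored as A:C)", "AV:N/AC:L/Au:N/C:N/I:N/A:C"),
        ("Red Hat  (KDC crash scored as A:P)", "AV:N/AC:L/Au:N/C:N/I:N/A:P"),
        ("root code execution", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ]:
        print(f"{label}: {vector} -> {base_score(vector)}")
```

With the A:C weight the krb5 vector scores 7.8, with A:P it scores 5.0, and the C:C/I:C/A:C case scores 10.0; the only difference between the first two is the availability weight (0.660 versus 0.275) feeding the impact sub-score, which is exactly the "service versus whole system" distinction comment 10 draws.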
Comment 12 Tomas Hoger 2009-12-24 07:01:31 EST
Upstream reported this issue was also reported publicly:

Upstream advisory should be released on 20091228.
Comment 13 Tomas Hoger 2009-12-29 10:01:44 EST
Public now via:
Comment 15 Fedora Update System 2010-01-05 17:53:06 EST
krb5-1.7-15.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
