Red Hat Bugzilla – Bug 545002
CVE-2009-3295 krb5: KDC denial of service in cross-realm referral processing (MITKRB5-SA-2009-003)
Last modified: 2010-01-11 07:46:24 EST
A null pointer dereference can occur in an error condition in the KDC
cross-realm referral processing code in MIT krb5-1.7. This can cause
the KDC to crash.
An unauthenticated remote attacker could cause the KDC to crash due to
a null pointer dereference. Legitimate requests can also cause this
crash to occur.
Upstream advisory (not available yet):
Upstream patch (not available yet):
Issue independently discovered by Radoslav Bodo, Jakob Haufe,
and Jorgen Wahlsten.
Ok, great. Thanks for the clarification.
As an aside, is there a reason why we disagree with the upstream advisory claiming the CVSSv2 is AV:N/AC:L/Au:N/C:N/I:N/A:C (we're claiming A:P)? If the KDC crashes, and we have no mechanism in place to restart it automatically, we should probably use A:C as well.
As per upstream, only Kerberos 1.7 contains the vulnerable functions so this does not affect any version of Red Hat Enterprise Linux. This does affect Fedora 12 and rawhide.
For #8: we use the CVSSv2 guidelines where Complete is defined in terms of the impact to the "system". So in order for an issue to be marked A:C it would have to break the availability of the complete OS, not just your krb5 service. This makes sense, as obviously a complete system crash is a worse impact than just one of your services crashing.
Oracle created their own "Partial+" for this very case, see http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm
[Note that if you have C:C/I:C (due to being a code execution as root issue) then this implies A:C as root commands could easily cause a complete system DoS]
Upstream reported this issue was also reported publicly:
Upstream advisory should be released on 20091228.
Public now via:
krb5-1.7-15.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.