When the MIT krb5 KDC receives certain Kerberos TGS request messages, it may dereference an uninitialized pointer while processing authorization data, causing a crash or, in rare cases, unauthorized information disclosure, ticket modification, or execution of arbitrary code. This is an implementation vulnerability in MIT krb5, not a vulnerability in the Kerberos protocol.

An authenticated remote attacker can cause the MIT krb5 KDC process to crash, resulting in a denial of service. In rare cases, the attacker could theoretically induce unauthorized information disclosure, ticket modification, or execution of arbitrary code. The denial of service may also be triggered by legitimate requests, such as those produced by Windows Active Directory clients. No exploit code is known to exist that would cause information disclosure, ticket modification, or arbitrary code execution.

This vulnerability only exists in krb5-1.8 through 1.8.3; the affected code did not exist in earlier versions of krb5. It has been corrected in the 1.8.4 release.

The patch is available at: http://web.mit.edu/kerberos/advisories/2010-006-patch.txt
The upstream advisory will be available at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt

Acknowledgements: Red Hat would like to thank the MIT Kerberos Team for reporting this issue. Upstream acknowledges Mike Roszkowski as the original reporter.
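The mechanism behind the uninitialized pointer, as an added example that is not krb5's own code: merge_authdata() in kdc_authdata.c appends a request's authdata to a NULL-terminated pointer array, skipping (and freeing) KDC-issued elements when asked to. In 1.8.0 through 1.8.3 the output slot was taken from the input index, so every skipped element left an unwritten slot in front of the NULL terminator, and whatever walked the array next dereferenced garbage. The simplified structures, the sentinel standing in for uninitialized memory, and the three input lists below are constructed for this illustration; the real is_kdc_issued_authdatum() also looks inside AD-IF-RELEVANT containers, and the real function handles more cases than the two indexings contrasted here.

```c
#include <stdlib.h>

/* Stand-in for krb5_authdata with just the fields the merge touches.
 * Added illustration, not krb5 code. */
typedef struct {
    int ad_type;
    unsigned char *contents;
} authdatum;

#define AD_KDC_ISSUED  4   /* value of KRB5_AUTHDATA_KDC_ISSUED in krb5.h */
#define AD_IF_RELEVANT 1   /* value of KRB5_AUTHDATA_IF_RELEVANT in krb5.h */

/* Sentinel standing in for whatever realloc() leaves in unwritten slots. */
static authdatum poison = { -1, NULL };

/* Simplified: the real krb5 check also looks inside AD-IF-RELEVANT containers. */
static int is_kdc_issued_authdatum(const authdatum *ad) { return ad->ad_type == AD_KDC_ISSUED; }

static size_t list_len(authdatum **list)
{
    size_t n = 0;
    while (list != NULL && list[n] != NULL) n++;
    return n;
}

/* NULL-terminated list of elements with one-byte payloads (constructed input). */
static authdatum **make_list(const int *types, size_t n)
{
    authdatum **list = calloc(n + 1, sizeof(*list));
    for (size_t i = 0; i < n; i++) {
        list[i] = calloc(1, sizeof(**list));
        list[i]->ad_type = types[i];
        list[i]->contents = calloc(1, 1);
    }
    return list;
}

static void free_list(authdatum **list)
{
    for (size_t i = 0; list[i] != NULL; i++) {
        if (list[i] == &poison) continue;   /* a hole: nothing real to free */
        free(list[i]->contents);
        free(list[i]);
    }
    free(list);
}

/* Append `in` to `*out`, dropping KDC-issued elements when ignore_kdc_issued
 * is set. `fixed` selects the 1.8.4 indexing (separate output index j) over
 * the 1.8.0-1.8.3 indexing (output slot taken from the input index i). As in
 * krb5, `in` and its elements are consumed. */
static void merge_authdata(authdatum ***out, authdatum **in,
                           int ignore_kdc_issued, int fixed)
{
    size_t nadata = list_len(*out), nin = list_len(in), i, j;
    authdatum **authdata = realloc(*out, (nadata + nin + 1) * sizeof(*authdata));

    /* realloc() leaves the new slots uninitialised; plant the sentinel so the
     * hole the old indexing leaves is deterministic and observable. */
    for (i = nadata; i < nadata + nin + 1; i++)
        authdata[i] = &poison;

    for (i = 0, j = 0; in[i] != NULL; i++) {
        if (ignore_kdc_issued && is_kdc_issued_authdatum(in[i])) {
            free(in[i]->contents);
            free(in[i]);                     /* dropped: no output slot written */
        } else if (fixed) {
            authdata[nadata + j++] = in[i];  /* 1.8.4: next free output slot */
        } else {
            authdata[nadata + i] = in[i];    /* old: slot follows the input index */
        }
    }
    authdata[nadata + (fixed ? j : i)] = NULL;
    free(in);
    *out = authdata;
}

/* Uninitialised slots a consumer would dereference before the terminator. */
static size_t holes_before_terminator(authdatum **list)
{
    size_t holes = 0;
    for (size_t i = 0; list[i] != NULL; i++)
        holes += (list[i] == &poison);
    return holes;
}

/* Merge a constructed request's authdata into an empty list and report how
 * many uninitialised pointers the result exposes to whatever walks it next. */
size_t holes_after_merge(const int *types, size_t n, int fixed)
{
    authdatum **out = NULL;
    merge_authdata(&out, make_list(types, n), 1, fixed);
    size_t holes = holes_before_terminator(out);
    free_list(out);
    return holes;
}

/* Constructed inputs: drop-then-keep, keep-then-drop, drop-everything. */
const int kDropKeep[] = { AD_KDC_ISSUED, AD_IF_RELEVANT };
const int kKeepDrop[] = { AD_IF_RELEVANT, AD_KDC_ISSUED };
const int kDropDrop[] = { AD_KDC_ISSUED, AD_KDC_ISSUED };
```

With the old indexing, holes_after_merge() reports one hole for each dropped element that precedes the terminator (two for a request consisting only of KDC-issued elements); with the 1.8.4 indexing it reports none for every input. The sentinel makes the hole visible on every run; in the real KDC the slot held whatever realloc() left there, which is why the same request could crash on one run and silently misbehave on another.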
This does not affect Red Hat Enterprise Linux 3, 4, or 5, nor does it affect Fedora (all provide krb5 1.7.x or earlier, which do not contain the vulnerable code). It does affect Red Hat Enterprise Linux 6.
The upstream provided patch: diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index b5de64d..cc44e29 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -495,7 +495,7 @@ merge_authdata (krb5_context context, krb5_boolean copy, krb5_boolean ignore_kdc_issued) { - size_t i, nadata = 0; + size_t i, j, nadata = 0; krb5_authdata **authdata = *out_authdata; if (in_authdata == NULL || in_authdata[0] == NULL) @@ -529,16 +529,16 @@ merge_authdata (krb5_context context, in_authdata = tmp; } - for (i = 0; in_authdata[i] != NULL; i++) { + for (i = 0, j = 0; in_authdata[i] != NULL; i++) { if (ignore_kdc_issued && is_kdc_issued_authdatum(context, in_authdata[i], 0)) { free(in_authdata[i]->contents); free(in_authdata[i]); } else - authdata[nadata + i] = in_authdata[i]; + authdata[nadata + j++] = in_authdata[i]; } - authdata[nadata + i] = NULL; + authdata[nadata + j] = NULL; free(in_authdata);
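Review bot: the new index `j` in the declaration hunk (`size_t i, j, nadata = 0;`) carries no comment saying how it differs from `i`; since `i` walks in_authdata including the elements the loop frees, while `j` counts only the elements actually stored into authdata, a one-line comment at the declaration (for example `/* j: next free slot in authdata */`) would tell the next reader why two indices are needed.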
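Review bot: the loop hunk is the right fix: before it, the `ignore_kdc_issued` branch freed in_authdata[i] without writing authdata[nadata + i], and the terminator at `authdata[nadata + i] = NULL` left that unwritten slot inside the range any walker of the NULL-terminated array would dereference; with `authdata[nadata + j++] = in_authdata[i]` and `authdata[nadata + j] = NULL` the stored elements are contiguous again. Two follow-ups worth adding: a comment noting that slots beyond the new terminator stay unwritten on purpose and must never be read, and a regression test that merges a KDC-issued element followed by a non-issued one with ignore_kdc_issued set, which is exactly the input that produced the hole.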
Public now via: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2010-006.txt
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2010:0863 https://rhn.redhat.com/errata/RHSA-2010-0863.html
Statement: This issue did not affect Red Hat Enterprise Linux 3, 4, or 5. It was addressed in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2010-0863.html.