Bug 753748 (CVE-2011-1530) - CVE-2011-1530 krb5 (krb5kdc): NULL pointer dereference in the TGS handling (MITKRB5-SA-2011-007)
Summary: CVE-2011-1530 krb5 (krb5kdc): NULL pointer dereference in the TGS handling (M...
Alias: CVE-2011-1530
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 754046 754047
Blocks: 753754
TreeView+ depends on / blocked
Reported: 2011-11-14 11:31 UTC by Jan Lieskovsky
Modified: 2021-02-24 13:46 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-12-06 21:58:33 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1790 0 normal SHIPPED_LIVE Moderate: krb5 security update 2011-12-07 02:25:10 UTC

Description Jan Lieskovsky 2011-11-14 11:31:24 UTC
A denial of service flaw was found in the way krb5kdc daemon of the Kerberos 5 Key Distribution Center (KDC) processed certain TGS (Ticket Granting Service) requests. A remote attacker, with ability to authenticate as a principal in the KDC's realm, could use this flaw to cause krb5kdc daemon crash (due NULL pointer dereference) via TGS-REQ request with unknown service principal.

[1] http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt (not public yet)
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1530 (not public yet)

Relevant upstream patch:
[3] http://web.mit.edu/kerberos/advisories/2011-007-patch.txt (not public yet)

Comment 6 Jan Lieskovsky 2011-11-14 11:57:26 UTC

Red Hat would like to thank the MIT Kerberos project for reporting this issue.

Comment 10 Huzaifa S. Sidhpurwala 2011-11-17 05:24:10 UTC
In krb5-1.3 and krb5-1.6 (shipped with Red Hat Enterprise Linux 4 and 5), the interface to find_alternate_tgs() is different than krb5-1.9 (shipped with Red Hat Enterprise Linux 6).

It uses two parameters called "more" and "nprincs". Just after the "tgt_again"
label there is a conditional that checks nprincs != 1.
Since firstpass == 0 now, the error handling portion of that block
calls krb5_db_free_principal() on line 185, but nprincs == 0 prevents
any null dereferences in there.

Relevant portions of code (from rhel-5):

    159 tgt_again:
    160     if (more) {
    161 	status = "NON_UNIQUE_PRINCIPAL";
    163 	goto cleanup;
    164     } else if (nprincs != 1) {
    165 	/*

    176 		if (!tgs_1 || server_1->length != tgs_1->length ||
    177 		    memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
    178 		    krb5_db_free_principal(kdc_context, &server, nprincs);
    179 		    find_alternate_tgs(request, &server, &more, &nprincs);
    180 		    firstpass = 0;
    181 		    goto tgt_again;
    182 		}
    183 	    }
    184 	}
    185 	krb5_db_free_principal(kdc_context, &server, nprincs);
    186 	status = "UNKNOWN_SERVER";
    188 	goto cleanup;
    189     }

Secondly the server variable in rhel-4 and rhel-5 is not defined as a pointer to a structure, but rather a stack-base struct variable.


This issue does not affect the version of krb5 as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the version of krb5 as shipped with Red Hat Enterprise Linux 6.

This issue affects the version of krb5 shipped with Fedora release of 15 and 16.

Comment 11 Vincent Danen 2011-12-06 20:45:07 UTC
External References:


Comment 12 Vincent Danen 2011-12-06 20:46:52 UTC

Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 4 and 5.

Comment 13 errata-xmlrpc 2011-12-06 21:31:08 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1790 https://rhn.redhat.com/errata/RHSA-2011-1790.html

Comment 14 Vincent Danen 2011-12-06 21:58:33 UTC
krb5-1.9.2-4.fc15 is heading to Fedora 15 to fix this flaw, and krb5-1.9.2-4.fc16 to Fedora 16.

Note You need to log in before you can comment on or make changes to this bug.