A denial of service flaw was found in the way the krb5kdc daemon of the Kerberos 5 Key Distribution Center (KDC) processed certain TGS (Ticket Granting Service) requests. A remote attacker with the ability to authenticate as a principal in the KDC's realm could use this flaw to crash the krb5kdc daemon (via a NULL pointer dereference) by sending a TGS-REQ for an unknown service principal.

References:
[1] http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt (not public yet)
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1530 (not public yet)

Relevant upstream patch:
[3] http://web.mit.edu/kerberos/advisories/2011-007-patch.txt (not public yet)
Acknowledgements: Red Hat would like to thank the MIT Kerberos project for reporting this issue.
In krb5-1.3 and krb5-1.6 (shipped with Red Hat Enterprise Linux 4 and 5), the interface to find_alternate_tgs() differs from the one in krb5-1.9 (shipped with Red Hat Enterprise Linux 6): it takes two additional parameters, "more" and "nprincs". Just after the "tgt_again" label there is a conditional that checks nprincs != 1. Since firstpass == 0 on the second pass through that label, the error-handling portion of that block calls krb5_db_free_principal() on line 185, but nprincs == 0 prevents any NULL dereference inside it.

Relevant portions of code (from rhel-5):

    159 tgt_again:
    160     if (more) {
    161         status = "NON_UNIQUE_PRINCIPAL";
    162         errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
    163         goto cleanup;
    164     } else if (nprincs != 1) {
    165         /* ....
    176                 if (!tgs_1 || server_1->length != tgs_1->length ||
    177                     memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
    178                     krb5_db_free_principal(kdc_context, &server, nprincs);
    179                     find_alternate_tgs(request, &server, &more, &nprincs);
    180                     firstpass = 0;
    181                     goto tgt_again;
    182                 }
    183             }
    184         }
    185         krb5_db_free_principal(kdc_context, &server, nprincs);
    186         status = "UNKNOWN_SERVER";
    187         errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
    188         goto cleanup;
    189     }

Secondly, the server variable in rhel-4 and rhel-5 is not defined as a pointer to a structure, but rather as a stack-based struct variable, so there is no pointer to be NULL in the first place.

Therefore:
This issue does not affect the version of krb5 as shipped with Red Hat Enterprise Linux 4 and 5.
This issue affects the version of krb5 as shipped with Red Hat Enterprise Linux 6.
This issue affects the version of krb5 as shipped with Fedora releases 15 and 16.
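To make the two interface shapes concrete, the following is an added C model written for this page; it is not MIT krb5 code and does not reproduce the real KDC logic. The db_entry layout, the lookup and free routine bodies, the realm EXAMPLE.COM and the principal names are all assumptions chosen for illustration. The "counted" half mirrors the rhel-5 shape (caller-owned stack struct plus an nprincs count, so a free with nprincs == 0 touches nothing); the "pointer" half mirrors a callee-allocated entry returned as a pointer, where the unknown-server fall-through frees whatever came back, and shows the NULL check such a path needs.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not MIT krb5 code: the db_entry layout, the lookup and
 * free bodies, the realm and the principal names are assumptions made only
 * to illustrate the two interface shapes discussed in the analysis. */

#define KDC_OK                      0
#define KDC_ERR_S_PRINCIPAL_UNKNOWN 7   /* RFC 4120 error number behind UNKNOWN_SERVER */

typedef struct {
    char *name;                 /* stand-in for the fields of a real krb5_db_entry */
} db_entry;

static const char *KNOWN_TGS = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"; /* assumed KDB content */

/* --- rhel-4/5 shape: caller-owned stack entry plus an nprincs count --- */

/* Fills *entry and sets *nprincs = 1 when found; otherwise leaves *entry alone and sets 0. */
static void find_alternate_tgs_counted(const char *req, db_entry *entry, int *nprincs)
{
    if (strcmp(req, KNOWN_TGS) == 0) {
        entry->name = strdup(req);
        *nprincs = 1;
    } else {
        *nprincs = 0;
    }
}

/* Releases nprincs entries; with nprincs == 0 the loop body never runs. */
static void db_free_principal_counted(db_entry *entries, int nprincs)
{
    for (int i = 0; i < nprincs; i++) {
        free(entries[i].name);
        entries[i].name = NULL;
    }
}

int tgs_unknown_server_counted(const char *req)
{
    db_entry server = { NULL };     /* stack-based struct: there is no pointer to be NULL */
    int nprincs = 0;

    find_alternate_tgs_counted(req, &server, &nprincs);
    if (nprincs == 1) {
        db_free_principal_counted(&server, nprincs);
        return KDC_OK;
    }
    db_free_principal_counted(&server, nprincs);   /* safe: nprincs == 0 */
    return KDC_ERR_S_PRINCIPAL_UNKNOWN;
}

/* --- pointer shape: callee-allocated entry handed back as a pointer --- */

/* Returns a heap entry when found, NULL when the principal is unknown. */
static db_entry *find_alternate_tgs_ptr(const char *req)
{
    db_entry *e;
    if (strcmp(req, KNOWN_TGS) != 0)
        return NULL;
    e = calloc(1, sizeof *e);
    if (e) e->name = strdup(req);
    return e;
}

/* Reads the entry's fields before releasing it; a NULL argument faults here. */
static void db_free_principal_ptr(db_entry *e)
{
    free(e->name);
    free(e);
}

/* Unsafe shape: the unknown-server path frees whatever the lookup returned,
 * including NULL. Only call this with a known principal. */
int tgs_unknown_server_ptr_unguarded(const char *req)
{
    db_entry *server = find_alternate_tgs_ptr(req);
    int rc = (server != NULL) ? KDC_OK : KDC_ERR_S_PRINCIPAL_UNKNOWN;
    db_free_principal_ptr(server);      /* NULL dereference when the principal is unknown */
    return rc;
}

/* Hardened shape: release the entry only when the lookup produced one. */
int tgs_unknown_server_ptr_guarded(const char *req)
{
    db_entry *server = find_alternate_tgs_ptr(req);
    if (server == NULL)
        return KDC_ERR_S_PRINCIPAL_UNKNOWN;
    db_free_principal_ptr(server);
    return KDC_OK;
}

int main(void)
{
    const char *unknown = "host/nowhere.example.com@EXAMPLE.COM";  /* constructed request */
    printf("counted interface, unknown principal: %d\n", tgs_unknown_server_counted(unknown));
    printf("pointer interface with NULL check, unknown principal: %d\n",
           tgs_unknown_server_ptr_guarded(unknown));
    printf("pointer interface without NULL check, known principal: %d\n",
           tgs_unknown_server_ptr_unguarded(KNOWN_TGS));
    return 0;
}
```

The counted interface is safe on the unknown-server path only because nprincs gates the free loop; the pointer interface has no such count to lean on, so the fall-through must check the pointer itself before handing it to the free routine.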
External References: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2011-007.txt
Statement: Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 4 and 5.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:1790 https://rhn.redhat.com/errata/RHSA-2011-1790.html
krb5-1.9.2-4.fc15 is heading to Fedora 15 to fix this flaw, and krb5-1.9.2-4.fc16 is heading to Fedora 16.