SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   Kerberos Vendors:   MIT
MIT Kerberos KDC Double Free in perpare_error_as() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1025216
SecurityTracker URL:  http://securitytracker.com/id/1025216
CVE Reference:   CVE-2011-0284   (Links to External Site)
Date:  Mar 15 2011
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): krb5-1.7 and later
Description:   A vulnerability was reported in Kerberos. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted data to trigger a double-free in the Key Distribution Center (KDC) in the perpare_error_as() function and potentially execute arbitrary code on the target system.

Systems with PKINIT enabled are affected.

Third-party pre-authentication plugins that generate TYPED-DATA in the e-data field of a KRB-ERROR message may also be affected.

Cameron Meadors of Red Hat reported this vulnerability.

Impact:   A remote user can cause the KDC daemon to crash or execute arbitrary code.
Solution:   The vendor has issued a patch, available at:

http://web.mit.edu/kerberos/advisories/2011-003-patch.txt

The vendor's advisory is available at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt

Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt (Links to External Site)
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 16 2011 (Red Hat Issues Fix) MIT Kerberos KDC Double Free in perpare_error_as() Lets Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Enterprise Linux 6.



 Source Message Contents

Date:  Tue, 15 Mar 2011 14:07:13 -0400
Subject:  MITKRB5-SA-2011-003 [CVE-2011-0284] KDC double-free when PKINIT enabled

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-003

MIT krb5 Security Advisory 2011-003
Original release: 2011-03-15
Last update: 2011-03-15

Topic: KDC vulnerable to double-free when PKINIT enabled

CVE-2011-0284

CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      9.3

Access Vector:          Network
Access Complexity:      Medium
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.3

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable
to a double-free condition if the Public Key Cryptography for Initial
Authentication (PKINIT) capability is enabled, resulting in daemon
crash or arbitrary code execution (which is believed to be difficult).

IMPACT
======

An unauthenticated remote attacker can induce a double-free event,
causing the KDC daemon to crash (denial of service), or to execute
arbitrary code.  Exploiting a double-free event to execute arbitrary
code is believed to be difficult.

AFFECTED SOFTWARE
=================

The KDC in releases krb5-1.7 and later are vulnerable, if they are
configured to respond to PKINIT requests.  Earlier releases did not
contain the vulnerable code.  Additionally, third-party
preauthentication plugins that generate TYPED-DATA in the e-data field
of a KRB-ERROR message may be vulnerable.

FIXES
=====

* Upcoming releases in the krb5-1.7, krb5-1.8, and krb5-1.9 series
  will contain fixes.

* Apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 46b5fa1..464cb6e 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
                     pad->contents = td[size]->data;
                     pad->length = td[size]->length;
                     pa[size] = pad;
+                    td[size]->data = NULL;
+                    td[size]->length = 0;
                 }
             krb5_free_typed_data(kdc_context, td);
         }

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-003-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-003-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2011-0284
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0284

ACKNOWLEDGMENTS
===============

This issue was discovered by Cameron Meadors of Red Hat.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

In do_as_req.c, the function perpare_error_as() attempts to decode the
e_data field both as preauth data and as typed data.  If the e_data
contents are typed data, they are converted to preauth data.  This
conversion can free pointers to the typed data items, and free them
again when cleaning up the preauth data during function exit.

REVISION HISTORY
================

2011-03-15      original release

Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk1/qSUACgkQSO8fWy4vZo7g3gCfTiJoaxuB3yVIGKOkttvFJg2z
J2wAoPuSZ56AJ1ugZP0YzObbWVq4cWRt
=BJJb
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC