


Category:   Application (Security)  >   Kerberos
Vendors:   MIT
Kerberos KDC Null Pointer Dereference in Cross-Realm Referral Processing Lets Remote Authenticated Users Deny Service
SecurityTracker Alert ID:  1023392
SecurityTracker URL:
CVE Reference:   CVE-2009-3295   (Links to External Site)
Updated:  Jan 6 2010
Original Entry Date:  Dec 29 2009
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): krb5-1.7
Description:   A vulnerability was reported in Kerberos. A remote authenticated user can cause denial of service conditions.

A remote authenticated user can send a TGS request for a host-based service principal whose host matches no realm, causing the KDC's cross-realm referral processing code (prep_reprocess_req() in do_tgs_req.c) to call kdc_err() with a null pointer as the format string; the logging code then dereferences that pointer and the target KDC crashes. No specially crafted data is required, and the vendor advisory below notes that legitimate requests can trigger the same crash and rates the issue as requiring no authentication.

Jeff Blaine, Radoslav Bodo, Jakob Haufe, and Jorgen Wahlsten separately reported this vulnerability.

Impact:   A remote authenticated user can cause the target KDC to crash.
Solution:   The vendor has issued a fix (krb5-1.7.1; pending).

A patch is also available at:

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Exception handling error (null pointer dereference)
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  MITKRB5-SA-2009-003 [CVE-2009-3295] KDC denial of service in cross-realm referral processing



MIT krb5 Security Advisory 2009-003
Original release: 2009-12-28
Last update: 2009-12-28

Topic: KDC denial of service in cross-realm referral processing



CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.1

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed


A null pointer dereference can occur in an error condition in the KDC
cross-realm referral processing code in MIT krb5-1.7.  This can cause
the KDC to crash.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.


An unauthenticated remote attacker could cause the KDC to crash due to
a null pointer dereference.  Legitimate requests can also cause this
crash to occur.


* MIT krb5 release krb5-1.7.  Earlier releases did not contain the
  functionality implemented by the vulnerable code.


* Upgrade: The upcoming krb5-1.7.1 release will contain a fix for this

* Workaround: Disable the realm referral capability by using the
  "no_host_referral = *" setting in kdc.conf, either globally, e.g.

        [kdcdefaults]
                no_host_referral = *

  or for an individual realm, e.g.

        [realms]
                EXAMPLE.COM = {
                        # ... other configuration settings ...
                        no_host_referral = *
                }

* Apply the patch:

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 298e132..12180ff 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
             if (retval) {
                 /* no match found */
- -                kdc_err(kdc_context, retval, 0);
+                kdc_err(kdc_context, retval, "unable to find realm of host");
                 goto cleanup;
             if (realms == 0) {
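Review bot: the fixed format string closes this call site but tells the operator nothing about which request failed; since kdc_err() takes a format plus arguments, a message such as "unable to find realm of host %s" with the requested host would let an administrator distinguish a misconfigured legitimate client from abusive traffic, which matters here because the advisory says legitimate requests also reach this path. The literal 0 also slipped through because the kdc_err() prototype carries no annotation; declaring it with a printf-style format attribute (or nonnull on the format parameter) would make the compiler flag any future call of this shape.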
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index efff818..ef3735a 100644
- --- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list
     char	*cp;
     char	*syslogp;
+    if (whoami == NULL || format == NULL)
+        return;
     /* Make the header */
     snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
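Review bot: the early return drops the event entirely when format is NULL, so a caller bug like the one fixed in do_tgs_req.c now produces no log line instead of a crash, and the underlying lookup failure becomes invisible; consider emitting a placeholder line (for example the whoami prefix followed by "(null format)" and the error code) so the bad call site can still be located from the KDC log. The whoami check is needed as well, since whoami feeds the "%s" in the snprintf() immediately below and passing NULL there is undefined behaviour even on libcs that happen to print "(null)".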

  This patch is also available at

  A PGP-signed patch is available at


This announcement is posted at:

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:


CVE: CVE-2009-3295


This issue was independently discovered by Jeff Blaine, Radoslav Bodo,
Jakob Haufe, and Jorgen Wahlsten.


The MIT Kerberos Team security contact address is
<>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid     MIT Kerberos Team Security Contact <>


A null pointer dereference exists in new functionality added in
krb5-1.7.  This new functionality produces cross-realm referrals when
a client requests a ticket for a host-based service principal name.
Under certain error conditions, the function prep_reprocess_req() in
do_tgs_req.c calls the kdc_err() function with a null pointer as the
format string, which other code proceeds to dereference, causing a
crash on most platforms.
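The call chain described above is small enough to model directly. The following C program is an added example written for this page; it is not MIT krb5 code. It reproduces the shape of klog_com_err_proc() before and after the 1.7.1 patch behind a kdc_err()-style variadic wrapper, so the reader can see how a null format pointer travels through the va_list wrapper into vsnprintf(). All names ending in _model, the fixed program name "krb5kdc", the "(code N)" prefix and the sample host name are assumptions; only the message text "unable to find realm of host" is taken from the advisory's patch.

```c
/* Added example, not MIT krb5 code: a minimal model of the KDC error-logging
 * path from kdc_err() down to the logging procedure.  Names ending in _model
 * are hypothetical stand-ins for the krb5 functions they imitate. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Last formatted line, kept so callers (and tests) can inspect what was logged. */
static char last_line[LOGBUF];

/* Shared tail: appends "(code N) " when code is non-zero, then the formatted
 * message.  A NULL format reaching vsnprintf() here is the crash. */
static void append_message(long code, const char *format, va_list ap)
{
    size_t n = strlen(last_line);
    if (code != 0 && n < sizeof last_line) {
        snprintf(last_line + n, sizeof last_line - n, "(code %ld) ", code);
        n = strlen(last_line);
    }
    if (n < sizeof last_line)
        vsnprintf(last_line + n, sizeof last_line - n, format, ap);
}

/* Vulnerable shape (krb5-1.7 klog_com_err_proc): whoami and format are used
 * with no NULL check.  A NULL whoami hits the "%s" below (undefined
 * behaviour); a NULL format is dereferenced inside vsnprintf().  Kept only
 * for comparison; never call it with a NULL argument. */
void log_proc_unsafe_model(const char *whoami, long code,
                           const char *format, va_list ap)
{
    snprintf(last_line, sizeof last_line, "%s: ", whoami);
    append_message(code, format, ap);
}

/* Hardened shape: the 1.7.1 patch adds the NULL check and returns.  This model
 * goes one step further and records a placeholder line, so the error is not
 * silently dropped.  Returns 0 for a normally formatted message, -1 when an
 * argument was NULL. */
int log_proc_safe_model(const char *whoami, long code,
                        const char *format, va_list ap)
{
    if (whoami == NULL || format == NULL) {
        snprintf(last_line, sizeof last_line,
                 "%s: (code %ld) no message format supplied",
                 whoami ? whoami : "(null)", code);
        return -1;
    }
    snprintf(last_line, sizeof last_line, "%s: ", whoami);
    append_message(code, format, ap);
    return 0;
}

/* Stand-in for kdc_err(): the variadic wrapper through which the KDC's error
 * text reaches the logging procedure.  The program name is assumed. */
int kdc_err_model(long code, const char *format, ...)
{
    va_list ap;
    int rc;
    va_start(ap, format);
    rc = log_proc_safe_model("krb5kdc", code, format, ap);
    va_end(ap);
    return rc;
}

/* The two versions of the call in prep_reprocess_req() when no realm matches
 * the requested host: fixed == 0 reproduces the krb5-1.7 call (format 0),
 * fixed != 0 the patched call. */
int referral_no_match_model(long retval, int fixed)
{
    if (fixed)
        return kdc_err_model(retval, "unable to find realm of host");
    return kdc_err_model(retval, (const char *)0);
}

const char *last_log_line(void) { return last_line; }

int main(void)
{
    referral_no_match_model(0, 0);   /* would have crashed the unsafe path */
    puts(last_line);
    referral_no_match_model(0, 1);
    puts(last_line);
    return 0;
}
```

Compiled with warnings enabled, the literal 0 passed as a format is not diagnosed unless the wrapper's prototype is annotated; a printf-style format attribute or nonnull on kdc_err() would have caught the pre-patch call at build time. Keep any such nonnull annotation off the function that performs the run-time check, because the compiler is entitled to delete a NULL test on a parameter it has been promised is never NULL.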


2009-12-28	original release

Copyright (C) 2009 Massachusetts Institute of Technology

