Kerberos SPNEGO GSS-API Mechanism Flaw Lets Remote Users Deny Service
SecurityTracker Alert ID: 1023733
SecurityTracker URL: http://securitytracker.com/id/1023733
Date: Mar 24 2010
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): krb5-1.7 and later
A vulnerability was reported in Kerberos. A remote user can cause denial of service conditions.
The fix described for CVE-2009-0845 in conjunction with new functionality introduced in krb5-1.7 created a vulnerability. A remote user can send specially crafted data to cause the target GSS-API application (e.g., kadmind) to crash.
The vulnerability resides in the spnego_gss_accept_sec_context() function in 'src/lib/gssapi/spnego/spnego_mech.c'.
Nalin Dahyabhai, Jan iankko Lieskovsky, and Zbysek Mraz (all from Red Hat) reported this vulnerability.
A remote user can cause the target application to crash.
The vendor has issued a patch, available at:
The fix will be included in the upcoming krb5-1.7.2 and krb5-1.8.1 releases.
The vendor's advisory is available at:
Vendor URL: web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: MITKRB5-SA-2010-002 denial of service in SPNEGO [CVE-2010-0628 VU#839413]
-----BEGIN PGP SIGNED MESSAGE-----
MIT krb5 Security Advisory 2010-002
Original release: 2010-03-23
Last update: 2010-03-23
Topic: denial of service in SPNEGO
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
Access Vector: Network
Access Complexity: Low
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 6.1
Remediation Level: Official Fix
Report Confidence: Confirmed
In MIT krb5 releases krb5-1.7 and later, the SPNEGO GSS-API mechanism
can experience an assertion failure when receiving certain invalid
messages. This can cause a GSS-API application to crash.
This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.
An unauthenticated remote attacker could cause a GSS-API application,
including the Kerberos administration daemon (kadmind), to crash.
* kadmind in MIT releases krb5-1.7 and later
* FTP daemon in MIT releases krb5-1.7 and later
* Third-party software using the GSS-API library from MIT krb5
releases krb5-1.7 and later
* MIT releases prior to krb5-1.7 did not contain the vulnerable code.
* The upcoming krb5-1.7.2 and krb5-1.8.1 releases will contain fixes
for this vulnerability.
* Apply the patch available at
A PGP-signed patch is available at
This announcement is posted at:
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
The main MIT Kerberos web page is at:
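The affected and fixed version ranges above (krb5-1.7 and later affected; fixes in krb5-1.7.2 and krb5-1.8.1) are easy to misread when a host reports its version in a different shape. The following is an added example, not code from MIT or from this advisory: it parses a krb5 version string (bare "1.7.1", a package-style "krb5-1.8", or the "Kerberos 5 release 1.7.2" line printed by `krb5-config --version`) and classifies it against the ranges in this advisory. The function names, the treatment of releases after 1.8.1 as fixed, and the sample strings are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>

/* Added example, not MIT krb5 code. Extract major.minor[.patch] from a version
   string. Scans digit runs until one is followed by ".digits", so the "5" in
   "Kerberos 5 release 1.7.2" is skipped. A missing patch level is treated as 0
   (so "1.8" means 1.8.0). Returns 1 on success, 0 if no version was found. */
static int parse_krb5_version(const char *s, int v[3]) {
    for (const char *p = s; *p; p++) {
        if (!isdigit((unsigned char)*p)) continue;
        v[0] = v[1] = v[2] = 0;
        if (sscanf(p, "%d.%d.%d", &v[0], &v[1], &v[2]) >= 2) return 1;
        while (isdigit((unsigned char)*p)) p++;   /* skip this digit run and retry */
        if (!*p) break;
    }
    return 0;
}

/* Classify against MITKRB5-SA-2010-002:
   - releases before 1.7 did not contain the vulnerable code
   - 1.7 and 1.7.1 are affected; 1.7.2 carries the fix
   - 1.8 (1.8.0) is affected; 1.8.1 carries the fix
   Returns 1 = affected, 0 = not affected, -1 = unparsable or outside the 1.x scheme.
   Assumption (not stated by the advisory): releases after 1.8.1 postdate the fix. */
static int krb5_affected_by_sa_2010_002(const char *version) {
    int v[3];
    if (!parse_krb5_version(version, v)) return -1;
    if (v[0] != 1) return -1;
    if (v[1] < 7) return 0;
    if (v[1] == 7) return v[2] < 2;
    if (v[1] == 8) return v[2] < 1;
    return 0;
}

int main(int argc, char **argv) {
    /* Constructed sample input; pass a real version string as argv[1] instead. */
    const char *version = argc > 1 ? argv[1] : "Kerberos 5 release 1.7.1";
    int r = krb5_affected_by_sa_2010_002(version);
    printf("%s -> %s\n", version,
           r == 1 ? "AFFECTED (apply patch or upgrade to 1.7.2 / 1.8.1)"
         : r == 0 ? "not affected"
         : "could not parse version");
    return 0;
}
```

Feed it the output of `krb5-config --version` from each host to triage quickly; a result of -1 should be checked by hand rather than treated as safe.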
Thanks to Nalin Dahyabhai, Jan iankko Lieskovsky, and Zbysek Mraz (all
from Red Hat) for discovering and reporting this vulnerability.
The MIT Kerberos Team security contact address is
<firstname.lastname@example.org>. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact <email@example.com>
A patch to fix CVE-2009-0845 interacted poorly with new functionality
introduced in krb5-1.7. This allowed an error condition to occur
where receiving an invalid packet could cause an assertion failure,
crashing the program and causing denial of service.
When the spnego_gss_accept_sec_context() function (in
src/lib/gssapi/spnego/spnego_mech.c) receives an invalid packet during
the beginning of a GSS-API protocol exchange, it can set some internal
state that tells it to send an error token without first creating a
context handle, but some subsequently executed code contains a call to
assert() that requires that the context handle be non-null.
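The defect is an ordering problem: one path decides to answer with an error token and returns without creating a context handle, while later code asserts that a handle exists. The program below is an added example built for this page, not the krb5 source or a reconstruction of spnego_mech.c: it models an acceptor's first-token handling with a toy token format (a first byte of 0x60 stands for a well-formed initial token) and puts the vulnerable and hardened shapes of the later stage side by side. Because a real assert() would kill the process, the model records the would-be abort in a flag instead so the two shapes can be compared in a test; every type, function and packet here is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not krb5 code. Toy token encoding: byte 0 is a tag. */
#define TOK_INITIAL 0x60

enum status { S_CONTINUE = 0, S_COMPLETE = 1, S_DEFECTIVE_TOKEN = 2 };

struct spnego_ctx {
    int mech_negotiated;
};

struct accept_state {
    struct spnego_ctx *ctx;   /* context handle; NULL until created */
    int send_error_token;     /* an invalid packet must be answered with an error token */
    int aborted;              /* stands in for the process-killing assert() */
};

/* Stage 1: examine the first packet of the exchange. On an invalid packet the
   acceptor notes that an error token is due and returns; the context handle is
   deliberately left NULL here, which is the state the advisory describes. */
static enum status accept_first_token(struct accept_state *st,
                                      const uint8_t *tok, size_t len) {
    if (len == 0 || tok[0] != TOK_INITIAL) {
        st->send_error_token = 1;
        return S_DEFECTIVE_TOKEN;
    }
    st->ctx = calloc(1, sizeof *st->ctx);
    return S_CONTINUE;
}

/* Stage 2, vulnerable shape: assumes a context handle always exists by now.
   The advisory's code had assert(ctx != NULL) at this point; on the error-token
   path that assertion fails and the daemon dies. Modelled as a flag. */
static void finish_vulnerable(struct accept_state *st, enum status s) {
    if (st->ctx == NULL) { st->aborted = 1; return; }  /* models assert(st->ctx != NULL) */
    if (s == S_CONTINUE) st->ctx->mech_negotiated = 1;
}

/* Stage 2, hardened shape: the error-token path is handled before any code that
   requires a context handle, so a malformed first packet yields an error reply
   rather than an assertion failure. */
static void finish_hardened(struct accept_state *st, enum status s) {
    if (st->send_error_token) {
        /* Build and send the error token here; no context handle is needed. */
        return;
    }
    if (st->ctx == NULL) { st->aborted = 1; return; }  /* invariant now holds on non-error paths only */
    if (s == S_CONTINUE) st->ctx->mech_negotiated = 1;
}

/* Run one exchange end to end; returns 1 if the acceptor would have aborted. */
static int run_exchange(const uint8_t *tok, size_t len, int hardened) {
    struct accept_state st = { NULL, 0, 0 };
    enum status s = accept_first_token(&st, tok, len);
    if (hardened) finish_hardened(&st, s); else finish_vulnerable(&st, s);
    free(st.ctx);
    return st.aborted;
}

int main(void) {
    /* Constructed sample packets: a well-formed initial token and a garbage one. */
    const uint8_t good[] = { TOK_INITIAL, 0x01 };
    const uint8_t bad[]  = { 0xff, 0x01 };
    printf("valid token,   vulnerable stage 2: aborted=%d\n", run_exchange(good, sizeof good, 0));
    printf("invalid token, vulnerable stage 2: aborted=%d\n", run_exchange(bad, sizeof bad, 0));
    printf("invalid token, hardened stage 2:   aborted=%d\n", run_exchange(bad, sizeof bad, 1));
    return 0;
}
```

The general lesson for acceptor code of this kind is that any "reply with an error and stop" decision taken before a handle is allocated must be acted on before reaching code whose preconditions assume the handle; an assert() is a statement about internal invariants, not a substitute for input validation on an unauthenticated path.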
2010-03-23 original release
Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
-----END PGP SIGNATURE-----