


Category: Application (Security) > Kerberos
Vendors: MIT
Kerberos SPNEGO GSS-API Mechanism Flaw Lets Remote Users Deny Service
SecurityTracker Alert ID:  1023733
SecurityTracker URL:
CVE Reference: CVE-2010-0628
Date:  Mar 24 2010
Impact:   Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): krb5-1.7 and later
Description:   A vulnerability was reported in Kerberos. A remote user can cause denial of service conditions.

The fix described for CVE-2009-0845 in conjunction with new functionality introduced in krb5-1.7 created a vulnerability. A remote user can send specially crafted data to cause the target GSS-API application (e.g., kadmind) to crash.

The vulnerability resides in the spnego_gss_accept_sec_context() function in 'src/lib/gssapi/spnego/spnego_mech.c'.

Nalin Dahyabhai, Jan iankko Lieskovsky, and Zbysek Mraz (all from Red Hat) reported this vulnerability.

Impact:   A remote user can cause the target application to crash.
Solution:   The vendor has issued a patch, available at:

The fix will be included in the upcoming krb5-1.7.2 and krb5-1.8.1 releases.

The vendor's advisory is available at:

Vendor URL:
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

Source Message Contents

Subject:  MITKRB5-SA-2010-002 denial of service in SPNEGO [CVE-2010-0628 VU#839413]



MIT krb5 Security Advisory 2010-002
Original release: 2010-03-23
Last update: 2010-03-23

Topic: denial of service in SPNEGO



CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.1

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed


In MIT krb5 releases krb5-1.7 and later, the SPNEGO GSS-API mechanism
can experience an assertion failure when receiving certain invalid
messages. This can cause a GSS-API application to crash.

This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.


An unauthenticated remote attacker could cause a GSS-API application,
including the Kerberos administration daemon (kadmind), to crash.


* kadmind in MIT releases krb5-1.7 and later

* FTP daemon in MIT releases krb5-1.7 and later

* Third-party software using the GSS-API library from MIT krb5
  releases krb5-1.7 and later

* MIT releases prior to krb5-1.7 did not contain the vulnerable code.


* The upcoming krb5-1.7.2 and krb5-1.8.1 releases will contain fixes
  for this vulnerability.

* Apply the patch available at

  A PGP-signed patch is available at


This announcement is posted at:

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:


CVE: CVE-2010-0628

CERT: VU#839413


Thanks to Nalin Dahyabhai, Jan iankko Lieskovsky, and Zbysek Mraz (all
from Red Hat) for discovering and reporting this vulnerability.


The MIT Kerberos Team security contact address is
<>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid     MIT Kerberos Team Security Contact <>


A patch to fix CVE-2009-0845 interacted poorly with new functionality
introduced in krb5-1.7.  This allowed an error condition to occur
where receiving an invalid packet could cause an assertion failure,
crashing the program and causing denial of service.

When the spnego_gss_accept_sec_context() function (in
src/lib/gssapi/spnego/spnego_mech.c) receives an invalid packet during
the beginning of a GSS-API protocol exchange, it can set some internal
state that tells it to send an error token without first creating a
context handle, but some subsequently executed code contains a call to
assert() that requires that the context handle be non-null.
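The failure mode described above, as an added C model that is not krb5's own code: a constructed acceptor whose error-token path skips context creation, beside a hardened version that rejects malformed input before any code assuming a context handle runs. The token check, the context struct, the return codes and the sample tokens are assumptions of the model; where krb5 called assert(), the model returns a distinct code so the outcome can be observed without aborting.

```c
#include <stdlib.h>

/* Constructed model of an SPNEGO acceptor (not krb5's code): the context
 * handle is created on the first round and reused on later ones. */
typedef struct { int rounds; } spnego_ctx;
enum { ACC_CONTINUE = 0, ACC_REJECT = 1, ACC_ASSERT_FAIL = 2 };

/* Stand-in for parsing: a well-formed initial GSS-API token starts with
 * the ASN.1 tag 0x60 ([APPLICATION 0], constructed). */
static int token_is_valid(const unsigned char *tok, size_t len) {
    return len > 0 && tok[0] == 0x60;
}

/* Vulnerable shape: an invalid first token sets "send error token" but
 * leaves *ctx NULL; the shared exit path then assumes a context exists.
 * Where krb5 hit assert() the model returns ACC_ASSERT_FAIL instead. */
int accept_vulnerable(spnego_ctx **ctx, const unsigned char *tok, size_t len) {
    int send_error_token = 0;
    if (*ctx == NULL) {
        if (token_is_valid(tok, len))
            *ctx = calloc(1, sizeof **ctx);
        else
            send_error_token = 1;      /* state set, no context created */
    }
    if (*ctx == NULL)                  /* assert(*ctx != NULL) in krb5 */
        return ACC_ASSERT_FAIL;
    return send_error_token ? ACC_REJECT : ACC_CONTINUE;
}

/* Hardened shape: malformed input is rejected before any code that
 * assumes a context handle, so untrusted input never reaches the assert. */
int accept_fixed(spnego_ctx **ctx, const unsigned char *tok, size_t len) {
    if (*ctx == NULL) {
        if (!token_is_valid(tok, len))
            return ACC_REJECT;         /* error path needs no context */
        *ctx = calloc(1, sizeof **ctx);
        if (*ctx == NULL)
            return ACC_REJECT;         /* allocation failure: fail closed */
    }
    return ACC_CONTINUE;
}
/* Constructed sample tokens and a driver for one first-round call. */
static const unsigned char GOOD_TOKEN[] = { 0x60, 0x00 };
static const unsigned char BAD_TOKEN[]  = { 0x30, 0x00 };
int first_call(int (*fn)(spnego_ctx **, const unsigned char *, size_t),
               const unsigned char *tok, size_t len) {
    spnego_ctx *ctx = NULL;
    int rc = fn(&ctx, tok, len);
    free(ctx);
    return rc;
}
```

The point to carry over to real code is the ordering: input validation must complete, and its error path must return, before any code whose invariants (here, a non-null context) only hold for well-formed input.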


2010-03-23      original release

Copyright (C) 2010 Massachusetts Institute of Technology

