Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   kadmind (Kerberos)    Vendors:   MIT
Kerberos kadmind Memory Error Lets Remote Authenticated Users Deny Service
SecurityTracker Alert ID:  1023821
SecurityTracker URL:
CVE Reference:   CVE-2010-0629   (Links to External Site)
Updated:  Apr 7 2010
Original Entry Date:  Apr 6 2010
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): krb5-1.5 through krb5-1.6.3
Description:   A vulnerability was reported in Kerberos kadmind. A remote authenticated user can cause denial of service conditions.

A remote authenticated user can send an unrecognized kadmin API version number (or other data that makes the init_2_svc RPC stub fail) to cause the target service to reference previously freed memory and crash.

Simply using a newer version of the kadmin protocol than the server supports (for example, a krb5-1.8 kadmin client against a krb5-1.5 through krb5-1.6.3 kadmind) triggers this flaw; no malicious intent is required.

Sol Jerome reported this vulnerability.

Impact:   A remote authenticated user can cause the target service to crash.
Solution:   The vendor has issued a fix (krb5-1.7).

A patch is also available at:

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   State error (use-after-free)
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 7 2010 (Red Hat Issues Fix) Kerberos kadmind Memory Error Lets Remote Authenticated Users Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Sep 29 2010 (Sun Issues Fix) Kerberos kadmind Memory Error Lets Remote Authenticated Users Deny Service
Sun has issued a fix for OpenSolaris.

 Source Message Contents

Subject:  MITKRB5-SA-2010-003 [CVE-2010-0629] denial of service in kadmind in older krb5 releases



MIT krb5 Security Advisory 2010-003
Original release: 2010-04-06
Last update: 2010-04-06

Topic: denial of service in kadmind in older krb5 releases

SUMMARY
=======

denial of service in kadmind in older krb5 releases


CVSSv2 Base Score:      6.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  5.3

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed


In previous MIT krb5 releases krb5-1.5 through krb5-1.6.3, the
Kerberos administration daemon (kadmind) can crash due to referencing
freed memory.  A legitimate user can trigger this crash by using a
newer version of the kadmin protocol than the server supports.

This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.  This vulnerability is not
present in modern releases of MIT krb5.

IMPACT
======

An authenticated remote attacker could crash the Kerberos
administration daemon (kadmind), causing a denial of service.

AFFECTED SOFTWARE
=================

* kadmind in MIT releases krb5-1.5 through krb5-1.6.3.

FIXES
=====

* The krb5-1.7 release already contains a fix for this vulnerability.

* Apply the patch below.  The corresponding SVN revision (r22427) in
  our source tree contains additional use-after-free bugfixes; we
  believe that it is impractical for an attacker to induce execution
  of these sections of code.

Index: src/kadmin/server/server_stubs.c
- --- src/kadmin/server/server_stubs.c	(revision 22426)
+++ src/kadmin/server/server_stubs.c	(revision 22427)
@@ -1628,7 +1628,7 @@
      if (ret.code != 0)
- -	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+	 errmsg = krb5_get_error_message(NULL, ret.code);
 	 errmsg = "success";
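Review bot: the null check in the removed line (`handle ? handle->context : NULL`) only guards against a NULL handle, not against a handle that has already been freed, which is why it did nothing here; passing NULL is memory-safe, but it means krb5_get_error_message can only return the generic com_err text for ret.code rather than any extended message set on that context, so the client-visible error for a rejected API version becomes less specific. A lifetime fix (have the routine that frees the handle clear the caller's pointer, and consult the context only while it is live) would keep the extended message; at minimum add a comment saying why NULL is passed so a later cleanup does not reintroduce the dereference. Note also that the hunk header promises 7 lines per side but only 4 appear (the `else` between the changed line and `errmsg = "success";` is missing), and the `- ---` and `- -` prefixes are PGP cleartext dash-escaping, so apply the patch from the linked plain or PGP-signed copy, or strip the `- ` escaping, rather than from this quoted text.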

  This patch is also available at

  A PGP-signed patch is available at

REFERENCES
==========

This announcement is posted at:

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:

This bug has been public for a while at

but the security consequence has not been previously widely known.
The security consequence was first made public in a limited context in
the Debian bug found at


CVE: CVE-2010-0629

ACKNOWLEDGMENTS
===============

Thanks to Sol Jerome for reporting the kadmind crash to Debian.

CONTACT
=======

The MIT Kerberos Team security contact address is
<>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid     MIT Kerberos Team Security Contact <>

DETAILS
=======

MIT krb5 bug #5998 contains the earliest description of this bug.
Debian bug #567052 (referenced above) contains the first public
indication of the security consequence of this bug.  Under error
conditions, such as receiving an invalid kadmin API version number,
the kadmin RPC stub init_2_svc() attempts to call
krb5_get_error_message() on a krb5_context handle that is in a
previously-freed kadm5_server_handle_t object.  This typically results
in a read operation on an invalid pointer, causing a crash and denial
of service.  Releases prior to krb5-1.5 did not use extended error
information in this way, and therefore do not include the vulnerable

The most likely cause of a crash is a legitimate user running a kadmin
client from the krb5-1.8 or newer release, which sends an API version
number not recognized by earlier releases.
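The lifetime bug described in the DETAILS section and the r22427 fix from the FIXES section, as an added example written for this page rather than MIT's own kadmind code. Every name here is a stand-in: krb5_context_s, kadm5_server_handle_s, get_error_message(), new_server_handle_model(), the two init_2_svc_* stubs, and the constants SERVER_MAX_API_VERSION (the modelled server speaks API version 2, so 3 plays the "newer than the server supports" client) and KADM5_BAD_API_VERSION are all assumed for illustration and do not match MIT's real definitions or error codes.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values for this stand-in (not MIT's real constants). */
#define SERVER_MAX_API_VERSION  2
#define KADM5_BAD_API_VERSION   1001   /* stand-in error code */

/* Stand-in for krb5_context: holds an "extended" error string. */
typedef struct {
    const char *extended_msg;
} krb5_context_s;

/* Stand-in for kadm5_server_handle_t. */
typedef struct {
    krb5_context_s *context;
    int api_version;
} kadm5_server_handle_s, *kadm5_server_handle_t;

static void free_server_handle(kadm5_server_handle_t h)
{
    if (h == NULL)
        return;
    free(h->context);
    free(h);
}

/* Stand-in for krb5_get_error_message(): with a context, prefer the extended
 * message stored on it; with NULL, fall back to a static com_err-style table.
 * Passing NULL is always memory-safe, but loses the extended text. */
static const char *get_error_message(const krb5_context_s *ctx, int code)
{
    if (ctx != NULL && ctx->extended_msg != NULL)
        return ctx->extended_msg;
    switch (code) {
    case 0:                     return "success";
    case KADM5_BAD_API_VERSION: return "Unsupported kadmin API version";
    case ENOMEM:                return "Cannot allocate memory";
    default:                    return "Unknown error";
    }
}

/* Models the handle-creation step the RPC stub calls, reproducing the lifetime
 * bug the advisory describes: the caller's pointer is set before the version
 * check, and on failure the handle is freed but the caller's copy dangles. */
static int new_server_handle_model(int api_version, kadm5_server_handle_t *out)
{
    kadm5_server_handle_t h = calloc(1, sizeof(*h));
    if (h == NULL)
        return ENOMEM;
    h->context = calloc(1, sizeof(*h->context));
    if (h->context == NULL) {
        free(h);
        return ENOMEM;
    }
    *out = h;
    if (api_version > SERVER_MAX_API_VERSION) {
        h->context->extended_msg = "client requested a newer kadmin API version";
        free_server_handle(h);      /* *out still points at freed memory */
        return KADM5_BAD_API_VERSION;
    }
    h->api_version = api_version;
    return 0;
}

/* Pre-r22427 pattern: the null check cannot tell a dangling pointer from a
 * live one, so on the error path handle->context is read from freed memory.
 * Use-after-free: call it only under ASan or Valgrind (see main). */
static const char *init_2_svc_vulnerable(int api_version)
{
    kadm5_server_handle_t handle = NULL;
    const char *errmsg;
    int code = new_server_handle_model(api_version, &handle);

    if (code != 0)
        errmsg = get_error_message(handle ? handle->context : NULL, code);
    else {
        errmsg = "success";
        free_server_handle(handle);
    }
    return errmsg;
}

/* Post-r22427 pattern: the handle is never touched on the error path, at the
 * cost of reporting the generic table message instead of the extended one. */
static const char *init_2_svc_fixed(int api_version)
{
    kadm5_server_handle_t handle = NULL;
    const char *errmsg;
    int code = new_server_handle_model(api_version, &handle);

    if (code != 0)
        errmsg = get_error_message(NULL, code);
    else {
        errmsg = "success";
        free_server_handle(handle);
    }
    return errmsg;
}

int main(int argc, char **argv)
{
    printf("API v2 client -> %s\n", init_2_svc_fixed(2));
    printf("API v3 client -> %s\n", init_2_svc_fixed(3));
    /* Build with -fsanitize=address and run with --uaf to see the report. */
    if (argc > 1 && strcmp(argv[1], "--uaf") == 0)
        printf("vulnerable stub -> %s\n", init_2_svc_vulnerable(3));
    return 0;
}
```

Running the binary plainly exercises only the fixed stub; `./a.out --uaf` after compiling with `-fsanitize=address` makes the vulnerable stub's heap-use-after-free visible, which is the crash a krb5-1.8 client would provoke against an unpatched kadmind. The model also shows why a null check was never the right guard: the real defence is either never dereferencing the handle after the creation routine has failed (the shipped fix) or having that routine clear the caller's pointer when it frees the object.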

REVISION HISTORY
================

2010-04-06      original release

Copyright (C) 2010 Massachusetts Institute of Technology

