Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   Kerberos Vendors:   MIT
Kerberos Null Pointer Dereference in process_tgs_req() Lets Remote Authenticated Users Deny Service
SecurityTracker Alert ID:  1026374
SecurityTracker URL:
CVE Reference:   CVE-2011-1530   (Links to External Site)
Date:  Dec 6 2011
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): krb5-1.9 and later
Description:   A vulnerability was reported in Kerberos. A remote authenticated user can cause denial of service conditions.

A remote authenticated user (principal in the target KDC's domain) can send specially crafted data to trigger a null pointer dereference in the Ticket Granting Service (TGS) request processing and cause the target KDC to crash.

The vulnerability resides in the process_tgs_req() function.

Simo Sorce reported this vulnerability.

Impact:   A remote authenticated user can cause the target KDC to crash.
Solution:   The vendor has issued a patch, available at:

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 7 2011 (Red Hat Issues Fix) Kerberos Null Pointer Dereference in process_tgs_req() Lets Remote Authenticated Users Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 6.

 Source Message Contents

Subject:  MITKRB5-SA-2011-007 KDC null pointer dereference in TGS handling [CVE-2011-1530]

Hash: SHA1


MIT krb5 Security Advisory 2011-007
Original release: 2011-12-06
Last update: 2011-12-06

Topic: KDC null pointer dereference in TGS handling

KDC null pointer dereference in TGS handling

CVSSv2 Vector:          AV:N/AC:L/Au:S/C:N/I:C/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      6.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  5.9

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed


In releases krb5-1.9 and later, the KDC can crash due to a null
pointer dereference in code that handles TGS (Ticket Granting Service)
requests.  The trigger condition is trivial to produce using
unmodified client software, but requires the ability to authenticate
as a principal in the KDC's realm.


An authenticated remote attacker can crash a KDC via null pointer


* The KDC in krb5-1.9 and later is vulnerable.  Earlier releases
  predate the internal interface changes that led to this


* Workaround: restart the KDC when it crashes, possibly using an
  automated monitoring process.

* Apply the patch:

diff --git a/src/kdc/ b/src/kdc/
index f46cad3..102fbaa 100644
- --- a/src/kdc/
+++ b/src/kdc/
@@ -67,6 +67,7 @@ check-unix:: rtest
 	$(RUNPYTEST) $(srcdir)/ $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/ $(PYTESTFLAGS)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c169c54..840a2ef 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -243,7 +243,8 @@ tgt_again:
                     if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
                         errcode = find_alternate_tgs(request, &server);
                         firstpass = 0;
- -                        goto tgt_again;
+                        if (errcode == 0)
+                            goto tgt_again;
                 status = "UNKNOWN_SERVER";
diff --git a/src/kdc/ b/src/kdc/
new file mode 100644
index 0000000..1760bcd
- --- /dev/null
+++ b/src/kdc/
@@ -0,0 +1,8 @@
+from k5test import *
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+    fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')

  This patch is also available at

  A PGP-signed patch is available at


This announcement is posted at:

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:


CVE: CVE-2011-1530


Simo Sorce discovered this vulnerability.


The MIT Kerberos Team security contact address is
<>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact <>


The process_tgs_req() function in the KDC has logic that attempts to
find an alternative service principal if the service principal in the
client's TGS-REQ is unknown.  If the find_alternate_tgs() helper
function returns an error that is not KRB5_KDB_NOENTRY, it leaves the
server variable holding a null pointer.  The process_tgs_req()
function improperly ignores that error, and proceeds to call functions
that dereference the null pointer.

Prior to krb5-1.9, the krb5_db_get_principal() function and related
interfaces had output parameters "more" and "nprincs".  The krb5-1.9
release includes changes to these interfaces so that they no longer
have those outputs.  Prior to krb5-1.9, the find_alternate_tgs()
function in the KDC had a void return type, and indicated failure by
setting its "more" and "nprincs" outputs appropriately.  Its interface
changed in krb5-1.9 to instead return an error code, with
corresponding changes to process_tgs_req(); these changes to
process_tgs_req() were flawed and allow errors other than
KRB5_KDB_NOENTRY to cause a null pointer dereference.

The vulnerable code executes after the KDC authenticates the request,
so an attacker must have first obtained valid initial Kerberos
credentials for the target realm.


2011-12-06      original release

Copyright (C) 2011 Massachusetts Institute of Technology
Version: GnuPG v1.4.8 (SunOS)


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC