Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   Kerberos Vendors:   MIT
Kerberos KDC Input Validation Flaw in process_as_req() Lets Remote Users Deny Service
SecurityTracker Alert ID:  1023593
SecurityTracker URL:
CVE Reference:   CVE-2010-0283   (Links to External Site)
Updated:  Feb 17 2010
Original Entry Date:  Feb 16 2010
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5-1.7 and later
Description:   A vulnerability was reported in Kerberos. A remote user can cause denial of service conditions.

A remote user can send a specially crafted request to the target KDC process to trigger a flaw in the process_as_req() process cause the target service to crash.

Versions prior to krb5-1.7 are not affected.

Emmanuel Bouillon (NATO C3 Agency) reported this vulnerability.

Impact:   A remote user can a KDC process to crash.
Solution:   The vendor has issued a patch for krb5-1.7 and krb5-1.7.1. The patch will be included in the upcoming krb5-1.7.2 release and the final krb5-1.8 release.

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  MITKRB5-SA-2010-001 [CVE-2010-0283] krb5-1.7 KDC denial of service

Hash: SHA1


MIT krb5 Security Advisory 2010-001
Original release: 2010-02-16
Last update: 2010-02-16

Topic: krb5-1.7 KDC denial of service

krb5-1.7 KDC denial of service

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.4

Exploitability:         Functional
Remediation Level:      Official Fix
Report Confidence:      Confirmed


Improper input validation in the KDC can cause an assertion failure
and process termination.  A functional exploit exists, but is not
known to be publicly circulated.  Releases prior to krb5-1.7 did not
contain the vulnerable code.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.


An unauthenticated remote attacker can send an invalid request to a
KDC process that will cause it to crash due to an assertion failure,
creating a denial of service.


* KDC in MIT krb5-1.7 and later

* Prerelease (alpha test) code for krb5-1.8 is also vulnerable.


* The upcoming krb5-1.7.2 release will contain a fix for this

* The final krb5-1.8 release will contain a fix for this

* For the krb5-1.7 and krb5-1.7.1 releases, apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 52fbda5..680e6a1 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     session_key.contents = 0;
     enc_tkt_reply.authorization_data = NULL;
+    if (request->msg_type != KRB5_AS_REQ) {
+        status = "msg_type mismatch";
+        errcode = KRB5_BADMSGTYPE;
+        goto errout;
+    }
     errcode = kdc_make_rstate(&state);
     if (errcode != 0) {
 	status = "constructing state";
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 12180ff..c8cf692 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     retval = decode_krb5_tgs_req(pkt, &request);
     if (retval)
         return retval;
+    if (request->msg_type != KRB5_TGS_REQ)
+        return KRB5_BADMSGTYPE;
      * setup_server_realm() sets up the global realm-specific data pointer.
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index d88e0cb..2639047 100644
- --- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error
     krb5_data *encoded_e_data = NULL;
     memset(outer_pa, 0, sizeof(outer_pa));
- -    if (!state->armor_key)
+    if (!state || !state->armor_key)
 	return 0;
     fx_error = *err; = NULL;

  This patch is also available at

  A PGP-signed patch is available at

* The above patch will apply to krb5-1.8 prerelease code if whitespace
  is ignored.


This announcement is posted at:

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:


CVE: CVE-2010-0283


Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and
reporting this vulnerability.


The MIT Kerberos Team security contact address is
<>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid     MIT Kerberos Team Security Contact <>


In new code introduced in the KDC for the krb5-1.7 release, code that
handles authorization data (handle_tgt_authdata()) contains a call to
assert() that ensures that the function arguments are consistent with
value of the msg_type field of the request that it is processing.
This assertion can fail because the msg_type can be inconsistent with
the ASN.1 tag that previously-executed code used to choose whether to
process the request as a request for initial tickets (AS-REQ) or as a
request for additional tickets (TGS-REQ).


2010-02-16      original release

Copyright (C) 2010 Massachusetts Institute of Technology
Version: GnuPG v1.4.8 (SunOS)



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC