HOME > VULNERABILITY NOTES


   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2010-01
MIT Kerberos KDC Cross-Realm Referral Denial of Service Vulnerability

Original Issue Date: January 06, 2010

Severity Rating: Medium

System Affected

  • MIT krb5 release krb5-1.7

Overview

A vulnerability has been reported in Kerberos, which can be exploited by remote attackers to cause a DoS (Denial of Service) condition.

Description

This vulnerability is caused due to a NULL pointer dereference error in the KDC cross-realm referral processing implementation. The kdc_err() function of the KDC cross-realm referral processing code (do_tgs_req.c), could cause the target KDC to crash while processing specially crafted data. A remote attacker could exploit this vulnerability by sending specially crafted data to trigger a null pointer dereference error, which could cause a denial of service condition.

Solution

Upgrade to krb5-1.7.1 or apply patch:
http://web.mit.edu/kerberos/advisories/2009-003-patch.txt

Vendor Information

Massachusetts Institute of Technology (MIT)
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt

References

Massachusetts Institute of Technology (MIT)
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt

SecurityFocus
http://www.securityfocus.com/bid/37486
http://www.securityfocus.com/archive/1/archive/1/508622/100/0
/threaded

SecurityTracker
http://securitytracker.com/alerts/2009/Dec/1023392.html

Secunia
http://secunia.com/advisories/37977

VUPEN
http://www.vupen.com/english/advisories/2009/3652

CVE Name
CVE-2009-3295

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003