{"vuid":"VU#550464","idnumber":"550464","name":"MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not properly terminate loop","keywords":["MIT","Kerberos","Key Distribution Center","KDC","libraries","denial of service","DoS","infinite loop","BER","sequence","asn.1"],"overview":"The asn1buf_skiptail() function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service on a Key Distribution Center (KDC), application server, or Kerberos client.","clean_desc":"As described on the MIT Kerberos web site: \"Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\" MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions. Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). The Basic Encoding Rules (BER) describe how to represent the values of ASN.1 types in byte strings. The MIT Kerberos 5 library function asn1buf_skiptail() contains a loop that does not properly check either the end of a buffer or the position of a pointer into the buffer. A specially crafted BER encoding in an ASN.1 sequence can cause asn1buf_skiptail() to enter an infinite loop, resulting in a denial of service. MITKRB5-SA-2004-003 provides further detail: The ASN.1 decoder in the MIT krb5 library handles indefinite-length\nBER encodings for the purpose of backwards compatibility with some\nnon-conformant implementations. The ASN.1 decoders call\nasn1buf_sync() to skip any trailing unrecognized fields in the\nencoding of a SEQUENCE type. asn1buf_sync() calls asn1buf_skiptail()\nif the ASN.1 SEQUENCE type being decoded was encoded with an\nindefinite length.\nasn1buf_sync() is provided with a prefetched BER\ntag; a placeholder tag is provided by the prefetching code in the case\nwhere there are no more octets in a sub-encoding. The loop in asn1buf_skiptail() which attempts to skip trailing\nsub-encodings of an indefinite-length SEQUENCE type does not properly\ncheck for end-of-subbuffer conditions or for the placeholder tag,\nleading to an infinite loop. Valid BER encodings cannot cause this\ncondition; however, it is trivial to construct a corrupt encoding\nwhich will trigger the infinite loop.","impact":"An unauthenticated, remote attacker could cause a denial of service on a KDC or application server. An attacker who is able to impersonate a KDC or application server may be able to cause a denial of service on Kerberos clients.","resolution":"Apply a patch\nApply the appropriate patch(es) referenced in MITKRB5-SA-2004-003 or specified by your vendor.\nUpgrade\nAccording to MITKRB5-SA-2004-003, \"The upcoming krb5-1.3.5 release will contain fixes for these problems.\"","workarounds":"Restrict access\nDepending on network architecture, it may be practical to restrict access to KDC servers (88/udp) from untrusted networks such as the Internet. Due to network application requirements, it may be possible, but less practical, to limit access from Kerberos clients to trusted KDC and application servers. While these workarounds will help to limit the source of attacks, they will not prevent attacks from trusted hosts or networks, or from attackers who can successfully spoof their source addresses.","sysaffected":"","thanks":"Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors.\nMITKRB5-SA-2004-003 acknowledges Will Fiveash and Nico Williams.","author":"This document was written by Art Manion.","public":["http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt","http://web.mit.edu/kerberos/www/","http://www.cert.org/advisories/CA-2001-18.html#asn1-ber","http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#asn1","http://www.itu.int/ITU-T/asn1/","http://www.itu.int/ITU-T/studygroups/com10/languages/","http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbfirewall","http://www.securitytracker.com/alerts/2004/Aug/1011107.html"],"cveids":["CVE-2004-0644"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-07-16T13:01:32Z","publicdate":"2004-08-31T00:00:00Z","datefirstpublished":"2004-09-02T17:42:06Z","dateupdated":"2004-09-03T20:22:10Z","revision":18,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"14","cam_population":"18","cam_impact":"8","cam_easeofexploitation":"14","cam_attackeraccessrequired":"15","cam_scorecurrent":"16.443","cam_scorecurrentwidelyknown":"19.278","cam_scorecurrentwidelyknownexploited":"30.618","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":16.443,"vulnote":null}
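The description above explains the bug mechanically: a loop that skips the trailing sub-encodings of an indefinite-length BER SEQUENCE exits only when it sees an end-of-contents (EOC) tag, and never checks whether the sub-buffer has run out or whether the prefetch has handed it the placeholder tag. The following C program is an added illustration written for this page; it is not MIT krb5 code and does not reproduce asn1buf_skiptail() or asn1buf_sync(). The placeholder tag value, the iteration cap, the function names and the byte strings are all constructed for the demo. It puts a skip loop in the unchecked shape the advisory describes next to a checked version that fails on buffer exhaustion, verifies both EOC octets, and refuses to continue without forward progress, then feeds both a valid encoding, a nested one, and two corrupt ones (EOC missing; a definite length that runs past the end of the buffer).

```c
/* Added illustration, not MIT krb5 code: skipping the trailing sub-encodings of an
 * indefinite-length BER SEQUENCE, unchecked (as the advisory describes) and checked. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { SKIP_OK = 0, SKIP_TRUNCATED, SKIP_MALFORMED, SKIP_LOOP_DETECTED } skip_result;
#define PLACEHOLDER_TAG 0x100 /* hypothetical stand-in for the prefetch's placeholder tag */
#define ITERATION_CAP   1000u /* demo-only guard so the flawed loop returns instead of spinning */
static skip_result skip_tail_checked(const uint8_t *buf, size_t end, size_t *pos);

/* Single-octet tag plus short/long definite length, or the indefinite form (0x80).
 * Returns -1 on a truncated header. Caller guarantees *pos <= end. */
static int read_header(const uint8_t *buf, size_t end, size_t *pos,
                       uint8_t *tag, size_t *len, int *indefinite) {
    size_t p = *pos;
    if (end - p < 2) return -1;                       /* need tag + first length octet */
    *tag = buf[p++];
    uint8_t l = buf[p++];
    *len = 0;
    *indefinite = (l == 0x80);
    if (l < 0x80) *len = l;
    else if (l > 0x80) {                              /* long form: n length octets follow */
        size_t n = l & 0x7f;
        if (n == 0x7f || n > sizeof(size_t) || end - p < n) return -1;
        while (n--) *len = (*len << 8) | buf[p++];
    }
    *pos = p;
    return 0;
}

/* Skip one complete sub-encoding starting at *pos. */
static skip_result skip_element(const uint8_t *buf, size_t end, size_t *pos) {
    uint8_t tag; size_t len; int indefinite;
    if (read_header(buf, end, pos, &tag, &len, &indefinite) != 0) return SKIP_TRUNCATED;
    if (indefinite) return skip_tail_checked(buf, end, pos); /* contents run to EOC */
    if (len > end - *pos) return SKIP_TRUNCATED;              /* length past buffer end */
    *pos += len;
    return SKIP_OK;
}

/* Prefetch: the next tag, or the placeholder once the sub-buffer is exhausted. */
static int peek_tag(const uint8_t *buf, size_t end, size_t pos) { return pos < end ? buf[pos] : PLACEHOLDER_TAG; }

/* Flawed shape: exits only on an EOC tag and never tests end of buffer or the
 * placeholder, so once the prefetch returns the placeholder *pos stops moving and
 * the loop never ends (capped here so the demo terminates). */
static skip_result skip_tail_unchecked(const uint8_t *buf, size_t end, size_t *pos) {
    unsigned iters = 0;
    for (int tag = peek_tag(buf, end, *pos); tag != 0x00; tag = peek_tag(buf, end, *pos)) {
        if (++iters > ITERATION_CAP) return SKIP_LOOP_DETECTED;
        if (tag != PLACEHOLDER_TAG) (void)skip_element(buf, end, pos); /* errors ignored */
    }
    *pos += 2;                                                         /* assumes a full EOC */
    return SKIP_OK;
}

/* Checked shape: fail on exhaustion, verify both EOC octets, require progress. */
static skip_result skip_tail_checked(const uint8_t *buf, size_t end, size_t *pos) {
    for (;;) {
        if (*pos >= end) return SKIP_TRUNCATED;                /* ran out before EOC */
        if (buf[*pos] == 0x00) {                               /* EOC candidate: 00 00 */
            if (end - *pos < 2) return SKIP_TRUNCATED;
            if (buf[*pos + 1] != 0x00) return SKIP_MALFORMED;
            *pos += 2;
            return SKIP_OK;
        }
        size_t before = *pos;
        skip_result r = skip_element(buf, end, pos);
        if (r != SKIP_OK) return r;
        if (*pos <= before) return SKIP_MALFORMED;             /* no-progress guard */
    }
}

/* Decode the outer indefinite-length SEQUENCE header, then skip its trailing
 * fields with either loop; *consumed receives the offset reached. */
skip_result skip_indefinite_sequence(const uint8_t *buf, size_t len, int checked, size_t *consumed) {
    uint8_t tag; size_t l; int indefinite; size_t pos = 0;
    if (read_header(buf, len, &pos, &tag, &l, &indefinite) != 0) return SKIP_TRUNCATED;
    if (tag != 0x30 || !indefinite) return SKIP_MALFORMED;
    skip_result r = checked ? skip_tail_checked(buf, len, &pos) : skip_tail_unchecked(buf, len, &pos);
    if (consumed) *consumed = pos;
    return r;
}

/* Constructed inputs for the demo (not taken from the advisory). */
static const uint8_t VALID_SEQ[]     = {0x30,0x80, 0x02,0x01,0x05, 0x04,0x02,0x41,0x42, 0x00,0x00};
static const uint8_t NESTED_SEQ[]    = {0x30,0x80, 0x30,0x80, 0x02,0x01,0x01, 0x00,0x00, 0x00,0x00};
static const uint8_t TRUNCATED_SEQ[] = {0x30,0x80, 0x02,0x01,0x05};   /* EOC missing */
static const uint8_t OVERLONG_SEQ[]  = {0x30,0x80, 0x02,0x05,0x01};   /* length exceeds buffer */

int main(void) {
    const uint8_t *in[] = {VALID_SEQ, NESTED_SEQ, TRUNCATED_SEQ, OVERLONG_SEQ};
    const size_t   sz[] = {sizeof VALID_SEQ, sizeof NESTED_SEQ, sizeof TRUNCATED_SEQ, sizeof OVERLONG_SEQ};
    for (size_t i = 0; i < 4; i++) {
        size_t n = 0;
        skip_result u = skip_indefinite_sequence(in[i], sz[i], 0, NULL);
        skip_result c = skip_indefinite_sequence(in[i], sz[i], 1, &n);
        printf("input %zu: unchecked=%d checked=%d consumed=%zu\n", i, u, c, n);
    }
    return 0;
}
```

On the valid and nested inputs both loops agree and consume all 11 octets. On the two corrupt inputs the unchecked loop never reaches an EOC tag: the prefetch keeps returning the placeholder (or a header that cannot be parsed), *pos never advances, and only the demo's iteration cap brings it back, which is the condition the advisory describes as trivial to trigger with a corrupt encoding. The checked loop returns SKIP_TRUNCATED on the first exhausted or over-long read instead, which is the property a fix for this class of bug needs: every iteration must either consume octets or fail.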