{"vuid":"VU#795632","idnumber":"795632","name":"MIT Kerberos 5 ASN.1 decoding functions insecurely deallocate memory (double-free)","keywords":["MIT","Kerberos","Key Distribution Center","KDC","clients","arbitrary code execution","double-free","krb5","asn.1"],"overview":"The MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in double-free vulnerabilities. An unauthenticated, remote attacker could execute arbitrary code on a KDC server, which could compromise an entire Kerberos realm. An attacker may also be able to execute arbitrary code on Kerberos clients, or cause a denial of service on KDCs or clients.","clean_desc":"As described on the MIT Kerberos web site:  \"Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\"  MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions. Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). When ASN.1 decoding functions in the MIT Kerberos 5 library handle error conditions, the functions free() a memory reference and return the reference to the calling function. In some cases, error handling code in the calling functions may free() the memory reference again, resulting in a double-free vulnerability. MITKRB5-SA-2004-002 explains in more detail: In the MIT krb5 library, in all releases up to and including\nkrb5-1.3.4, ASN.1 decoder functions and their callers do not use a\nconsistent set of memory management conventions. The callers expect\nthe decoders to allocate memory. The callers typically have\nerror-handling code which frees memory allocated by the ASN.1 decoders\nif pointers to the allocated memory are non-null. Upon encountering\nerror conditions, the ASN.1 decoders themselves free memory which they\nhave allocated, but do not null the corresponding pointers. When some\nlibrary functions receive errors from the ASN.1 decoders, they attempt\nto pass the non-null pointer (which points to freed memory) to free(),\ncausing a double-free. The MIT Kerberos 5 KDC is affected by a specific variant of this type of double-free condition. From MITKRB5-SA-2004-002: In all releases of MIT krb5 up to and including krb5-1.3.4, cleanup\ncode in the KDC frees memory returned by ASN.1 decoders. This cleanup\ncode only frees memory pointed to by non-null pointers, but if an\nASN.1 decoder returns an error, the cleanup code will free memory\npreviously freed by the decoder. The double-free conditions occur in the MIT Kerberos 5 library and affect the KDC and Kerberos clients.","impact":"An unauthenticated, remote attacker could execute arbitrary code on a KDC server. This could allow an attacker to gain the master secret for a Kerberos realm, leading to compromise of the entire realm. An attacker who is able to impersonate a KDC or application server may be able to execute arbitrary code on Kerberos clients. An attacker may also be able to crash a KDC or client, causing a denial of service.","resolution":"Apply a patch\nApply the appropriate patch(es) referenced in MITKRB5-SA-2004-002 or specified by your vendor. Upgrade According to MITKRB5-SA-2004-002, \"The upcoming krb5-1.3.5 release will contain fixes for these problems.\"","workarounds":"Restrict access Depending on network architecture, it may be practical to restrict access to KDC servers (88/udp) from untrusted networks such as the Internet. Due to network application requirements, it may be possible, but less practical, to limit access from Kerberos clients to trusted KDC and application servers. While these workarounds will help to limit the source of attacks, they will not prevent attacks from trusted hosts or networks or attackers who can successfully spoof their source addresses.","sysaffected":"","thanks":"Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-002 acknowledges Will Fiveash and Nico Williams.","author":"This document was written by Art Manion.","public":["http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt","http://web.mit.edu/kerberos/www/","http://web.mit.edu/kerberos/www/krb5-1.3/","http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#asn1","http://www.itu.int/ITU-T/asn1/","http://www.itu.int/ITU-T/studygroups/com10/languages/","http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbfirewall","http://www.securitytracker.com/alerts/2004/Aug/1011106.html"],"cveids":["CVE-2004-0642"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-07-16T13:01:13Z","publicdate":"2004-08-31T00:00:00Z","datefirstpublished":"2004-09-02T03:24:29Z","dateupdated":"2005-05-10T16:02:50Z","revision":43,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"14","cam_population":"18","cam_impact":"20","cam_easeofexploitation":"7","cam_attackeraccessrequired":"15","cam_scorecurrent":"20.55375","cam_scorecurrentwidelyknown":"24.0975","cam_scorecurrentwidelyknownexploited":"38.2725","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":20.55375,"vulnote":null}