{"vuid":"VU#943220","idnumber":"943220","name":"MIT KDC vulnerable to double-free when PKINIT enabled","keywords":[""],"overview":"The KDC in krb5-1.7 and later releases is vulnerable to a double free if it is configured to respond to PKINIT requests.","clean_desc":"The MIT krb5 Security Advisory 2011-003 states: \"The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult).\"","impact":"An unauthenticated remote attacker can induce a double free in the KDC daemon, causing it to crash (denial of service) or, although this is believed to be difficult, to execute arbitrary code.","resolution":"Apply a Patch\nUpcoming releases in the krb5-1.7, krb5-1.8, and krb5-1.9 series will contain fixes. In the meantime, apply the following patch:\n\ndiff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c\nindex 46b5fa1..464cb6e 100644\n- 
--- a/src/kdc/do_as_req.c\n+++ b/src/kdc/do_as_req.c\n@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,\n                     pad->contents = td[size]->data; pad->length = td[size]->length; pa[size] = pad; +                    td[size]->data = NULL; +                    td[size]->length = 0; krb5_free_typed_data(kdc_context, td);","workarounds":"","sysaffected":"","thanks":"This issue was discovered by Cameron Meadors of Red Hat.","author":"This document was written by Jared Allar.","public":["http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt","http://web.mit.edu/kerberos/advisories/2011-003-patch.txt","http://web.mit.edu/kerberos/advisories/2011-003-patch.txt.asc"],"cveids":["CVE-2011-0284"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2011-03-02T20:15:29Z","publicdate":"2011-03-15T00:00:00Z","datefirstpublished":"2011-03-15T18:09:52Z","dateupdated":"2011-03-29T12:22:28Z","revision":13,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.0,"vulnote":null}
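Review bot: the two added assignments td[size]->data = NULL; and td[size]->length = 0; are only a complete fix if they execute before krb5_free_typed_data(kdc_context, td) for every element whose buffer was handed to pa[size]; the extraction has collapsed the hunk's line breaks, so the boundary of the enclosing block is not visible here and should be confirmed against the upstream patch text at http://web.mit.edu/kerberos/advisories/2011-003-patch.txt. The ownership transfer at pad->contents = td[size]->data; also deserves a one-line comment stating that pa[size] now owns the buffer and td must not free it; without it the NULL/0 pair reads as a pair of dead stores rather than the point of the fix.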
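As an added example (not code from the MIT advisory, the CERT note, or the krb5 source), the C program below models the ownership-transfer bug the patch corrects: a typed-data buffer is moved, not copied, into a pa-data element, and if the source pointer is left in place the typed-data free routine and the pa-data free routine both release it. The struct shapes, the helper names (tracked_free, free_typed_data, free_pa_data, make_typed_data, convert_and_free) and the 8-byte payloads are assumptions constructed for this example, not krb5's API; a small free tracker counts a second release of the same address instead of performing it, since an actual double free is undefined behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for krb5's typed-data and pa-data elements (assumed
 * shapes for this example, not the real krb5 structs). */
struct typed_data { int type; unsigned int length; char *data; };
struct pa_data    { int pa_type; unsigned int length; char *contents; };

/* Free tracker: a real double free is undefined behaviour, so tracked_free()
 * records each address it releases and counts, rather than performs, any
 * second release of the same address. */
#define MAX_TRACKED 64
static uintptr_t freed_addrs[MAX_TRACKED];
static int freed_count, double_free_count;

static void tracked_free(void *p)
{
    uintptr_t addr = (uintptr_t)p;
    if (p == NULL)
        return;
    for (int i = 0; i < freed_count; i++) {
        if (freed_addrs[i] == addr) {
            double_free_count++;        /* would be a double free */
            return;
        }
    }
    if (freed_count < MAX_TRACKED)
        freed_addrs[freed_count++] = addr;
    free(p);
}

/* Stand-in for krb5_free_typed_data: frees each element's buffer, the element,
 * then the array. It cannot know a buffer was handed to a pa-data element. */
static void free_typed_data(struct typed_data **td, int n)
{
    for (int i = 0; i < n; i++) {
        tracked_free(td[i]->data);
        tracked_free(td[i]);
    }
    tracked_free(td);
}

static void free_pa_data(struct pa_data **pa, int n)
{
    for (int i = 0; i < n; i++) {
        tracked_free(pa[i]->contents);
        tracked_free(pa[i]);
    }
    tracked_free(pa);
}

/* Builds n typed-data elements with constructed 8-byte payloads. */
static struct typed_data **make_typed_data(int n)
{
    struct typed_data **td = calloc((size_t)n, sizeof(*td));
    for (int i = 0; i < n; i++) {
        td[i] = calloc(1, sizeof(**td));
        td[i]->type = 100 + i;
        td[i]->length = 8;
        td[i]->data = malloc(8);
        memset(td[i]->data, 'A' + i, 8);
    }
    return td;
}

/* Mirrors the prepare_error_as() pattern in the patch: each typed-data buffer
 * is moved, not copied, into a pa-data element. clear_source == 0 leaves the
 * source pointer in place, so free_typed_data() and free_pa_data() release the
 * same buffer twice (the advisory's double free); clear_source == 1 clears it,
 * as the 2011-003 patch does. Returns the number of double frees observed. */
int convert_and_free(int n, int clear_source)
{
    freed_count = 0;
    double_free_count = 0;
    struct typed_data **td = make_typed_data(n);
    struct pa_data **pa = calloc((size_t)n, sizeof(*pa));
    for (int i = 0; i < n; i++) {
        struct pa_data *pad = calloc(1, sizeof(*pad));
        pad->pa_type = td[i]->type;
        pad->contents = td[i]->data;    /* ownership moves to pa[i] */
        pad->length = td[i]->length;
        pa[i] = pad;
        if (clear_source) {
            td[i]->data = NULL;         /* patched: td no longer owns it */
            td[i]->length = 0;
        }
    }
    free_typed_data(td, n);             /* frees the buffers unless cleared */
    free_pa_data(pa, n);                /* frees them again if not cleared */
    return double_free_count;
}
```

convert_and_free(3, 0) reports 3 double frees and convert_and_free(3, 1) reports 0; the only difference between the two paths is the pair of assignments the patch adds, which is why the fix is a change of ownership rather than a change to either free routine.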