MITKRB5-SA-2004-003: ASN.1 decoder denial-of-service
-----BEGIN PGP SIGNED MESSAGE-----
MIT krb5 Security Advisory 2004-003
Original release: 2004-08-31
Topic: ASN.1 decoder denial of service
Severity: serious
SUMMARY
=======
The ASN.1 decoder library in the MIT Kerberos 5 distribution is
vulnerable to a denial-of-service attack causing an infinite loop in
the decoder. The KDC is vulnerable to this attack.
IMPACT
======
* An unauthenticated remote attacker can cause a KDC or application
server to hang inside an infinite loop. [CAN-2004-0644]
* An attacker impersonating a legitimate KDC or application server may
cause a client program to hang inside an infinite
loop. [CAN-2004-0644]
AFFECTED SOFTWARE
=================
* KDC software and applications from MIT Kerberos 5 releases
krb5-1.2.2 through krb5-1.3.4.
* Applications using the MIT krb5 libraries from the above releases.
FIXES
=====
* The upcoming krb5-1.3.5 release will contain fixes for these
problems.
* Apply the appropriate patch referenced below, and rebuild the software.
Patches available:
* Patch against krb5-1.3.4 (should apply to earlier krb5-1.3.x releases)
* Patch against krb5-1.2.8 (should apply to releases krb5-1.2.2
through krb5-1.2.7 as well)
PATCH AGAINST krb5-1.3.4
========================
* This patch was generated against krb5-1.3.4; it may
apply, with some offset, to earlier krb5-1.3.x releases.
This patch may also be found at:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt.asc
Index: src/lib/krb5/asn.1/asn1buf.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.24
*** src/lib/krb5/asn.1/asn1buf.c 12 Mar 2003 04:33:30 -0000 5.24
- --- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:43:47 -0000
***************
*** 122,127 ****
- --- 122,129 ----
return ASN1_OVERRUN;
}
while (nestlevel > 0) {
+ if (buf->bound - buf->next + 1 <= 0)
+ return ASN1_OVERRUN;
retval = asn1_get_tag_2(buf, &t);
if (retval) return retval;
if (!t.indef) {
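Review bot: the guard added at the top of the `while (nestlevel > 0)` loop tests only for buffer exhaustion (`buf->bound - buf->next + 1 <= 0`), while the DETAILS section says the loop also fails to check for the placeholder tag handed back by the prefetching code. That is sufficient only because the placeholder is produced precisely when no octets remain in the sub-encoding, so the exhaustion test reaches the `return ASN1_OVERRUN` before `asn1_get_tag_2` can ever yield the placeholder; a one-line comment above the check stating that dependency would help anyone backporting or later refactoring the prefetch code, since the fix is silently invalidated if the placeholder is ever produced for any other reason. The same `bound - next + 1` remaining-octets expression also appears in the `return ASN1_OVERRUN` path just above the loop; factoring it into a helper would keep the two checks from drifting apart.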
PATCH AGAINST krb5-1.2.8
========================
* This patch was generated against krb5-1.2.8; it may apply, with some
offset, to releases krb5-1.2.2 through krb5-1.2.7. You are strongly
encouraged to update to a release from the krb5-1.3.x series.
This patch may also be found at:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.2.8.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.2.8.txt.asc
Index: src/lib/krb5/asn.1/asn1buf.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.19.2.1
diff -c -r5.19.2.1 asn1buf.c
*** src/lib/krb5/asn.1/asn1buf.c 31 Jan 2001 18:00:12 -0000 5.19.2.1
- --- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:54:50 -0000
***************
*** 140,145 ****
- --- 140,147 ----
return ASN1_OVERRUN;
}
while (nestlevel > 0) {
+ if (buf->bound - buf->next + 1 <= 0)
+ return ASN1_OVERRUN;
retval = asn1_get_tag_indef(buf, &class, &construction, &tagnum,
&taglen, &tagindef);
if (retval) return retval;
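Review bot: with the new check placed before `asn1_get_tag_indef`, an indefinite-length SEQUENCE whose end-of-contents octets are missing (the truncated input the advisory says is trivial to construct) now fails with `ASN1_OVERRUN` instead of looping, but so does any sub-encoding from a non-conformant peer that omits the trailing EOC, which is the kind of input the indefinite-length support exists to tolerate. The advisory should state that this is a deliberate behaviour change for krb5-1.2.x users who rely on such peers, and that the guard (not the `if (retval) return retval;` line after the tag fetch, which never fires on exhaustion) is the sole exit for that case.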
REFERENCES
==========
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CERT VU#550464
http://www.kb.cert.org/vuls/id/550464
CVE CAN-2004-0644
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644
ASN.1 decoder bug in MIT Kerberos 5 releases krb5-1.2.2
through krb5-1.3.4 allows unauthenticated remote attackers to
induce infinite loop, causing denial of service, including in
KDC code
ACKNOWLEDGMENTS
===============
Thanks to Will Fiveash and Nico Williams at Sun for finding this
vulnerability.
DETAILS
=======
The ASN.1 decoder in the MIT krb5 library handles indefinite-length
BER encodings for the purpose of backwards compatibility with some
non-conformant implementations. The ASN.1 decoders call
asn1buf_sync() to skip any trailing unrecognized fields in the
encoding of a SEQUENCE type. asn1buf_sync() calls asn1buf_skiptail()
if the ASN.1 SEQUENCE type being decoded was encoded with an
indefinite length. asn1buf_sync() is provided with a prefetched BER
tag; a placeholder tag is provided by the prefetching code in the case
where there are no more octets left in a sub-encoding.
The loop in asn1buf_skiptail() which attempts to skip trailing
sub-encodings of an indefinite-length SEQUENCE type does not properly
check for end-of-subbuffer conditions or for the placeholder tag,
leading to an infinite loop. Valid BER encodings cannot cause this
condition; however, it is trivial to construct a corrupt encoding
which will trigger the infinite loop.
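The following program is an added illustration and is not code from the MIT
krb5 library. It reimplements, in a deliberately small form, the shape of the
skip-tail loop the advisory describes: a prefetch-style tag reader that hands
back a placeholder tag (with no error) when the sub-buffer is exhausted, and a
loop that walks nested indefinite-length encodings until the matching
end-of-contents octets. With `hardened` set to 0 the loop has the defect
described above and never terminates on a truncated encoding (the program caps
iterations and reports LOOP_LIMIT_HIT in place of hanging); with `hardened` set
to 1 it applies the same remaining-octets check as the patches and returns
ASN1_OVERRUN. The `asn1buf`, `taginfo`, `get_tag`, `skiptail` and
`check_encoding` names, the error codes other than ASN1_OVERRUN, and the sample
encodings are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Toy stand-in for the MIT asn1buf (not the library's own type): `next` is the
 * next octet to read, `bound` the last readable octet, so bound-next+1 is the
 * count of octets remaining, the expression the advisory's patches test. */
typedef struct {
    const unsigned char *next;
    const unsigned char *bound;
} asn1buf;

enum {
    ASN1_OK = 0,
    ASN1_OVERRUN = 1,    /* ran off the end of the (sub)buffer */
    ASN1_BAD_LENGTH = 2, /* long-form length: not handled by this toy decoder */
    NOT_INDEFINITE = 3,  /* outer SEQUENCE was not indefinite-length */
    LOOP_LIMIT_HIT = 4   /* iteration cap reached: stands in for hanging forever */
};

typedef struct {
    int indef;       /* length octet was 0x80: indefinite-length encoding */
    int eoc;         /* end-of-contents marker: tag 0x00, length 0x00 */
    int placeholder; /* synthetic tag returned when no octets remain */
    size_t length;   /* definite content length (short form only) */
} taginfo;

static long remaining(const asn1buf *buf)
{
    return (long)(buf->bound - buf->next + 1);
}

/* Mirrors the prefetch behaviour the advisory describes: on an exhausted
 * buffer it returns a placeholder tag and ASN1_OK, not an error. The
 * placeholder looks like a zero-length, non-EOC, non-indefinite tag. */
static int get_tag(asn1buf *buf, taginfo *t)
{
    unsigned char tagbyte, lenbyte;

    memset(t, 0, sizeof *t);
    if (remaining(buf) <= 0) {
        t->placeholder = 1;
        return ASN1_OK;
    }
    tagbyte = *buf->next++;
    if (remaining(buf) <= 0)
        return ASN1_OVERRUN; /* tag octet present but no length octet */
    lenbyte = *buf->next++;
    if (tagbyte == 0x00 && lenbyte == 0x00) {
        t->eoc = 1;
        return ASN1_OK;
    }
    if (lenbyte == 0x80) {
        t->indef = 1;
        return ASN1_OK;
    }
    if (lenbyte & 0x80)
        return ASN1_BAD_LENGTH;
    t->length = lenbyte;
    return ASN1_OK;
}

/* Skip trailing sub-encodings of an indefinite-length SEQUENCE until the
 * matching EOC. Unhardened, a placeholder tag neither ends the loop nor
 * advances `next`, so a truncated encoding spins forever. */
static int skiptail(asn1buf *buf, int hardened, unsigned long max_iter)
{
    int nestlevel = 1, retval;
    unsigned long iter = 0;
    taginfo t;

    while (nestlevel > 0) {
        if (++iter > max_iter)
            return LOOP_LIMIT_HIT;
        if (hardened && remaining(buf) <= 0)
            return ASN1_OVERRUN; /* the check the advisory's patches add */
        retval = get_tag(buf, &t);
        if (retval)
            return retval;
        if (t.eoc) {
            nestlevel--;
        } else if (t.indef) {
            nestlevel++;
        } else {
            if (remaining(buf) < (long)t.length)
                return ASN1_OVERRUN;
            buf->next += t.length;
        }
    }
    return ASN1_OK;
}

/* Decode the outer SEQUENCE tag, require indefinite length, skip its tail. */
int check_encoding(const unsigned char *enc, size_t len, int hardened)
{
    asn1buf buf;
    taginfo t;
    int retval;

    if (len == 0)
        return ASN1_OVERRUN;
    buf.next = enc;
    buf.bound = enc + len - 1;
    retval = get_tag(&buf, &t);
    if (retval)
        return retval;
    if (!t.indef)
        return NOT_INDEFINITE;
    return skiptail(&buf, hardened, 1000);
}

/* Constructed sample encodings for this example (not taken from the advisory). */
const unsigned char kValid[]    = {0x30, 0x80, 0x04, 0x01, 0x41, 0x00, 0x00}; /* SEQUENCE{ OCTET STRING "A" } EOC */
const unsigned char kCorrupt[]  = {0x30, 0x80, 0x04, 0x01, 0x41};             /* same, EOC chopped off */
const unsigned char kNested[]   = {0x30, 0x80, 0x30, 0x80, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00};
const unsigned char kNestedCut[] = {0x30, 0x80, 0x30, 0x80, 0x04, 0x00, 0x00, 0x00}; /* outer EOC missing */
const unsigned char kDefinite[] = {0x30, 0x03, 0x04, 0x01, 0x41};             /* definite-length SEQUENCE */
```

Running `check_encoding` over `kCorrupt` or `kNestedCut` with `hardened` set to 0
hits the iteration cap, the toy's equivalent of the KDC hang; with `hardened`
set to 1 both return ASN1_OVERRUN, and the well-formed inputs return ASN1_OK
either way, which is the property a regression test for this fix should check.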
REVISION HISTORY
================
2004-08-31 original release
Copyright (C) 2004 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)
iQCVAwUBQTTAIKbDgE/zdoE9AQHyngP+OiwJxYxeHuhNjyXMyCr79mqJcsPP17DB
tsDgQ9jZiD0m+I7rgu+PmPJQfl8qgfEZsEsW5QXppJoC0gIICSqdWbYypXjVzEfh
N7g8ydTIOkKk5WP+ahisWyHiIWg/iX66dDLupzxufgb+1p/2CwoXgTszCBlQP67o
3LMSqXJGDfw=
=RAVs
-----END PGP SIGNATURE-----