
CERT Coordination Center

MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not properly terminate loop

Vulnerability Note VU#550464

Original Release Date: 2004-09-02 | Last Revised: 2004-09-03

Overview

The asn1buf_skiptail() function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service in a Kerberos Distribution Center (KDC), application server, or Kerberos client.

Description

As described on the MIT Kerberos web site: "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography." MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.

Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). The Basic Encoding Rules (BER) describe how to represent the values of ASN.1 types in byte strings. The MIT Kerberos 5 library function asn1buf_skiptail() contains a loop that does not properly check either the end of a buffer or the position of a pointer into the buffer. A specially crafted BER encoding in an ASN.1 sequence can cause asn1buf_skiptail() to enter an infinite loop, resulting in a denial of service. MITKRB5-SA-2004-003 provides further detail:

The ASN.1 decoder in the MIT krb5 library handles indefinite-length
BER encodings for the purpose of backwards compatibility with some
non-conformant implementations. The ASN.1 decoders call
asn1buf_sync() to skip any trailing unrecognized fields in the
encoding of a SEQUENCE type. asn1buf_sync() calls asn1buf_skiptail()
if the ASN.1 SEQUENCE type being decoded was encoded with an
indefinite length. asn1buf_sync() is provided with a prefetched BER
tag; a placeholder tag is provided by the prefetching code in the case
where there are no more octets in a sub-encoding.

The loop in asn1buf_skiptail() which attempts to skip trailing
sub-encodings of an indefinite-length SEQUENCE type does not properly
check for end-of-subbuffer conditions or for the placeholder tag,
leading to an infinite loop. Valid BER encodings cannot cause this
condition; however, it is trivial to construct a corrupt encoding
which will trigger the infinite loop.
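The missing checks described above are the end-of-subbuffer test and the recognition of the end-of-contents marker that closes an indefinite-length value. The following is an added example, not MIT krb5 code, showing how a skip loop over the trailing sub-encodings of an indefinite-length BER SEQUENCE is written so that every iteration either consumes at least one octet or returns an error. All names (ber_buf, ber_read_length(), ber_skip_to_eoc(), ber_skip_sequence(), the SKIP_* codes) are invented for this example, and the sample encodings are constructed, not captured Kerberos messages.

```c
/* Added example (not MIT krb5 code): a bounds-checked skip over the trailing
 * sub-encodings of an indefinite-length BER SEQUENCE.  All identifiers here
 * are invented for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { SKIP_OK = 0, SKIP_ERR_TRUNCATED = -1, SKIP_ERR_BADLEN = -2, SKIP_ERR_NESTING = -3 };

typedef struct { const uint8_t *buf; size_t len; size_t pos; } ber_buf;

/* Read the BER length octets at b->pos.  Sets *indef for the indefinite
 * form (0x80); otherwise stores the definite length in *out. */
static int ber_read_length(ber_buf *b, size_t *out, int *indef)
{
    if (b->pos >= b->len) return SKIP_ERR_TRUNCATED;
    uint8_t first = b->buf[b->pos++];
    *indef = 0; *out = 0;
    if (first < 0x80) { *out = first; return SKIP_OK; }   /* short form */
    if (first == 0x80) { *indef = 1; return SKIP_OK; }    /* indefinite form */
    size_t n = first & 0x7f;                              /* long form: n length octets follow */
    if (n > sizeof(size_t)) return SKIP_ERR_BADLEN;
    if (b->len - b->pos < n) return SKIP_ERR_TRUNCATED;
    for (size_t i = 0; i < n; i++) *out = (*out << 8) | b->buf[b->pos++];
    return SKIP_OK;
}

/* Skip sub-encodings until the end-of-contents octets (0x00 0x00) of an
 * indefinite-length constructed value.  The buffer end is checked before
 * every read and each pass either advances b->pos or returns, so a corrupt
 * or truncated input ends in an error code rather than an endless loop. */
static int ber_skip_to_eoc(ber_buf *b, int depth)
{
    if (depth > 32) return SKIP_ERR_NESTING;             /* bound recursion on nested 0x80 lengths */
    for (;;) {
        if (b->len - b->pos < 2) return SKIP_ERR_TRUNCATED;  /* no room for EOC or tag+length */
        uint8_t tag = b->buf[b->pos];
        if (tag == 0x00) {                                /* end-of-contents must be exactly 00 00 */
            if (b->buf[b->pos + 1] != 0x00) return SKIP_ERR_BADLEN;
            b->pos += 2;
            return SKIP_OK;
        }
        if ((tag & 0x1f) == 0x1f) return SKIP_ERR_BADLEN;   /* multi-octet tags not handled here */
        b->pos++;
        size_t len; int indef;
        int rc = ber_read_length(b, &len, &indef);
        if (rc != SKIP_OK) return rc;
        if (indef) {
            if (!(tag & 0x20)) return SKIP_ERR_BADLEN;    /* indefinite form only on constructed types */
            rc = ber_skip_to_eoc(b, depth + 1);
            if (rc != SKIP_OK) return rc;
        } else {
            if (len > b->len - b->pos) return SKIP_ERR_TRUNCATED;  /* declared length overruns buffer */
            b->pos += len;
        }
    }
}

/* Skip one whole SEQUENCE (tag 0x30), definite or indefinite length.
 * On success *consumed (if non-NULL) receives the octets it occupied. */
int ber_skip_sequence(const uint8_t *data, size_t len, size_t *consumed)
{
    ber_buf b = { data, len, 0 };
    if (len < 2 || data[0] != 0x30) return SKIP_ERR_BADLEN;
    b.pos = 1;
    size_t l; int indef;
    int rc = ber_read_length(&b, &l, &indef);
    if (rc != SKIP_OK) return rc;
    if (indef) rc = ber_skip_to_eoc(&b, 0);
    else if (l > b.len - b.pos) rc = SKIP_ERR_TRUNCATED;
    else b.pos += l;
    if (rc == SKIP_OK && consumed) *consumed = b.pos;
    return rc;
}

/* Octets occupied by a well-formed SEQUENCE, or 0 if it is rejected. */
size_t ber_sequence_size(const uint8_t *data, size_t len)
{
    size_t used = 0;
    return ber_skip_sequence(data, len, &used) == SKIP_OK ? used : 0;
}

/* Constructed sample encodings (not captured traffic). */
static const uint8_t sample_valid[]    = {0x30,0x80, 0x02,0x01,0x05, 0x04,0x02,0xAA,0xBB, 0x00,0x00};
static const uint8_t sample_nested[]   = {0x30,0x80, 0x30,0x80, 0x02,0x01,0x01, 0x00,0x00, 0x00,0x00};
static const uint8_t sample_no_eoc[]   = {0x30,0x80, 0x02,0x01,0x05};             /* EOC missing */
static const uint8_t sample_overlong[] = {0x30,0x80, 0x04,0x7F,0xAA, 0x00,0x00};  /* inner length 127 > octets left */

int main(void)
{
    printf("valid    rc=%d size=%zu\n", ber_skip_sequence(sample_valid, sizeof sample_valid, NULL),
           ber_sequence_size(sample_valid, sizeof sample_valid));
    printf("nested   rc=%d size=%zu\n", ber_skip_sequence(sample_nested, sizeof sample_nested, NULL),
           ber_sequence_size(sample_nested, sizeof sample_nested));
    printf("no_eoc   rc=%d\n", ber_skip_sequence(sample_no_eoc, sizeof sample_no_eoc, NULL));
    printf("overlong rc=%d\n", ber_skip_sequence(sample_overlong, sizeof sample_overlong, NULL));
    return 0;
}
```

The two inputs that a decoder without these checks would spin on, the missing end-of-contents and the inner element whose declared length exceeds the octets remaining, are both reported as SKIP_ERR_TRUNCATED; the valid and the nested indefinite-length encodings are skipped whole, 11 octets each.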

Impact

An unauthenticated, remote attacker could cause a denial of service on a KDC or application server. An attacker who is able to impersonate a KDC or application server may be able to cause a denial of service on Kerberos clients.

Solution

Apply a patch

Apply the appropriate patch(es) referenced in MITKRB5-SA-2004-003 or specified by your vendor.

Upgrade

According to MITKRB5-SA-2004-003, "The upcoming krb5-1.3.5 release will contain fixes for these problems."


Restrict access

Depending on network architecture, it may be practical to restrict access to KDC servers (88/udp) from untrusted networks such as the Internet. Due to network application requirements, it may be possible, but less practical, to limit access from Kerberos clients to trusted KDC and application servers. While these workarounds will help to limit the source of attacks, they will not prevent attacks from trusted hosts or networks or attackers who can successfully spoof their source addresses.

Vendor Information


Cisco Systems Inc. Affected

Notified:  July 21, 2004 Updated: September 03, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Cisco Security Advisory: Vulnerabilities in Kerberos 5 Implementation (Document ID: 61720).

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MIT Kerberos Development Team Affected

Updated:  September 02, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MITKRB5-SA-2004-003.


CyberSafe Not Affected

Updated:  September 02, 2004

Status

Not Affected

Vendor Statement

The CyberSafe products listed below are not vulnerable.

    • CyberSafe Challenger 5.2.8 (this is the same code used within CISCO IOS)
    • TrustBroker 2.0, 2.1
    • ActiveTRUST 3.0, 4.0
    • TrustBroker Application Security SDK & Runtime Library 3.1.0
    • TrustBroker Secure Client 4.1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



Acknowledgements

Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-003 acknowledges Will Fiveash and Nico Williams.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2004-0644
Severity Metric: 16.44
Date Public: 2004-08-31
Date First Published: 2004-09-02
Date Last Updated: 2004-09-03 20:22 UTC
Document Revision: 18

Sponsored by CISA.