OSVDB ID: 9406

Title: MIT Kerberos 5 ASN.1 Decoder DoS

Dates

Disclosure: Aug 31, 2004
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

The MIT Kerberos 5 distribution contains a flaw that may allow a remote denial of service. An attacker impersonating a legitimate key distribution center or application server may cause a client program to hang inside an infinite loop via a specially crafted BER encoding, resulting in loss of availability of the service.

Classification

Location: Remote/Network Access Required
Attack Type: Denial of Service
Impact: Loss of Availability
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Security Software

Solution

Upgrade to version krb5-1.3.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

MIT

Kerberos 5

1.2.x
1.3.0
1.3.1
1.3.2
1.3.4

Kerberos

1.3.3

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/36218