AOH :: HP Unsorted G :: B1A-1068.HTM

GSS-API lib null pointer deref
MITKRB5-SA-2010-005 GSS-API lib null pointer deref
MITKRB5-SA-2010-005 GSS-API lib null pointer deref

Hash: SHA1


MIT krb5 Security Advisory 2010-005
Original release: 2010-05-18

Topic: GSS-API library null pointer dereference



CVSSv2 Base Score:      6.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  5.3

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

Certain invalid GSS-API tokens can cause a GSS-API acceptor (server)
to crash due to a null pointer dereference in the GSS-API library.

This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.

An authenticated remote attacker can cause a GSS-API application
server (including the Kerberos administration daemon kadmind) to crash
by sending a malformed GSS-API token that induces a null pointer

* kadmind and other GSS-API server applications in all known releases
  of MIT krb5, up to and including krb5-1.8.1

* third-party GSS-API server applications that link link against the
  GSS-API library in all known releases of MIT krb5, up to and
  including krb5-1.8.1

* Independent implementations of the krb5 GSS-API mechanism may be
  vulnerable, as the underlying bug is based on plausible (but
  invalid) assumptions about the Kerberos protocol.

* The upcoming krb5-1.8.2 release and an upcoming krb5-1.7 series
  release will contain a fix for this vulnerability.

* Apply the following patch.  The patch was generated against
  krb5-1.8.1, but should also apply to krb5-1.7 series releases.

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index ce3075f..6241055 100644
- --- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -607,6 +607,13 @@ kg_accept_krb5(minor_status, context_handle,
+    if (authdat->checksum == NULL) {
+        /* missing checksum counts as "inappropriate type" */
+        code = KRB5KRB_AP_ERR_INAPP_CKSUM;
+        major_status = GSS_S_FAILURE;
+        goto fail;
+    }
     if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
         /* Samba does not send 0x8003 GSS-API checksums */
         krb5_boolean valid;

  This patch is also available at 

  A PGP-signed patch is available at 

For the krb5-1.6 release: 

PGP-signed patch for krb5-1.6: 

  Earlier releases may require minor porting.

This announcement is posted at: 

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at: 

The main MIT Kerberos web page is at: 


CVE: CVE-2010-1321 

Thanks to Shawn Emery (Oracle) for reporting this vulnerability.

The MIT Kerberos Team security contact address is
. When sending sensitive information, 
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact  

The krb5 GSS-API mechanism specification requires that the checksum
field in the authenticator of the Kerberos AP-REQ (which is optional
in the base Kerberos protocol) be present and contain specific
contents.  If the checksum field is missing, the decoded structure
contains a null pointer, which code called through
krb5_gss_accept_sec_context() dereferences without first checking for
a null pointer.

Independent implementations of the krb5 GSS-API mechanism may be
vulnerable because a developer might reasonably make the invalid
assumption that the authenticator checksum field is not empty (and
hence, that the C representation would not contain a null pointer).

2010-05-18      original release

Copyright (C) 2010 Massachusetts Institute of Technology
Version: GnuPG v1.4.8 (SunOS)


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to