(CVE-2012-1013) krb5 : kadmind denial of service

Bug #1009422 reported by Karma Dorje on 2012-06-06
This bug affects 1 person
Affects Status Importance Assigned to Milestone
krb5 (Fedora)
Fix Released
krb5 (Ubuntu)
Nominated for Hardy by Steve Beattie
Nominated for Lucid by Steve Beattie
Nominated for Natty by Steve Beattie
Nominated for Oneiric by Steve Beattie
Nominated for Precise by Steve Beattie

Bug Description


A weakness has been reported in Kerberos, which can be exploited by malicious users to cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference error in the "check_1_6_dummy()" function in src/lib/kadm5/srv/svr_principal.c. This can be exploited to cause a crash via a create-principal request containing no password but the KRB5_KDB_DISALLOW_ALL_TIX flag.

Successful exploitation requires an administrator account with "create" privileges.

The weakness is reported in versions prior to 1.10.2.

Update to version 1.10.2.

Provided and/or discovered by
Reported by the vendor.

Original Advisory

MIT Kerberos 5 version 1.10.2 was released [1] and noted as fixing:

* Fix a kadmind denial of service issue (null pointer dereference), which could only be triggered by an administrator with the "create" privilege. [CVE-2012-1013]

No information is currently available on which versions are affected by this flaw.

[1] http://mailman.mit.edu/pipermail/kerberos-announce/2012q2/000136.html

Upstream bug report:


And the upstream fix:


This only affects krb5 1.8 and higher, and only clients authorized to create principals can trigger the bug (so requires administrative privileges).

Created krb5 tracking bugs for this issue

Affects: fedora-all [bug 827598]

Karma Dorje (taaroa) on 2012-06-08
summary: - (CVE-2012-1013) krb5 : "check_1_6_dummy()" Denial of Service Weakness
- (CVE-2012-1013)
+ (CVE-2012-1013) krb5 : kadmind denial of service

krb5-1.10-7.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

krb5-1.9.3-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

krb5-1.9.3-2.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

Karma Dorje (taaroa) on 2012-06-22
visibility: private → public
Marc Cluet (lynxman) wrote :

Confirmed, needs a security release for all supported versions.

Changed in krb5 (Ubuntu):
status: New → Confirmed
Steve Beattie (sbeattie) wrote :

This is a low priority issue due to the required privileges needed to exploit it.

Changed in krb5 (Ubuntu):
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krb5 - 1.10+dfsg~beta1-2ubuntu0.3

krb5 (1.10+dfsg~beta1-2ubuntu0.3) precise-security; urgency=low

  * SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
    - debian/patches/MITKRB5-SA-2012-001.patch: initialize pointers both
      at allocation and assignment time
    - CVE-2012-1015, CVE-2012-1014
  * SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
    - debian/patches/krb5-CVE-2012-1013.patch: check for null password
    - CVE-2012-1013
  * SECURITY UPDATE: insufficient ACL checking on get_strings/set_string
    - debian/patches/krb5-CVE-2012-1012.patch: make the access
      controls for get_strings/set_string mirror those of
    - CVE-2012-1012
 -- Steve Beattie <email address hidden> Thu, 26 Jul 2012 14:29:35 -0700

Changed in krb5 (Ubuntu):
status: Confirmed → Fix Released

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1131 https://rhn.redhat.com/errata/RHSA-2012-1131.html


Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 4 and 5.

Changed in krb5 (Fedora):
importance: Unknown → Low
status: Unknown → Fix Released
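
A simplified C model of the flaw in the bug description and of the "check for null password" fix named in the changelog, added here as an illustration; it is not the krb5 source or the Ubuntu patch. The struct, the constants' values, the function names and the fixed legacy dummy password (bytes 1..255) that the check looks for are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the kadm5 request fields; names and values are assumptions. */
#define MASK_ATTRIBUTES  0x1u   /* request carries an attributes field */
#define DISALLOW_ALL_TIX 0x40u  /* stands in for KRB5_KDB_DISALLOW_ALL_TIX */

struct create_req {
    unsigned mask;
    unsigned attributes;
};

/* Constructed sample input: bytes 1..255 followed by a NUL terminator. */
void fill_dummy(char buf[256])
{
    for (int i = 0; i < 255; i++)
        buf[i] = (char)(i + 1);
    buf[255] = '\0';
}

/* Before: once the flag test passes, the password is read unconditionally. */
int is_dummy_password_unchecked(const struct create_req *r, const char *password)
{
    int i;
    if (!(r->mask & MASK_ATTRIBUTES) || !(r->attributes & DISALLOW_ALL_TIX))
        return 0;
    for (i = 0; (unsigned char)password[i] == i + 1; i++)
        ;                       /* password == NULL faults on the first read */
    return password[i] == '\0' && i == 255;
}

/* After: a request without a password is rejected before any byte is read. */
int is_dummy_password(const struct create_req *r, const char *password)
{
    if (password == NULL)
        return 0;
    return is_dummy_password_unchecked(r, password);
}

int main(void)
{
    struct create_req r = { MASK_ATTRIBUTES, DISALLOW_ALL_TIX };
    char dummy[256];
    fill_dummy(dummy);
    printf("no password:    %d\n", is_dummy_password(&r, NULL));
    printf("dummy password: %d\n", is_dummy_password(&r, dummy));
    printf("real password:  %d\n", is_dummy_password(&r, "secret"));
    return 0;
}
```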