Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 469752 (CVE-2002-2443) - <app-crypt/mit-krb5-1.11.2-r1 : kpasswd UDP ping-pong vulnerability (CVE-2002-2443)
Summary: <app-crypt/mit-krb5-1.11.2-r1 : kpasswd UDP ping-pong vulnerability (CVE-2002...
Status: RESOLVED FIXED
Alias: CVE-2002-2443
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-13 21:10 UTC by Agostino Sarubbo
Modified: 2013-12-16 17:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-05-13 21:10:32 UTC
From ${URL} :

This flaw has commonly been referred to as CVE-1999-0103 because that
CVE also describes a UDP ping-pong attack.  The same type of issue
exists in kadmind's kpasswd handling, but unfortunately no one told
upstream for the last decade.  CVE-1999-0103 never mentioned krb5 in any
way other than with regards to a Nessus plugin that tests for the
CVE-1999-0103 weakness in kpasswd handling.

Upstream now knows and a fix is available.  Cut-n-paste from our bug
report follows:


A flaw in certain programs that handle UDP traffic was discovered and
assigned the name CVE-1999-0103 (that CVE specifically mentions echo and
chargen as vulnerable).  In 2002, a Nessus plugin was included [1] that
reference this CVE name, but was for the kpasswd service.  Until
recently, this issue had not been reported upstream.  This issue has
since been reported upstream [2] and is now fixed [3].

If a malicious remote user were to spoof their IP address to that of
another server running kadmind with the password change port (kpasswd,
port 464), or to the target server's IP address itself), kpasswd will
pass UDP packets to the spoofed address and reply each time.  This can
be used to consume bandwidth and CPU on the affected servers running
kadmind.

This should be fixed in the for krb5-1.11.3 release.

[1] http://marc.info/?l=nessus&m=102418951803893&w=2
[2] http://krbdev.mit.edu/rt/Ticket/Display.html?id=7637
[3] https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c


After discussing with upstream and MITRE, it was decided that this issue
needed its own CVE name, so it was assigned CVE-2002-2443.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Eray Aslan gentoo-dev 2013-05-14 06:04:33 UTC
+*mit-krb5-1.11.2-r1 (14 May 2013)
+
+  14 May 2013; Eray Aslan <eras@gentoo.org> +files/CVE-2002-2443.patch,
+  +mit-krb5-1.11.2-r1.ebuild:
+  Security bump - bug #469752
+

@security: We can stabilize =app-crypt/mit-krb5-1.11.2-r1.  Thank you.
Comment 2 Chris Reffett gentoo-dev Security 2013-07-02 21:56:02 UTC
All right, let's stabilize. Arches, please stabilize =app-crypt/mit-krb5-1.11.3, target arches: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86. Thanks!
Comment 3 Agostino Sarubbo gentoo-dev 2013-07-03 10:30:34 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-07-03 10:31:06 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-04 13:05:54 UTC
ppc stable
Comment 6 Jeroen Roovers gentoo-dev 2013-07-04 13:48:06 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2013-07-04 14:13:10 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-06 17:09:54 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-07-07 12:31:13 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-07-07 15:22:17 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-07-21 17:40:59 UTC
sh stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-07-21 17:55:35 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-08-06 12:34:50 UTC
s390 stable
Comment 14 Sergey Popov gentoo-dev Security 2013-08-22 12:14:56 UTC
Thanks for your work

GLSA vote: yes
Comment 15 Chris Reffett gentoo-dev Security 2013-08-22 14:34:04 UTC
GLSA vote: yes, added to GLSA.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 17:45:57 UTC
CVE-2002-2443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-2443):
  schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5)
  before 1.11.3 does not properly validate UDP packets before sending
  responses, which allows remote attackers to cause a denial of service (CPU
  and bandwidth consumption) via a forged packet that triggers a communication
  loop, as demonstrated by krb_pingpong.nasl, a related issue to
  CVE-1999-0103.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-12-16 17:53:58 UTC
This issue was resolved and addressed in
 GLSA 201312-12 at http://security.gentoo.org/glsa/glsa-201312-12.xml
by GLSA coordinator Sergey Popov (pinkbyte).