MIT Kerberos 5 ASN.1 Decoding Remote Denial-of-Service Vulnerability
Published: 2004-08-31
Updated: 2004-09-01
Affected systems:
MIT Kerberos 5 1.3.4
Unaffected systems:
MIT Kerberos 5 1.2.8
MIT Kerberos 5 1.2.2
MIT Kerberos 5 1.3.5
Description:
BUGTRAQ ID: 11079
CVE(CAN) ID: CVE-2004-0644
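Abstract Syntax Notation 1 (ASN.1) is a data standard used by many applications and devices that allows data to be exchanged across different platforms.
The ASN.1 decoding library in MIT Kerberos 5 contains a flaw that a remote attacker can use to mount a denial-of-service attack against service programs.
The ASN.1 decoding library mishandles indefinite-length BER-encoded data, which can trigger an infinite loop in asn1buf_skiptail() and cause a denial of service in the application. An unauthorized attacker can make a KDC or application server hang in the infinite loop. Alternatively, an attacker impersonating a legitimate KDC or application server can make a client hang in the infinite loop.
<*Source: MIT krb5 Security Advisory
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109398666429899&w=2
*>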
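The failure mode described above, as an added example that is not MIT's code and not part of the original advisory: a simplified skip loop for indefinite-length BER content, run with and without an exhausted-buffer check. The names abuf, tag, get_tag, skip_indef, run and max_iter, the value of ASN1_OVERRUN, and the tag reader's behaviour at end of buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#define ASN1_OVERRUN 1  /* stand-in value, not the krb5 constant */
typedef struct { const unsigned char *next, *bound; } abuf; /* bound: last valid byte */
typedef struct { int is_eoc, indef; size_t length; } tag;
/* Toy tag reader (assumption): on an exhausted buffer it reports success
 * with an empty definite-length tag, so a caller's loop makes no progress. */
static int get_tag(abuf *b, tag *t) {
    t->is_eoc = t->indef = 0; t->length = 0;
    if (b->bound - b->next + 1 <= 0) return 0;
    if (b->bound - b->next + 1 < 2) return ASN1_OVERRUN;
    unsigned char id = b->next[0], len = b->next[1];
    b->next += 2;
    if (len == 0x80) t->indef = 1;             /* indefinite length */
    else if (len & 0x80) return ASN1_OVERRUN;  /* long form not modelled */
    else t->length = len;
    t->is_eoc = (id == 0 && len == 0);         /* end-of-contents octets */
    return 0;
}

/* guard == 0 omits the exhausted-buffer check; max_iter only bounds the demo. */
int skip_indef(abuf *b, int guard, long max_iter) {
    int nestlevel = 1, retval;
    tag t;
    for (long i = 0; nestlevel > 0; i++) {
        if (i >= max_iter) return -1;          /* loop would never return */
        if (guard && b->bound - b->next + 1 <= 0) return ASN1_OVERRUN;
        retval = get_tag(b, &t);
        if (retval) return retval;
        if (!t.indef) {
            if ((size_t)(b->bound - b->next + 1) < t.length) return ASN1_OVERRUN;
            b->next += t.length;               /* skip definite-length contents */
        }
        if (t.indef) nestlevel++;
        if (t.is_eoc) nestlevel--;
    }
    return 0;
}

static const unsigned char ok_in[]    = {0x04, 0x01, 0x41, 0x00, 0x00}; /* constructed */
static const unsigned char trunc_in[] = {0x04, 0x01, 0x41}; /* constructed, no EOC */
int run(const unsigned char *p, size_t n, int guard) {
    abuf b = { p, p + n - 1 };
    return skip_indef(&b, guard, 1000);
}
int main(void) {
    printf("guarded=%d unguarded=%d\n", run(trunc_in, sizeof trunc_in, 1),
           run(trunc_in, sizeof trunc_in, 0));
    return 0;
}
```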
Recommendation:
Vendor patch:
MIT
---
krb5-1.3.5 fixes this vulnerability:
http://web.mit.edu/kerberos
The following patch can be applied to krb5-1.3.4:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt
The corresponding PGP signature:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt.asc
Index: src/lib/krb5/asn.1/asn1buf.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.24
*** src/lib/krb5/asn.1/asn1buf.c 12 Mar 2003 04:33:30 -0000 5.24
- --- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:43:47 -0000
***************
*** 122,127 ****
- --- 122,129 ----
return ASN1_OVERRUN;
}
while (nestlevel > 0) {
+ if (buf->bound - buf->next + 1 <= 0)
+ return ASN1_OVERRUN;
retval = asn1_get_tag_2(buf, &t);
if (retval) return retval;
if (!t.indef) {
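Review bot: the test added at the top of `while (nestlevel > 0)` spells out the remaining-byte count inline as `buf->bound - buf->next + 1 <= 0`, and the `+ 1` is only correct if `bound` points at the last valid byte rather than one past it. A short comment stating that convention, or a named remaining-length helper shared with the `ASN1_OVERRUN` return just above the loop, would keep the two checks from drifting apart. A comment explaining why `if (retval) return retval;` alone does not end the loop on an exhausted buffer would also help the next reader.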
The following patch can be applied to krb5-1.2.8:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.2.8.txt
The corresponding PGP signature:
http://web.mit.edu/kerberos/advisories/2004-003-patch_1.2.8.txt.asc
Index: src/lib/krb5/asn.1/asn1buf.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.19.2.1
diff -c -r5.19.2.1 asn1buf.c
*** src/lib/krb5/asn.1/asn1buf.c 31 Jan 2001 18:00:12 -0000 5.19.2.1
- --- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:54:50 -0000
***************
*** 140,145 ****
- --- 140,147 ----
return ASN1_OVERRUN;
}
while (nestlevel > 0) {
+ if (buf->bound - buf->next + 1 <= 0)
+ return ASN1_OVERRUN;
retval = asn1_get_tag_indef(buf, &class, &construction, &tagnum,
&taglen, &tagindef);
if (retval) return retval;
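Review bot: the guard before `asn1_get_tag_indef(...)` protects only this one loop in the caller. The call evidently still returns success when no bytes remain, otherwise `if (retval) return retval;` would already have ended the loop. Check whether any other loop driven by `asn1_get_tag_indef` has the same shape, or consider having the tag reader report the overrun itself. A regression test that feeds a truncated indefinite-length encoding would pin the behaviour down.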