CVE-2009-0846
Published: 2009-04-09
Priority: P3 · 42 · critical · 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 8.90% (94.6th percentile)
The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | < 10.5.7 | 10.5.7 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | krb5 | < krb5 1.6.dfsg.4~beta1-13 (bookworm) | krb5 1.6.dfsg.4~beta1-13 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| mit | kerberos_5 | < 1.6.4 | 1.6.4 |
| mit | krb5 | >= 0 < 1.6.dfsg.4~beta1-13 | 1.6.dfsg.4~beta1-13 |
| mit | krb5 | >= 0 < 1.6.dfsg.4~beta1-13 | 1.6.dfsg.4~beta1-13 |
| mit | krb5 | >= 0 < 1.6.dfsg.4~beta1-13 | 1.6.dfsg.4~beta1-13 |
| mit | krb5 | >= 0 < 1.6.dfsg.4~beta1-13 | 1.6.dfsg.4~beta1-13 |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_eus | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
| redhat | enterprise_linux_workstation | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered by sending an invalid DER encoding in ASN.1 GeneralizedTime fields to a Kerberos service; detect malformed ASN.1 DER-encoded Kerberos traffic targeting the asn1_decode_generaltime function.
- Attack vector is unauthenticated remote, with no prior authentication required; monitor for unexpected crashes of Kerberos daemons (krb5kdc, kadmind) following receipt of specially crafted network traffic.
- The vulnerable code path is in lib/krb5/asn.1/asn1_decode.c; focus code review and binary diffing on the asn1_decode_generaltime function in MIT krb5 versions before 1.6.4.
- glibc hardened malloc/free on Red Hat Enterprise Linux 4 and later greatly mitigates the possibility of code execution; RHEL 2.1 and 3 lack this hardening and carry a higher impact rating.
- No known exploit exists that achieves arbitrary code execution; crash/DoS is the realistic impact.
- This is an implementation vulnerability in MIT krb5 only; it is not a flaw in the Kerberos protocol itself.
CVSS provenance
- nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- osv: 10.0 CRITICAL
- vendor_debian: 10.0 CRITICAL
- vendor_redhat: 10.0 CRITICAL
GHSA
GHSA-777p-gw55-q56c · ghsa_unreviewed · 2022-05-02 · HIGH · CWE-20
Description: identical to the NVD description above.
OSV
CVE-2009-0846 · osv · 2009-04-09 · CVSS 10.0 CRITICAL
Description: identical to the NVD description above.
Ubuntu
Kerberos vulnerabilities (CVE-2009-0844) · vendor_ubuntu · 2009-04-07
Multiple flaws were discovered in the Kerberos GSS-API and ASN.1 routines
that did not correctly handle certain requests. An unauthenticated remote
attacker could send specially crafted traffic to crash services using
the Kerberos library, leading to a denial of service.
Instructions: After a standard system upgrade you need to restart any services using
the Kerberos libraries to effect the necessary changes.
Red Hat
krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) · vendor_redhat · 2009-04-07 · CVSS 10.0 CRITICAL · CWE-456
Description: identical to the NVD description above.
Debian
CVE-2009-0846: krb5 · vendor_debian · 2009 · CVSS 10.0 CRITICAL
Description: identical to the NVD description above.
Scope: local
bookworm: resolved (fixed in 1.6.dfsg.4~beta1-13)
bullseye: resolved (fixed in 1.6.dfsg.4~beta1-13)
forky: resolved (fixed in 1.6.dfsg.4~beta1-13)
sid: resolved (fixed in 1.6.dfsg.4~beta1-13)
trixie: resolved (fixed in 1.6.dfsg.4~beta1-13)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) · bugzilla · 2009-03-19 · CVSS 10.0 CRITICAL
An ASN.1 decoder can free an uninitialized pointer when decoding an
invalid encoding. This can cause a Kerberos application to crash, or,
under theoretically possible but unlikely circumstances, execute
arbitrary malicious code. No exploit is known to exist that would
cause arbitrary code execution.
This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.
Discussion:
Created attachment 335794
upstream patch to fix MITKRB5-SA-2009-002 issue (CVE-2009-0846)
---
This flaw can easily allow an attacker to crash affected application. Code execution depends on ability to exploit free() called on uninitialized pointer. glibc
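The Bugzilla entry above names the defect class: a decoder whose shared cleanup path frees a pointer that an early error exit never initialised. The toy DER GeneralizedTime decoder below is an added example constructed for this page (it is not MIT krb5's asn1_decode_generaltime and not the upstream patch); it shows the hardened shape, with a comment marking where the uninitialised free sat, and rejects the malformed encodings that used to reach it.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Read n ASCII digits at p; the caller has already checked they are digits. */
static int digits(const char *p, int n)
{
    int v = 0;
    while (n-- > 0) v = v * 10 + (*p++ - '0');
    return v;
}

/* Decode one DER GeneralizedTime TLV (tag 0x18, short-form length, body
 * "YYYYMMDDHHMMSSZ") into *out. Returns 0 on success, -1 on any malformed
 * encoding. Constructed illustration of the bug class, not krb5 code. */
int decode_generaltime(const unsigned char *buf, size_t len, struct tm *out)
{
    /* Initialising s is the fix. Left uninitialised, a malformed encoding
     * that fails an early check jumps to cleanup before malloc() ran, and
     * free(s) is handed stack garbage: the crash the advisory describes.
     * free(NULL) is defined to be a no-op, so every path below is safe. */
    char *s = NULL;
    size_t l;
    int ret = -1;

    if (len < 2 || buf[0] != 0x18)      /* truncated, or not GeneralizedTime */
        goto cleanup;
    l = buf[1];
    if (l != 15 || len - 2 < l)         /* only the 15-byte short form is accepted */
        goto cleanup;
    s = malloc(l + 1);
    if (s == NULL)
        goto cleanup;
    memcpy(s, buf + 2, l);
    s[l] = '\0';
    for (int i = 0; i < 14; i++)        /* 14 digits followed by 'Z' (UTC) */
        if (s[i] < '0' || s[i] > '9') goto cleanup;
    if (s[14] != 'Z')
        goto cleanup;
    memset(out, 0, sizeof *out);
    out->tm_year = digits(s, 4) - 1900;
    out->tm_mon  = digits(s + 4, 2) - 1;
    out->tm_mday = digits(s + 6, 2);
    out->tm_hour = digits(s + 8, 2);
    out->tm_min  = digits(s + 10, 2);
    out->tm_sec  = digits(s + 12, 2);
    ret = 0;
cleanup:
    free(s);    /* reached from every error path; safe only because s began as NULL */
    return ret;
}
```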
Bugzilla
CVE-2009-0844 krb5: buffer over-read in SPNEGO GSS-API mechanism (MITKRB5-SA-2009-001) · bugzilla · 2009-03-19 · CVSS 5.8 MEDIUM
The MIT krb5 implementation of the SPNEGO GSS-API mechanism can read
beyond the end of a network input buffer. This can cause a GSS-API
application to crash by reading from invalid address space. Under
theoretically possible but very unlikely conditions, a small
information leak may occur. We believe that no successful exploit
exists that could induce an information leak.
Discussion:
The affected code is not in versions older than krb5 1.5, so only RHEL5 is affected (krb5 1.3.4 is in RHEL4).
---
Created attachment 335792
patch to fix MITKRB5-SA-2009-001 issues (CVE-2009-{0844,0845,0847})
This patch corrects CVE-2009-0844, CVE-2009-0845, and CVE-2009-0846. Provided by upstream.
---
CVE-2009-0845 wa
Bugzilla
CVE-2009-0847 krb5: incorrect length check inside ASN.1 decoder (MITKRB5-SA-2009-001) · bugzilla · 2009-03-19 · CVSS 10.0 CRITICAL
MIT krb5 can perform an incorrect length check inside an ASN.1
decoder. This only presents a problem in the PK-INIT code paths. In
the MIT krb5 KDC or kinit program, this could lead to spurious
malloc() failures or, under some conditions, program crash. We have
heard reports of the spurious malloc() failures, but nobody has yet
publicly made the connection to a security issue.
Discussion:
This issue only affects krb5 1.6.3+. Prior releases contained the vulnerable code, but the vulnerability is masked due to operations performed by other code, so this does not affect Red Hat Enterprise Linux 2.1, 3, 4, or 5.
---
Public now via:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt