RT RT/krbdev.mit.edu: Ticket #7637 Fix kpasswd UDP ping-pong [CVE-2002-2443] Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
7637
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Version_reported
Version_Fixed
  • 1.11.3
Target_Version
  • 1.11.3
Tags
  • pullup
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
  • 7638: (tlyu) Fix kpasswd UDP ping-pong [CVE-2002-2443] [resolved]
 
 Dates  
Created: Mon May 13 12:56:24 2013
Starts: Not set
Started: Mon May 13 12:56:25 2013
Last Contact: Not set
Due: Not set
Updated: Wed May 15 14:46:22 2013 by tlyu
 

 People  
Owner
 tlyu
Requestors
 tlyu@mit.edu
Cc
 
AdminCc
 
 

 More about Tom Yu  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Mon May 13 12:56:24 2013  tlyu - Ticket created    
     
From: tlyu@mit.edu
Subject: git commit


Fix kpasswd UDP ping-pong [CVE-2002-2443]

The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443].  Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.

Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.

Thanks to Vincent Danen for alerting us to this issue.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
Author: Tom Yu <tlyu@mit.edu>
Commit: cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
Branch: master
 src/kadmin/server/schpw.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)


Download (untitled) 884b
      Mon May 13 12:56:24 2013  tlyu - Requestor tlyu@mit.edu added    
      Mon May 13 12:56:25 2013  tlyu - Status changed from new to review    
      Mon May 13 12:56:25 2013  tlyu - Tags pullup added    
      Mon May 13 12:56:25 2013  tlyu - Target_Version 1.11.3 added    
      Tue May 14 21:18:45 2013  tlyu - Status changed from review to resolved    
      Tue May 14 21:18:46 2013  tlyu - Version_Fixed 1.11.3 added    
      Tue May 14 21:18:46 2013  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Fix kpasswd UDP ping-pong [CVE-2002-2443]

The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443].  Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.

Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.

Thanks to Vincent Danen for alerting us to this issue.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

(cherry picked from commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c)

https://github.com/krb5/krb5/commit/70fd4a2843c47c750ef84bb9322818d4795bd983
Author: Tom Yu <tlyu@mit.edu>
Commit: 70fd4a2843c47c750ef84bb9322818d4795bd983
Branch: krb5-1.11
 src/kadmin/server/schpw.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)


Download (untitled) 957b
      Wed May 15 14:46:22 2013  tlyu - Comments added    
     
To: rt-comment@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7637] git commit
From: Tom Yu <tlyu@MIT.EDU>
Date: Wed, 15 May 2013 14:46:19 -0400
RT-Send-Cc: 

As far as I can tell, this bug dates back to the original
implementation of the kpasswd service in our code.

A possible simple mitigation is to block UDP packets destined for the
kpasswd service if they have a source port of 464 (possibly also 7
(echo), 19 (chargen), etc., or anything < 1024 if you're being
especially paranoid).


Download (untitled) 332b