The detailed analysis:

The process_as_req() function in the KDC has support for pluggable modules that implement various types of preauthentication. The PKINIT preauthentication module (using public key cryptography for initial authentication) is part of the MIT krb5 source distribution, and is compiled by default when a usable cryptography backend is present. Before the PKINIT module will be used in AS_REQ processing, it must be configured in the KDC configuration profile (e.g., kdc.conf).

When processing an AS_REQ of type KRB5_PADATA_PK_AS_REQ, the KDC performs initial validation of the request, checking the Diffie-Hellman parameters and verifying the authenticator checksum before proceeding to check that a KDC public key ID is present and matches the KDC configuration. During the process of checking for a KDC public key ID, the KDC must extract an issuer and serial number from the client-supplied X.509 certificate. If this extraction fails, a null pointer is returned which the server detects as an error, and the server proceeds to its cleanup code, which deallocates memory that was allocated to process the request. This cleanup code unconditionally dereferences the pointer holding the issuer and serial number information, which is a null pointer in this error case.

This potential for null pointer dereference has been present since the introduction of the PKINIT code, in krb5-1.6.3.

The vulnerable code executes after substantial validation and processing of the request, so an attacker must be able to successfully perform PKINIT preauthentication or observe or modify a valid preauthentication attempt.
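The error-path pattern described above (an extractor that returns NULL, followed by cleanup that must not dereference that pointer), shown as an added C example written for this analysis; it is not MIT krb5's code. The issuer_serial_t type, the "issuer;serial" certificate stand-in and the function names are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the issuer/serial structure the KDC
 * extracts from the client certificate (not MIT krb5's real type). */
typedef struct {
    char *issuer;
    unsigned long serial;
} issuer_serial_t;

/* Hypothetical extractor. A constructed "certificate" is a string of the
 * form "issuer;serial"; NULL is returned on any parse failure, mirroring
 * the failure mode the analysis describes. */
static issuer_serial_t *extract_issuer_and_serial(const char *cert)
{
    const char *sep = cert ? strchr(cert, ';') : NULL;
    if (sep == NULL || sep == cert)
        return NULL;
    issuer_serial_t *is = calloc(1, sizeof(*is));
    if (is == NULL)
        return NULL;
    size_t len = (size_t)(sep - cert);
    is->issuer = malloc(len + 1);
    if (is->issuer == NULL) { free(is); return NULL; }
    memcpy(is->issuer, cert, len);
    is->issuer[len] = '\0';
    is->serial = strtoul(sep + 1, NULL, 10);
    return is;
}

/* Cleanup that tolerates the error case: this NULL guard is exactly what
 * an unconditional free(is->issuer) on the error path lacks. */
static void free_issuer_serial(issuer_serial_t *is)
{
    if (is == NULL)
        return;
    free(is->issuer);
    free(is);
}

/* Returns 0 when the certificate issuer matches the expected KDC issuer,
 * -1 otherwise (including when the certificate cannot be parsed).
 * Every path reaches cleanup, so cleanup must accept a NULL pointer. */
int check_kdc_pkid(const char *client_cert, const char *expected_issuer)
{
    int retval = -1;
    issuer_serial_t *is = extract_issuer_and_serial(client_cert);
    if (is == NULL)
        goto cleanup;          /* error path: is is NULL from here on */
    if (strcmp(is->issuer, expected_issuer) == 0)
        retval = 0;
cleanup:
    free_issuer_serial(is);    /* safe on both the success and error path */
    return retval;
}
```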