
From: tlyu@mit.edu
Subject: git commit

Fix kpasswd UDP ping-pong [CVE-2002-2443]

The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.

Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.

Thanks to Vincent Danen for alerting us to this issue.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
Author: Tom Yu <tlyu@mit.edu>
Commit: cf1a0c411b2668c57c41e9c4efd15ba17b6b322c
Branch: master
src/kadmin/server/schpw.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Fix kpasswd UDP ping-pong [CVE-2002-2443]

The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.

Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.

Thanks to Vincent Danen for alerting us to this issue.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

(cherry picked from commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c)

https://github.com/krb5/krb5/commit/70fd4a2843c47c750ef84bb9322818d4795bd983
Author: Tom Yu <tlyu@mit.edu>
Commit: 70fd4a2843c47c750ef84bb9322818d4795bd983
Branch: krb5-1.11
src/kadmin/server/schpw.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)

To: rt-comment@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7637] git commit
From: Tom Yu <tlyu@MIT.EDU>
Date: Wed, 15 May 2013 14:46:19 -0400
RT-Send-Cc:

As far as I can tell, this bug dates back to the original
implementation of the kpasswd service in our code.

A possible simple mitigation is to block UDP packets destined for the
kpasswd service if they have a source port of 464 (possibly also 7
(echo), 19 (chargen), etc., or anything < 1024 if you're being
especially paranoid).
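
The source-port filter suggested in the message above, written as an nftables ruleset. This is an added example, not part of the original ticket or of the krb5 project; the table, set and chain names are made up for illustration, and it assumes the host running kadmind filters its own inbound traffic with nftables.

```nftables
# Added example: drop UDP datagrams addressed to kpasswd (port 464) whose
# source port is itself a service that answers unsolicited UDP, so a spoofed
# packet cannot set two responders replying to each other.
# All object names below are hypothetical.
table inet kpasswd_guard {
    # Source ports named in the mitigation: echo, chargen, kpasswd.
    set reflect_ports {
        type inet_service
        elements = { 7, 19, 464 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Baseline: refuse kpasswd requests that claim to come from
        # another kpasswd, echo or chargen service.
        udp dport 464 udp sport @reflect_ports counter drop

        # Stricter variant ("anything < 1024"): uncomment to refuse every
        # privileged source port. Only do this if no legitimate client in
        # your realm sends kpasswd requests from a port below 1024.
        # udp dport 464 udp sport < 1024 counter drop
    }
}
```

The rules only match UDP, so kpasswd over TCP on port 464 is unaffected. The `counter` on each rule lets you see matches with `nft list table inet kpasswd_guard`.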