Commit cf1a0c4

Fix kpasswd UDP ping-pong [CVE-2002-2443]
The kpasswd service provided by kadmind was vulnerable to a UDP "ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless they pass some basic validation, and don't respond to our own error packets.

Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong attack or UDP ping-pong attacks in general, but there is discussion leading toward narrowing the definition of CVE-1999-0103 to the echo, chargen, or other similar built-in inetd services.

Thanks to Vincent Danen for alerting us to this issue.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

ticket: 7637 (new)
target_version: 1.11.3
tags: pullup
1 parent 0a97afb commit cf1a0c4
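
The validate-before-reply rule from the commit message, as an added C example that is not code from this commit or from the krb5 project: a hypothetical `kpw_prevalidate` that silently drops any datagram failing the header checks, so no error packet is ever sent in response to it. The field layout, the version values 1 and 0xff80, and the meaning of a zero AP-REP length (a KRB-ERROR follows) are assumptions taken from RFC 3244, and the sample datagrams are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed from RFC 3244, not shown on this page: 2-byte message length,
 * 2-byte version, 2-byte AP-REQ length, all big-endian. */
#define KPW_VERSION_ORIG    0x0001u
#define KPW_VERSION_RFC3244 0xff80u
#define KPW_HDR_LEN         6u

enum kpw_verdict { KPW_DROP, KPW_PROCESS };

/* Constructed sample datagrams (placeholder bytes, not real Kerberos data). */
const unsigned char sample_request[] = {
    0x00, 0x0c, 0xff, 0x80, 0x00, 0x02, 0xaa, 0xbb, 0xcc, 0xcc, 0xcc, 0xcc };
const unsigned char sample_error_reply[] = {   /* AP-REP length 0 */
    0x00, 0x0a, 0x00, 0x01, 0x00, 0x00, 0xee, 0xee, 0xee, 0xee };

static unsigned be16(const unsigned char *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

/* Hypothetical helper: decide whether a datagram may receive any reply.
 * KPW_DROP means the caller sends nothing, not even an error packet. */
enum kpw_verdict kpw_prevalidate(const unsigned char *buf, size_t len,
                                 size_t *ap_req_len)
{
    unsigned vno, ap_len;

    if (buf == NULL || len < KPW_HDR_LEN)
        return KPW_DROP;              /* truncated header */
    if (be16(buf) != len)
        return KPW_DROP;              /* length field disagrees with datagram */
    vno = be16(buf + 2);
    if (vno != KPW_VERSION_ORIG && vno != KPW_VERSION_RFC3244)
        return KPW_DROP;              /* unknown protocol version */
    ap_len = be16(buf + 4);
    if (ap_len == 0 || ap_len >= len - KPW_HDR_LEN)
        return KPW_DROP;              /* error-reply shape, or truncated AP-REQ */
    *ap_req_len = ap_len;
    return KPW_PROCESS;
}

int main(void)
{
    size_t n = 0;
    return kpw_prevalidate(sample_request, sizeof(sample_request), &n)
           == KPW_PROCESS ? 0 : 1;
}
```

The `ap_len == 0` test goes beyond the four branches changed in the diff: it rejects a datagram shaped like the service's own error reply before any response path can be reached.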

1 file changed

+4
-4
lines changed

Diff for: src/kadmin/server/schpw.c

@@ -52,7 +52,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
5252
ret = KRB5KRB_AP_ERR_MODIFIED;
5353
numresult = KRB5_KPASSWD_MALFORMED;
5454
strlcpy(strresult, "Request was truncated", sizeof(strresult));
55-
goto chpwfail;
55+
goto bailout;
5656
}
5757

5858
ptr = req->data;
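Review bot: on the truncated-request path, `numresult = KRB5_KPASSWD_MALFORMED` and the `strlcpy` into `strresult` look like dead stores now that the branch ends in `goto bailout`, if `bailout` returns without building a reply as the commit message describes. Either drop the two assignments here or add a short comment saying why they are kept, so the next reader does not assume an error packet still goes out.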
@@ -67,7 +67,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
6767
numresult = KRB5_KPASSWD_MALFORMED;
6868
strlcpy(strresult, "Request length was inconsistent",
6969
sizeof(strresult));
70-
goto chpwfail;
70+
goto bailout;
7171
}
7272

7373
/* verify version number */
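Review bot: the `goto bailout` after "Request length was inconsistent" needs a comment saying the silent drop is deliberate. Without one, the branch reads like any other error path, and a later cleanup could switch it back to `goto chpwfail` and reintroduce the reply to unvalidated UDP input that CVE-2002-2443 covers. A one-line comment stating that no reply is sent because the request is unvalidated would do.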
@@ -80,7 +80,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
8080
numresult = KRB5_KPASSWD_BAD_VERSION;
8181
snprintf(strresult, sizeof(strresult),
8282
"Request contained unknown protocol version number %d", vno);
83-
goto chpwfail;
83+
goto bailout;
8484
}
8585

8686
/* read, check ap-req length */
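Review bot: the unknown-version branch still formats `vno` into `strresult` and sets `KRB5_KPASSWD_BAD_VERSION`, but with `goto bailout` a client speaking an unsupported version presumably no longer receives that result and will just time out. The trade-off is reasonable for an unauthenticated UDP service, but it is a client-visible behaviour change that belongs in the release notes for target_version 1.11.3 and in a comment at this branch.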
@@ -93,7 +93,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
9393
numresult = KRB5_KPASSWD_MALFORMED;
9494
strlcpy(strresult, "Request was truncated in AP-REQ",
9595
sizeof(strresult));
96-
goto chpwfail;
96+
goto bailout;
9797
}
9898

9999
/* verify ap_req */
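Review bot: the commit message promises not to respond to our own error packets, but none of the four changed branches (truncated, inconsistent length, unknown version, truncated AP-REQ) says which check such a packet fails. Please name that check in a comment near the AP-REQ length test, and add a regression test that feeds a kpasswd error reply back to the service and confirms nothing is sent.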
