
CERT-In Vulnerability Note CIVN-2010-21
Microsoft Windows Kerberos Null Pointer Dereference Denial of Service Vulnerability

Original Issue Date: February 11, 2010

Severity Rating: Medium

Systems Affected

  • Windows 2000 SP4 and prior
  • Windows Server 2003 SP2 and prior
  • Windows Server 2003 x64 Edition SP2 and prior
  • Windows Server 2003 for Itanium-based Systems SP2 and prior
  • Windows Server 2008 for 32-bit Systems SP2 and prior
  • Windows Server 2008 for x64-based Systems SP2 and prior

Overview

A vulnerability has been reported in Microsoft Windows that could allow a remote attacker to cause a denial of service (DoS) condition.

Description

The vulnerability is caused by a NULL pointer dereference error when handling Ticket-Granting-Ticket (TGT) renewal requests sent by a client in a remote non-Windows realm in a mixed-mode Kerberos implementation. A remote attacker could exploit this vulnerability by sending a malformed request from a non-Windows Kerberos domain. If successful, the attacker could cause the affected Windows domain controller to stop responding, denying new requests for access to domain resources.

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS10-014.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS10-014.mspx

References

VUPEN
http://www.vupen.com/english/advisories/2010/0347

SecurityTracker
http://securitytracker.com/alerts/2010/Feb/1023566.html

CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=19813

CVE Name
CVE-2010-0035

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003