CVE-2024-37371
📋 TL;DR
This vulnerability in MIT Kerberos 5 allows attackers to trigger invalid memory reads by sending specially crafted GSS message tokens with invalid length fields. This could potentially lead to denial of service or information disclosure. All systems running vulnerable versions of MIT Kerberos 5 are affected.
💻 Affected Systems
- MIT Kerberos 5 (krb5)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, though this is unlikely given the CWE-125 classification, which indicates an out-of-bounds read rather than a write.
Likely Case
Denial of service through application crashes, or information disclosure from out-of-bounds memory reads.
If Mitigated
Limited impact with proper network segmentation and monitoring, potentially just failed authentication attempts.
🎯 Exploit Status
The vulnerability is triggered by sending malformed GSS message tokens, which requires no authentication if the attacker has network access to Kerberos services. The tokens are processed by the krb5 GSS-API library inside whichever application receives them, so any GSS-enabled service built on the vulnerable library is exposed, not only the KDC.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.21.3 and later
Vendor Advisory: https://web.mit.edu/kerberos/www/advisories/
Restart Required: Yes
Instructions:
1. Download MIT Kerberos 5 version 1.21.3 or later from the official repository.
2. Follow standard build and installation procedures for your platform.
3. Restart all services using Kerberos libraries.
🔧 Temporary Workarounds
Network segmentation
Restrict network access to Kerberos services to trusted networks only
Firewall rules
Block external access to Kerberos ports (typically 88/tcp, 88/udp, 464/tcp, 464/udp)
iptables -A INPUT -p tcp --dport 88 -j DROP
iptables -A INPUT -p udp --dport 88 -j DROP
iptables -A INPUT -p tcp --dport 464 -j DROP
iptables -A INPUT -p udp --dport 464 -j DROP
These rules drop all traffic to the KDC ports, including legitimate clients; insert ACCEPT rules for trusted source networks ahead of them, and note that they do not cover other services that accept GSS tokens over their own ports.
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to Kerberos services
- Monitor for abnormal authentication attempts and system crashes related to Kerberos services
🔍 How to Verify
Check if Vulnerable:
Check the installed krb5 version: krb5-config --version or dpkg -l | grep krb5 or rpm -qa | grep krb5
Check Version:
krb5-config --version 2>/dev/null || dpkg -l 'libkrb5*' 2>/dev/null || rpm -q krb5-libs 2>/dev/null
The first command prints the library release (for example "Kerberos 5 release 1.21.3"); the package queries are the fallback on Debian-based and RPM-based systems where krb5-config is not installed. There is no "krb5" binary, and executing every file matching *krb5* with --version is neither reliable nor safe.
Verify Fix Applied:
Verify the version is 1.21.3 or higher using the same commands. Distributions that backport the fix may keep an older release number, so on such systems check the package changelog or the vendor advisory instead.
📡 Detection & Monitoring
Log Indicators:
- Kerberos service crashes
- Abnormal authentication failures
- Memory access violation errors in system logs
Network Indicators:
- Unusual traffic to Kerberos ports (88, 464)
- Malformed GSS token packets
SIEM Query:
source="kerberos.log" AND (error OR crash OR "invalid length" OR "memory read")
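To make the "malformed GSS token" indicator concrete, the following added example (not code from krb5 or this advisory) parses the RFC 4121 wrap-token header and rejects tokens whose length fields do not fit the token's actual size before any byte of the body is indexed. The sample tokens are constructed, the checksum bytes are dummies, and the specific checks are illustrative, not the logic of the linked fix commit.

```python
import struct
from typing import Optional

# RFC 4121 wrap token header (16 bytes), followed by the body:
#   0-1 TOK_ID 0x05 0x04 | 2 Flags | 3 Filler 0xFF | 4-5 EC (big-endian)
#   6-7 RRC (big-endian) | 8-15 SND_SEQ | 16.. data + checksum / ciphertext
WRAP_TOK_ID = b"\x05\x04"
FLAG_SEALED = 0x02
HEADER_LEN = 16

def check_wrap_token(token: bytes) -> Optional[str]:
    """Return None when the header and its length fields are consistent with
    the token's real size, otherwise a short reason for rejecting it.
    Every bound is verified before the body is touched."""
    if len(token) < HEADER_LEN:
        return "shorter than the 16-byte header"
    if token[0:2] != WRAP_TOK_ID:
        return "TOK_ID is not 0x0504 (not a wrap token)"
    if token[3] != 0xFF:
        return "filler octet is not 0xFF"
    ec, _rrc = struct.unpack(">HH", token[4:8])
    body_len = len(token) - HEADER_LEN
    if token[2] & FLAG_SEALED:
        # Sealed: plaintext = data || EC filler bytes || copy of the header,
        # so the body must hold at least EC + 16 bytes before crypto overhead.
        if body_len < ec + HEADER_LEN:
            return f"sealed token body {body_len} < EC {ec} + header 16"
    else:
        # Integrity-only: body = data || checksum, and EC is the checksum length.
        if body_len < ec:
            return f"integrity token body {body_len} < EC {ec}"
    return None

def _header(flags: int, ec: int) -> bytes:
    # Constructed header with RRC = 0 and SND_SEQ = 1.
    return WRAP_TOK_ID + bytes([flags, 0xFF]) + struct.pack(">HHQ", ec, 0, 1)

# Constructed samples (not real captures); 12-byte checksums are dummies.
SAMPLES = {
    "ok_integrity": _header(0, 12) + b"hello" + b"\xaa" * 12,
    "truncated": b"\x05\x04\x00\xff",
    "ec_exceeds_body": _header(0, 64) + b"hello" + b"\xaa" * 12,
    "sealed_too_short": _header(FLAG_SEALED, 0) + b"\xbb" * 8,
}

def audit(samples=SAMPLES) -> dict:
    """Map each sample name to its rejection reason (None = structurally sound)."""
    return {name: check_wrap_token(tok) for name, tok in samples.items()}

if __name__ == "__main__":
    for name, reason in audit().items():
        print(f"{name:18} {reason or 'ok'}")
```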
🔗 References
- https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef
- https://web.mit.edu/kerberos/www/advisories/
- https://security.netapp.com/advisory/ntap-20241108-0009/
- https://security.netapp.com/advisory/ntap-20250124-0010/