CVE-2021-36222 Overview
CVE-2021-36222 is a NULL pointer dereference vulnerability in the ec_verify function within kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) component of MIT Kerberos 5 (krb5). It affects versions before 1.18.4 and 1.19.x versions before 1.19.2 and allows remote attackers to crash the KDC daemon with specially crafted authentication requests. The flaw is an error-handling defect: the error code returned by a failed step is overwritten by a later helper call before it is checked, so the function continues down its success path.
Critical Impact
Remote attackers can cause a denial of service by crashing the KDC daemon, potentially disrupting authentication services across an entire Kerberos realm and affecting all dependent systems and users.
Affected Products
- MIT Kerberos 5 (versions before 1.18.4 and 1.19.x before 1.19.2)
- Debian Linux 10.0
- NetApp Active IQ Unified Manager (VMware vSphere and Windows)
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
- NetApp SnapCenter
- Oracle MySQL Server
Discovery Timeline
- 2021-07-22 - CVE-2021-36222 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-36222
Vulnerability Analysis
This vulnerability resides in the encrypted challenge (EC) pre-authentication mechanism of the MIT Kerberos 5 Key Distribution Center. The flaw exists in the ec_verify function located in kdc/kdc_preauth_ec.c, where improper handling of return values leads to a NULL pointer dereference condition.
When a FAST (Flexible Authentication via Secure Tunneling) request carries an encrypted challenge pre-authentication payload, ec_verify first decrypts and decodes the challenge, recording any failure in retval, and then looks up the realm's encrypted_challenge_indicator setting. That lookup copies the realm name with k5memdup0(realm.data, realm.length, &retval). k5memdup0 always writes its own status into the error-code argument (0 on success, ENOMEM only if malloc fails), so a successful copy overwrote the non-zero retval left behind by the failed decryption. The function then continued as though verification had succeeded and dereferenced the pointer to the decoded challenge, which the failed step had never populated, crashing the KDC.
This vulnerability is remotely exploitable over the network without authentication or user interaction. An attacker triggers the crash by sending a malformed encrypted challenge request to the KDC, causing an immediate denial of service for every Kerberos authentication operation in the affected realm until the daemon is restarted.
Root Cause
The root cause is an error code that is silently overwritten. k5memdup0 was called unconditionally in the ec_verify function, even when the preceding decrypt-and-decode step had already set retval to a non-zero error. Because k5memdup0 stores its own status in that same variable (0 on success, ENOMEM only when malloc fails), a successful copy erased the earlier error. The code after the lookup tests retval == 0 to decide whether verification succeeded, so it carried on and dereferenced the decoded-challenge pointer that the failed step had left NULL. Note that the NULL pointer is not realmstr: the allocation normally succeeds and profile_get_string receives a valid string; the crash happens later, on data that was never decrypted.
Attack Vector
The attack can be executed remotely over the network by sending specially crafted Kerberos authentication requests to the KDC. The attacker does not need valid credentials or prior authentication. Any encrypted challenge pre-authentication payload that fails to decrypt or decode drives ec_verify into the masked-error path, so the attacker does not need the key material that would make the challenge verify; it is enough that the KDC processes the request. The result is an immediate crash and denial of service.
}
/* Check for a configured FAST ec auth indicator. */
- realmstr = k5memdup0(realm.data, realm.length, &retval);
+ if (retval == 0)
+ realmstr = k5memdup0(realm.data, realm.length, &retval);
if (realmstr != NULL)
retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
realmstr,
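Review bot: The guard is correct, but the reason for it is invisible from the hunk alone: k5memdup0() writes 0 into *retval on success, so calling it after a failed decrypt overwrote the error and let ec_verify continue down its success path. Please add a one-line comment above `if (retval == 0)` saying that k5memdup0 resets retval, otherwise a future cleanup could easily "simplify" the guard away and reintroduce the crash. On the error path realmstr now stays NULL, so the existing `if (realmstr != NULL)` skips the profile_get_string() lookup and the original error is what gets returned; an alternative that makes the intent more obvious would be to jump to cleanup immediately after the decrypt failure instead of threading retval through the indicator lookup.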
Source: GitHub Commit Update
The patch adds if (retval == 0) in front of the k5memdup0 call, so the realm string is only copied (and retval only overwritten) when every earlier step succeeded. On the failure path realmstr stays NULL, the profile_get_string lookup is skipped, and the original decryption error is returned to the caller instead of being replaced by 0.
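To make the masking concrete, the following is an added example, not krb5's own code and not taken from the fix commit. It models the tail of ec_verify with a local copy of k5memdup0's semantics (k5memdup0_model) and a hypothetical decode_challenge_model standing in for the decrypt-and-decode step; the realm name, the timestamp and the numeric error code are constructed. With patched set to 1 it applies the same guard as the fix, so the two outcomes (error swallowed and NULL reached, versus error preserved) can be compared side by side.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for a krb5 decryption error; the number is arbitrary. */
#define ERR_CHALLENGE_DECRYPT 31

/* Model of krb5's k5memdup0(): copies len bytes into a NUL-terminated
 * buffer and ALWAYS writes *code, 0 on success or ENOMEM on failure.
 * That unconditional write is what clobbered the caller's earlier error. */
static void *k5memdup0_model(const void *in, size_t len, int *code)
{
    char *ptr = malloc(len + 1);

    *code = (ptr == NULL) ? ENOMEM : 0;
    if (ptr != NULL) {
        memcpy(ptr, in, len);
        ptr[len] = '\0';
    }
    return ptr;
}

/* Decoded challenge timestamp, standing in for the real decoded structure. */
struct enc_ts {
    long patimestamp;
};

/* Hypothetical stand-in for the decrypt-and-decode step that precedes the
 * indicator lookup: on success it allocates *ts, on failure it leaves *ts
 * NULL and reports an error, which is the shape that matters here. */
static int decode_challenge_model(int challenge_decrypts, struct enc_ts **ts)
{
    *ts = NULL;
    if (!challenge_decrypts)
        return ERR_CHALLENGE_DECRYPT;
    *ts = calloc(1, sizeof(**ts));
    if (*ts == NULL)
        return ENOMEM;
    (*ts)->patimestamp = 1626912000L; /* constructed sample timestamp */
    return 0;
}

/* Model of the tail of ec_verify(). `patched` selects the guarded
 * allocation from the fix. Returns the error code the caller would see;
 * *null_deref is set to 1 if control reaches the timestamp use with
 * ts == NULL, the point where the unpatched KDC crashes. */
static int ec_verify_model(int challenge_decrypts, int patched, int *null_deref)
{
    const char realm[] = "EXAMPLE.COM"; /* constructed sample realm */
    struct enc_ts *ts = NULL;
    char *realmstr = NULL;
    int retval;

    *null_deref = 0;
    retval = decode_challenge_model(challenge_decrypts, &ts);

    /* Check for a configured FAST ec auth indicator. */
    if (!patched || retval == 0)
        realmstr = k5memdup0_model(realm, strlen(realm), &retval);
    if (realmstr != NULL) {
        /* The real code calls profile_get_string() here; model a realm
         * with no encrypted_challenge_indicator configured (returns 0). */
        retval = 0;
    }

    if (retval == 0) {
        if (ts == NULL)
            *null_deref = 1;    /* real code: ts->patimestamp, SIGSEGV */
        /* otherwise the clock-skew check on ts->patimestamp would run */
    }

    free(realmstr);
    free(ts);
    return retval;
}

/* Wrappers exposing the two observable outcomes. */
static int observed_retval(int challenge_decrypts, int patched)
{
    int nd;
    return ec_verify_model(challenge_decrypts, patched, &nd);
}

static int would_crash(int challenge_decrypts, int patched)
{
    int nd;
    ec_verify_model(challenge_decrypts, patched, &nd);
    return nd;
}

int main(void)
{
    printf("unpatched, bad challenge:  retval=%d crash=%d\n",
           observed_retval(0, 0), would_crash(0, 0));
    printf("patched,   bad challenge:  retval=%d crash=%d\n",
           observed_retval(0, 1), would_crash(0, 1));
    printf("patched,   good challenge: retval=%d crash=%d\n",
           observed_retval(1, 1), would_crash(1, 1));
    return 0;
}
```

The unpatched path reports retval 0 for a challenge that never decrypted and reaches the NULL dereference; the patched path returns the original error and never touches the timestamp. The same pattern is worth grepping for in any C code base: a helper that writes its own status into a shared error variable must not be called while that variable already holds an error.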
Detection Methods for CVE-2021-36222
Indicators of Compromise
- Unexpected krb5kdc crashes or restarts in system logs (systemd unit failures, kernel segfault messages naming krb5kdc)
- Core dumps from the krb5kdc process whose backtrace ends in ec_verify
- Bursts of Kerberos authentication failures or timeouts across the network while the KDC is down
- KDC log entries for encrypted challenge pre-authentication failures from the same source shortly before a crash; the request that actually triggers the crash is usually not logged, because the process dies while handling it
Detection Strategies
- Monitor system logs for krb5kdc process crashes or segmentation faults; this is the most reliable signal, since the KDC cannot log the request that kills it
- Implement alerting for KDC service availability and automatic restart events, and treat repeated restarts within minutes as a likely attack rather than a one-off fault
- Review KDC logs for malformed or repeatedly failing encrypted challenge requests from a single source
- Use network intrusion detection systems to identify anomalous Kerberos AS-REQ traffic patterns, such as many FAST-armored requests with failing pre-authentication from one client
Monitoring Recommendations
- Configure real-time monitoring for KDC process health and availability
- Set up log aggregation to capture and analyze Kerberos authentication errors
- Enable core dump collection for post-incident forensic analysis
- Monitor network traffic for unusual volumes or patterns of Kerberos pre-authentication requests
How to Mitigate CVE-2021-36222
Immediate Actions Required
- Upgrade MIT Kerberos 5 to version 1.18.4 or later (for 1.18.x branch)
- Upgrade MIT Kerberos 5 to version 1.19.2 or later (for 1.19.x branch)
- Apply vendor-specific patches for affected third-party products (NetApp, Oracle, Debian)
- Implement KDC service monitoring and automatic restart capabilities as a temporary measure
Patch Information
MIT has released patched versions of Kerberos 5 that address this vulnerability. The fix is available in krb5 versions 1.18.4 and 1.19.2 or later. The security patch (commit fc98f520caefff2e5ee9a0026fdf5109944b3562) adds proper conditional checking before memory allocation operations to prevent NULL pointer dereference.
For additional vendor-specific patches, refer to:
- Debian Security Advisory DSA-4944
- Oracle Security Alert October 2021
- NetApp Security Advisory NTAP-20211022-0003
- NetApp Security Advisory NTAP-20211104-0007
Workarounds
- Restrict reachability of the KDC to trusted networks with network-level access controls; this narrows the attacker population but does not remove the bug, since any host that can reach port 88 can still trigger it without credentials
- Configure firewall rules to limit sources that can connect to KDC ports (typically 88/tcp and 88/udp), making sure that all legitimate clients, replicas and admin hosts remain allowed
- Deploy KDC replicas so that clients fail over while a crashed KDC restarts
- Enable automatic restart for the KDC daemon to shorten the outage from each crash; this is a stopgap only, since an attacker can keep sending requests
# Configuration example - restrict KDC access via iptables
# Only allow Kerberos traffic from trusted networks; 10.0.0.0/8 is a placeholder,
# substitute your client, replica and admin ranges. Rules are evaluated in
# order, so the ACCEPT rules must precede the DROP rules.
iptables -A INPUT -p tcp --dport 88 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j DROP
iptables -A INPUT -p udp --dport 88 -j DROP
# Configure systemd to restart the KDC automatically on failure.
# The unit is krb5kdc.service on Fedora/RHEL-style systems and
# krb5-kdc.service on Debian/Ubuntu; adjust the drop-in path to match.
mkdir -p /etc/systemd/system/krb5kdc.service.d
cat > /etc/systemd/system/krb5kdc.service.d/restart.conf <<'EOF'
[Service]
Restart=on-failure
RestartSec=5
EOF
systemctl daemon-reload
systemctl restart krb5kdc.service
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

