ESB-2012.0001 - ALERT [Win][UNIX/Linux] krb5: Root compromise - Remote/unauthenticated

Date: 03 January 2012
References: ESB-2012.0002  ESB-2012.0003  ESB-2012.0005  ESB-2012.0006  ESB-2012.0009  ESB-2012.0333.2  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0001
                        Buffer overflow in telnetd
                              3 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           krb5
Publisher:         MIT
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Root Compromise -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4862  

Original Bulletin: 
   http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt

Comment: Please note that the exploit code is being actively used in the wild
         and does not require authentication.

--------------------------BEGIN INCLUDED TEXT--------------------

MITKRB5-SA-2011-008

MIT krb5 Security Advisory 2011-008
Original release: 2011-12-26
Last update: 2011-12-26

Topic: buffer overflow in telnetd

CVE-2011-4862

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  8.3

Exploitability:         Functional
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

The telnet daemon (telnetd) in MIT krb5 (and in krb5-appl after the
applications were moved to a separate distribution for krb5-1.8) is
vulnerable to a buffer overflow.  The flaw does not require
authentication to exploit.  Exploit code is reported to be actively
used in the wild.

IMPACT
======

An unauthenticated remote attacker can cause a buffer overflow and
probably execute arbitrary code with the privileges of the telnet
daemon (normally root).

AFFECTED SOFTWARE
=================

* The telnet daemon in all releases of MIT krb5 prior to krb5-1.8 is
  vulnerable.  Later releases moved the telnet code to the krb5-appl
  distribution.

* The telnet daemon in all releases of krb5-appl is vulnerable.

FIXES
=====

* Workaround: Disable telnet and use a more secure remote login
  solution, such as SSH.

* A future release of krb5-appl will fix this vulnerability.

* Apply the following patch:

diff --git a/telnet/libtelnet/encrypt.c b/telnet/libtelnet/encrypt.c
index f75317d..b8d6cdd 100644
--- a/telnet/libtelnet/encrypt.c
+++ b/telnet/libtelnet/encrypt.c
@@ -757,6 +757,9 @@ static void encrypt_keyid(kp, keyid, len)
 	int dir = kp->dir;
 	register int ret = 0;
 
+	if (len > MAXKEYLEN)
+		len = MAXKEYLEN;
+
 	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
 		if (len == 0)
 			return;
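Review bot: clamping `len` to MAXKEYLEN at the top of encrypt_keyid() silently truncates an oversized key ID rather than rejecting the suboption, so a malformed peer key ID is processed as if it were valid, just shortened. The bound does close the overflow into the fixed-size buffer that the DETAILS section describes, but consider treating `len > MAXKEYLEN` as a protocol error (returning without copying, as the `if (len == 0) return;` branch below already does for the empty case) and adding a one-line comment naming CVE-2011-4862 so the check is not dropped in a later refactor.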


  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-008-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-008-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2011-4862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html

ACKNOWLEDGMENTS
===============

We became aware of this vulnerability through a FreeBSD security
advisory.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

If the telnetd receives an ENCRYPT suboption that includes a key ID,
encrypt_keyid() in libtelnet/encrypt.c copies the suboption contents
into a fixed-size static buffer without first constraining the length,
leading to a buffer overflow.
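To make the flaw and the fix concrete, here is a small model of the key-ID copy written for this bulletin; it is an added example, not MIT's encrypt.c. The value of MAXKEYLEN, the static buffer and the function names are assumptions, and the pre-patch copy is not performed because it would write past the buffer.

```c
#include <string.h>

/* Assumed stand-ins for the fixed-size static key-ID store that
 * encrypt_keyid() in libtelnet/encrypt.c writes into. */
#define MAXKEYLEN 64
static unsigned char keyid_store[MAXKEYLEN];
static int keyid_len;

/* Pre-patch behaviour: the length taken from the peer's ENCRYPT suboption
 * was trusted, so any len > MAXKEYLEN overran keyid_store. This helper only
 * reports whether a given length would have done so. */
int keyid_copy_would_overflow(int len)
{
    return len < 0 || len > MAXKEYLEN;
}

/* Patched behaviour (the advisory's diff): clamp len before the copy so
 * memcpy can never exceed the buffer. Returns the number of bytes stored. */
int keyid_store_clamped(const unsigned char *keyid, int len)
{
    if (len > MAXKEYLEN)
        len = MAXKEYLEN;
    if (len < 0)
        len = 0;
    memcpy(keyid_store, keyid, (size_t)len);
    keyid_len = len;
    return keyid_len;
}

/* Stricter alternative: reject an oversized key ID as a protocol error
 * instead of silently truncating it. Returns -1 on rejection. */
int keyid_store_strict(const unsigned char *keyid, int len)
{
    if (len < 0 || len > MAXKEYLEN)
        return -1;
    memcpy(keyid_store, keyid, (size_t)len);
    keyid_len = len;
    return keyid_len;
}

/* Constructed input: a 100-byte key ID, longer than the 64-byte store. */
int demo_oversized_keyid(void)
{
    unsigned char big[100];
    memset(big, 'k', sizeof big);
    return keyid_store_clamped(big, (int)sizeof big);  /* returns 64 */
}
```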

REVISION HISTORY
================

2011-12-26      original release

Copyright (C) 2011 Massachusetts Institute of Technology

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================