Published:
06 September 2004
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0556 -- US-CERT Technical Cyber Security Alert TA04-247A
Vulnerabilities in MIT Kerberos 5
6 September 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: MIT Kerberos 5 versions prior to krb5-1.3.5
Applications that use MIT Kerberos 5 libraries
Applications with code derived from MIT Kerberos 5
Publisher: US-CERT
Impact: Root Compromise
Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CAN-2004-0642 CAN-2004-0643 CAN-2004-0644
CAN-2004-0772
Ref: AL-2004.026
ESB-2004.0551
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA04-247A
Vulnerabilities in MIT Kerberos 5
Original release date: September 3, 2004
Last revised: --
Source: US-CERT
Systems Affected
* MIT Kerberos 5 versions prior to krb5-1.3.5
* Applications that use versions of MIT Kerberos 5 libraries prior
to krb5-1.3.5
* Applications that contain code derived from MIT Kerberos 5
Updated vendor information is available in the systems affected
section of the individual vulnerability notes.
Overview
The MIT Kerberos 5 implementation contains several vulnerabilities,
the most severe of which could allow an unauthenticated, remote
attacker to execute arbitrary code on a Kerberos Distribution Center
(KDC). This could result in the compromise of an entire Kerberos
realm.
I. Description
There are several vulnerabilities in the MIT implementation of the
Kerberos 5 protocol. With one exception (VU#550464), all of the
vulnerabilities involve insecure deallocation of heap memory
(double-free vulnerabilities) during error handling and Abstract
Syntax Notation One (ASN.1) decoding. For further details, please see
the following vulnerability notes:
VU#795632 - MIT Kerberos 5 ASN.1 decoding functions insecurely
deallocate memory (double-free)
The MIT Kerberos 5 library does not securely deallocate heap memory
when decoding ASN.1 structures, resulting in double-free
vulnerabilities. An unauthenticated, remote attacker could execute
arbitrary code on a KDC server, which could compromise an entire
Kerberos realm. An attacker may also be able to execute arbitrary code
on Kerberos clients, or cause a denial of service on KDCs or clients.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0642)
VU#866472 - MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred()
insecurely deallocates memory (double-free)
The krb5_rd_cred() function in the MIT Kerberos 5 library does not
securely deallocate heap memory when decoding ASN.1 structures,
resulting in a double-free vulnerability. A remote, authenticated
attacker could execute arbitrary code or cause a denial of service on
any system running an application that calls krb5_rd_cred(). This
includes Kerberos application servers and other applications that
process Kerberos authentication via the MIT Kerberos 5 library,
Generic Security Services Application Programming Interface (GSSAPI),
and other libraries.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0643)
VU#350792 - MIT Kerberos krb524d insecurely deallocates memory
(double-free)
The MIT Kerberos krb524d daemon does not securely deallocate heap
memory when handling an error condition, resulting in a double-free
vulnerability. An unauthenticated, remote attacker could execute
arbitrary code on a system running krb524d, which in many cases is
also a KDC. The compromise of a KDC system can lead to the compromise
of an entire Kerberos realm. An attacker may also be able to cause a
denial of service on a system running krb524d.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0772)
VU#550464 - MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail()
does not properly terminate loop
The asn1buf_skiptail() function in the MIT Kerberos 5 library does not
properly terminate a loop, allowing an unauthenticated, remote
attacker to cause a denial of service in a KDC, application server, or
Kerberos client.
(Other resources: MITKRB5-SA-2004-003, CAN-2004-0644)
II. Impact
The impacts of these vulnerabilities vary, but an attacker may be able
to execute arbitrary code on KDCs, systems running krb524d (typically
also KDCs), application servers, applications that use Kerberos
libraries directly or via GSSAPI, and Kerberos clients. An attacker
could also cause a denial of service on any of these systems.
The most severe vulnerabilities could allow an unauthenticated, remote
attacker to execute arbitrary code on a KDC system. This could result
in the compromise of both the KDC and an entire Kerberos realm.
III. Solution
Apply a patch or upgrade
Check with your vendor(s) for patches or updates. For information
about a specific vendor, please see the systems affected sections in
the individual vulnerability notes or contact your vendor directly.
Alternatively, apply the appropriate source code patch(es) referenced
in MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003 and recompile.
These vulnerabilities will be addressed in krb5-1.3.5.
Appendix A. References
* Vulnerability Note VU#795632 -
<http://www.kb.cert.org/vuls/id/795632>
* Vulnerability Note VU#866472 -
<http://www.kb.cert.org/vuls/id/866472>
* Vulnerability Note VU#350792 -
<http://www.kb.cert.org/vuls/id/350792>
* Vulnerability Note VU#550464 -
<http://www.kb.cert.org/vuls/id/550464>
* MIT krb5 Security Advisory 2004-002 -
<http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfre
e.txt>
* MIT krb5 Security Advisory 2004-003 -
<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-as
n1.txt>
* Kerberos: The Network Authentication Protocol -
<http://web.mit.edu/kerberos/www/>
_______________________________________________________________________
Thanks to Tom Yu and the MIT Kerberos Development team for addressing
these vulnerabilities and coordinating with vendors. MIT credits the
following people: Will Fiveash, Joseph Galbraith, John Hawkinson, Marc
Horowitz, and Nico Williams.
_______________________________________________________________________
Feedback can be directed to the author: Art Manion
_______________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA04-245A.html>
_______________________________________________________________________
Copyright 2004 Carnegie Mellon University. Terms of use
Terms of use: <http://www.us-cert.gov/legal.html>
_______________________________________________________________________
Revision History
September 3, 2004: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBOM3iXlvNRxAkFWARAs9xAKC23q9EekPz/InQVWZPeUVhH4bnKwCgkVfh
vKAOqE4sCXyydZ4BKnNreK8=
=7R1M
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQTwR/Sh9+71yA2DNAQJPGgQAgWfhkNlOQUwUnUMzOefngNs2r6R+hEDg
gp35RAr+Vkakiorf7qCbsGONPGty32pzyTSUlIsFBc9FCaEUUOw6mA3ppQfEhAA6
YxlITCPH6oUFmIYgCNuosjZZvgKG482u9ZwSbgGdg7NwQi6u3WUl9PsUBEpIcBov
jqCj/6lpJl4=
=g79b
-----END PGP SIGNATURE-----