(Cisco Issues Fix for VPN 3000) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1011108
SecurityTracker URL: http://securitytracker.com/id?1011108
CVE Reference: CAN-2004-0642
Date: Aug 31 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.0.x prior to 4.0.5.B; 4.1.x prior to 4.1.5.B
Description: Several double-free vulnerabilities were reported in the Kerberos 5 Key Distribution Center (KDC) software. A remote user may be able to execute arbitrary code and compromise the Kerberos domain. The Cisco VPN 3000 concentrators are affected when authenticating users against a KDC.

The vendor reported that the ASN.1 decoder functions use inconsistent memory management conventions. Under certain error conditions, the ASN.1 decoders may free memory without nulling the corresponding pointers [CVE: CAN-2004-0642]. As a result, some library functions that receive errors from the ASN.1 decoders may attempt to free the non-null pointers a second time.

It is also reported that krb5_rd_cred() in versions prior to 1.3.2 frees already-freed buffers returned by the decode_krb5_enc_cred_part() function when an error is returned [CVE: CAN-2004-0643].

It is also reported that a patch introduced in version 1.2.8 to disable krb4 cross-realm authentication in krb524d contains a double-free vulnerability [CVE: CAN-2004-0772].

The vendor credits Will Fiveash and Nico Williams at Sun, Marc Horowitz, Nalin Dahyabhai, Joseph Galbraith, and John Hawkinson with discovering these flaws.
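The CAN-2004-0642 pattern above is a contract mismatch between a decoder and its callers: the decoder frees the output buffer on an error path but leaves the caller's pointer non-NULL, and the caller's cleanup convention is "free whatever is non-NULL". The following is an added, self-contained C illustration written for this entry; it is not code from MIT Kerberos or from Cisco, and every name in it (toy_decode_broken, toy_decode_fixed, tracked_free, run_caller) is invented. The instrumented tracked_free() counts a second release of the same block instead of handing it to the real free(), so the program demonstrates the defect and the fix (null the pointer on the error path) without corrupting its own heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Kerberos or Cisco code): models the decoder/caller
 * memory-ownership mismatch described in the advisory. */

/* Instrumented free(): releases each pointer once and counts any attempt to
 * release the same block a second time rather than corrupting the heap. */
#define MAX_TRACKED 16
static void *freed_ptrs[MAX_TRACKED];
static int freed_count;
static int double_free_attempts;

static void tracked_reset(void) {
    freed_count = 0;
    double_free_attempts = 0;
}

static void tracked_free(void *p) {
    if (p == NULL) return;              /* free(NULL) is a no-op by definition */
    for (int i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) {       /* second free of the same block */
            double_free_attempts++;
            return;                     /* never pass it to the real free() */
        }
    }
    if (freed_count < MAX_TRACKED) freed_ptrs[freed_count++] = p;
    free(p);
}

typedef int (*decode_fn)(const unsigned char *in, size_t len, char **out);

/* Broken convention: on error the decoder frees *out but leaves the pointer
 * dangling, while callers assume "non-NULL means still owned by me". */
static int toy_decode_broken(const unsigned char *in, size_t len, char **out) {
    *out = malloc(len + 1);
    if (*out == NULL) return -1;
    memcpy(*out, in, len);
    (*out)[len] = '\0';
    if (len == 0 || in[0] != 0x30) {    /* toy rule: input must start with a SEQUENCE tag */
        tracked_free(*out);             /* freed here ...                        */
        return -1;                      /* ... but *out still points at the block */
    }
    return 0;
}

/* Fixed convention: a decoder that fails never hands back a dangling pointer. */
static int toy_decode_fixed(const unsigned char *in, size_t len, char **out) {
    *out = malloc(len + 1);
    if (*out == NULL) return -1;
    memcpy(*out, in, len);
    (*out)[len] = '\0';
    if (len == 0 || in[0] != 0x30) {
        tracked_free(*out);
        *out = NULL;                    /* the caller's cleanup now sees NULL */
        return -1;
    }
    return 0;
}

/* Library-style caller: on any error, release whatever the decoder left behind.
 * Returns the number of double-free attempts observed for this input. */
static int run_caller(decode_fn decode, const unsigned char *in, size_t len) {
    char *buf = NULL;
    tracked_reset();
    if (decode(in, len, &buf) != 0) {
        tracked_free(buf);              /* safe only if buf is NULL or still live */
    } else {
        tracked_free(buf);              /* normal cleanup on success */
    }
    buf = NULL;
    return double_free_attempts;
}

int main(void) {
    /* Constructed sample inputs: a non-SEQUENCE tag (rejected) and a SEQUENCE tag (accepted). */
    static const unsigned char bad[]  = { 0x04, 0x01, 0xFF };
    static const unsigned char good[] = { 0x30, 0x00 };
    printf("broken decoder, bad input : %d double-free attempt(s)\n",
           run_caller(toy_decode_broken, bad, sizeof bad));
    printf("fixed decoder, bad input  : %d double-free attempt(s)\n",
           run_caller(toy_decode_fixed, bad, sizeof bad));
    printf("fixed decoder, good input : %d double-free attempt(s)\n",
           run_caller(toy_decode_fixed, good, sizeof good));
    return 0;
}
```

The point of the fix is that the memory-ownership rule becomes uniform on every return path: after a failed decode the caller's pointer is NULL, so its unconditional cleanup is harmless. Under a real allocator the broken variant is the heap corruption the advisory describes; the instrumentation here only makes the second free visible and countable.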
Impact: A remote user may be able to execute arbitrary code on a target KDC system. This will compromise the entire Kerberos realm.

A remote user may be able to execute arbitrary code on a target system running krb524d.

A remote user acting as a KDC or application server may be able to execute arbitrary code on a target client host while the client is authenticating.
Solution: Cisco has issued a fix for the VPN 3000 Concentrator series, which is affected by the Kerberos vulnerability. A fix is available in versions 4.0.5.B and later and 4.1.5.B and later. See the Cisco advisory for patch information:
http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml
Vendor URL: www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml
Cause: State error
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 31 Aug 2004 16:04:18 -0400
Subject: http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml
Cisco Security Advisory: Vulnerabilities in Kerberos 5 Implementation
Document ID: 61720
Cisco reported that the Cisco VPN 3000 Series Concentrators authenticating users against a Kerberos Key Distribution Center (KDC) may be vulnerable to the recently reported Kerberos 5 vulnerabilities. A remote user may be able to execute arbitrary code or deny service.

Cisco reports that all 4.0.x versions prior to 4.0.5.B and all 4.1.x versions prior to 4.1.5.B are vulnerable. Versions prior to 4.0.x are not vulnerable because they do not support Kerberos authentication.

Cisco has assigned Bug IDs CSCef24692 and CSCef24900 to these vulnerabilities.

The vendor has issued a fix in versions 4.0.5.B and later and 4.1.5.B and later of the Cisco VPN 3000 Series Concentrators.