(Apple Issues Fix for OS X) Kerberos 5 ASN.1 Decoder Infinite Loop Lets Remote Users Deny Service
|
|
SecurityTracker Alert ID: 1012398
|
|
SecurityTracker URL: http://securitytracker.com/id?1012398
|
|
CVE Reference: CAN-2004-0644
|
Date: Dec 2 2004
|
Impact: Denial of service via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 1.2.2 through 1.3.4
|
Description: A denial of service vulnerability was reported in the ASN.1 decoder library of Kerberos 5. A remote user can cause a Key Distribution Center (KDC) or an application server to enter an infinite loop.
The vendor reported that if an ASN.1 SEQUENCE type is encoded with an indefinite length, the asn1buf_sync() function attempts to skip any trailing unrecognized fields with the asn1buf_skiptail() function. The asn1buf_skiptail() function does not properly handle certain error conditions and may enter an infinite loop.
The vendor credits Will Fiveash and Nico Williams at Sun with discovering this vulnerability.
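A bounded way to skip trailing fields of an indefinite-length BER value, as an added example that is not MIT's or Apple's code: `skip_tail`, its return codes and `MAX_DEPTH` are hypothetical names, the sample buffers are constructed, and only single-octet tags are handled. Every error path returns, and every pass through the loop consumes input, so malformed or truncated data cannot make it spin.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum { SKIP_OK = 0, SKIP_TRUNCATED = -1, SKIP_MALFORMED = -2, SKIP_TOO_DEEP = -3 };
#define MAX_DEPTH 16   /* assumed nesting cap for this example */

/* Skip unrecognized trailing elements of an indefinite-length BER value.
 * On SKIP_OK, *pos is just past the closing end-of-contents octets (00 00).
 * Each pass either returns or consumes at least two octets. */
static int skip_tail(const uint8_t *buf, size_t len, size_t *pos)
{
    size_t p = *pos;
    int depth = 1;                              /* open indefinite-length values */
    if (p > len) return SKIP_TRUNCATED;
    while (depth > 0) {
        if (len - p < 2) return SKIP_TRUNCATED; /* no room for tag + length */
        uint8_t tag = buf[p], l = buf[p + 1];
        p += 2;
        if (tag == 0x00 && l == 0x00) { depth--; continue; } /* end-of-contents */
        if ((tag & 0x1f) == 0x1f) return SKIP_MALFORMED;     /* multi-octet tag */
        if (l == 0x80) {                        /* nested indefinite length */
            if (!(tag & 0x20)) return SKIP_MALFORMED;        /* primitive: invalid */
            if (++depth > MAX_DEPTH) return SKIP_TOO_DEEP;
            continue;
        }
        size_t n = l;
        if (l & 0x80) {                         /* long form: k length octets */
            size_t k = l & 0x7f;
            if (k > sizeof(size_t)) return SKIP_MALFORMED;
            if (len - p < k) return SKIP_TRUNCATED;
            for (n = 0; k > 0; k--) n = (n << 8) | buf[p++];
        }
        if (n > len - p) return SKIP_TRUNCATED; /* content runs past the buffer */
        p += n;
    }
    *pos = p;
    return SKIP_OK;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t GOOD[]   = {0x04, 0x02, 0xAA, 0xBB, 0x00, 0x00};
static const uint8_t CUT[]    = {0x04, 0x05, 0xAA};  /* length overruns buffer */
static const uint8_t NO_EOC[] = {0x04, 0x01, 0xAA};  /* never terminated */
static const uint8_t NESTED[] = {0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00};
int main(void)
{
    size_t a = 0, b = 0, c = 0, d = 0;
    printf("%d %d ", skip_tail(GOOD, sizeof GOOD, &a), skip_tail(CUT, sizeof CUT, &b));
    printf("%d %d\n", skip_tail(NO_EOC, sizeof NO_EOC, &c), skip_tail(NESTED, sizeof NESTED, &d));
    return 0;
}
```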
|
Impact: A remote user can cause the KDC or application server to enter an infinite loop.
|
Solution: Apple has issued a fix as part of Security Update 2004-12-02, available at:
- Software Update preferences
- Apple Downloads:
http://www.apple.com/swupdates/
|
Vendor URL: web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt
|
Cause: State error
|
Underlying OS: UNIX (OS X)
|
Underlying OS Comments: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 2 Dec 2004 16:40:18 -0500
Subject: [none]
|
Security Update 2004-12-02
Cyrus IMAP
Available for: Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1089
Impact: When using Kerberos authentication with Cyrus IMAP an authenticated user could
gain unauthorized access to other mailboxes on the same system.
Description: When using the Kerberos authentication mechanism with the Cyrus IMAP
server a user could switch mailboxes after authenticating and gain access to other
mailboxes on the same system. This update binds the mailbox to the authenticated user.
This server-specific issue is not present in Mac OS X Server v10.2.8. Credit to
johan.gradvall@gothia.se for reporting this issue.
HIToolbox
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1085
Impact: Users can quit applications in kiosk mode
Description: A special key combination allowed users to bring up the force quit window
even in kiosk mode. This update will block all force-quit key combinations from working
while in kiosk mode. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server
v10.2.8. Credit to Glenn Blauvelt of University of Colorado at Boulder for reporting
this issue.
Kerberos
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-0642, CAN-2004-0643, CAN-2004-0644, CAN-2004-0772
Impact: Exposure to a potential denial of service when Kerberos authentication is used
Description: MIT has released a new version of Kerberos that addresses a denial of
service and three double free errors. Mac OS X contains protection against double free
errors. This update applies the fix for the denial of service problem. As a
precautionary measure the double free patches have also been applied. Credit to the MIT
Kerberos Development Team for reporting this issue and providing fixes.
Postfix
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1088
Impact: Postfix using CRAM-MD5 may allow a remote user to send mail without properly authenticating.
Description: Postfix servers using CRAM-MD5 to authenticate senders were vulnerable to
a replay attack. Under some circumstances, the credentials used to successfully
authenticate a user could be re-used for a small time period. The CRAM-MD5 algorithm
used to authenticate users has been updated to prevent the replay window. This issue is
not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to Victor Duchovni
of Morgan Stanley for reporting this issue.
PSNormalizer
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1086
Impact: A buffer overflow in PostScript to PDF conversion could allow execution of
arbitrary code.
Description: A buffer overflow in the handling of PostScript to PDF conversion could
potentially allow the execution of arbitrary code. This update corrects the PostScript
to PDF conversion code to prevent the buffer overflow. This issue is not present in Mac
OS X v10.2.8 or Mac OS X Server v10.2.8.
QuickTime Streaming Server
Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1123
Impact: Specially crafted requests could cause a denial of service.
Description: QuickTime Streaming Server was vulnerable to a denial of service attack
when handling DESCRIBE requests. This update corrects the handling of these requests.
Credit to iDEFENSE for reporting this issue.
Terminal
Available for: Mac OS X v10.3.6 and Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1087
Impact: Terminal may indicate that 'Secure Keyboard Entry' is active when it is not.
Description: The 'Secure Keyboard Entry' menu setting was not properly restored when
launching Terminal.app. A check mark would be displayed next to 'Secure Keyboard Entry'
even though it was not enabled. This update fixes the behavior of the 'Secure Keyboard
Entry'. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8.
Credit to Jonathan 'Wolf' Rentzsch of Red Shed Software for reporting this issue.
|
|