SecurityTracker.com Archives - (Conectiva Issues Fix) Kerberos 5 ASN.1 Decoder Infinite Loop Lets Remote Users Deny Service

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Security) > Kerberos

Vendors: MIT

(Conectiva Issues Fix) Kerberos 5 ASN.1 Decoder Infinite Loop Lets Remote Users Deny Service

SecurityTracker Alert ID: 1012721

SecurityTracker URL: http://securitytracker.com/id?1012721

CVE Reference: CAN-2004-0644 (Links to External Site)

Date: Dec 29 2004

Impact: Denial of service via network

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 1.2.2 through 1.3.4

Description: A denial of service vulnerability was reported in Kerberos 5 in the ASN.1 decoder library. A remote user can cause a Key Distribution Center (KDC) or an application server to enter an infinite loop.

The vendor reported that if the ASN.1 SEQUENCE type was encoded with an indefinite length, the asn1bug_snc() function will attempt to skip any trailing unrecognized fields with the asn1buf_skiptail() function. The asn1buf_skiptail() function does not properly handle certain error conditions and may enter an infinite loop.

The vendor credits Will Fiveash and Nico Williams at Sun with discovering this vulnerability.

Impact: A remote user can cause the KDC or application server to enter an infinite loop.

Vendor URL: web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt (Links to External Site)

Cause: State error

Underlying OS: Linux (Conectiva)

Underlying OS Comments: 9, 10

Reported By: Conectiva Updates <secure@conectiva.com.br>

Message History: This archive entry is a follow-up to the message listed below.

Aug 31 2004

Kerberos 5 ASN.1 Decoder Infinite Loop Lets Remote Users Deny Service

Source Message Contents

Date: Thu, 9 Sep 2004 20:54:06 -0300
From: Conectiva Updates <secure@conectiva.com.br>
Subject: [Conectiva-updates] [CLA-2004:860] Conectiva Security Announcement

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : krb5
SUMMARY   : Multiple vulnerabilities in Kerberos 5
DATE      : 2004-09-09 20:53:00
ID        : CLA-2004:860
RELEVANT
RELEASES  : 9, 10

- -------------------------------------------------------------------------

DESCRIPTION
 The "krb5" packages are MIT's[1] implementation of the Kerberos 5
 authentication protocol.
 
 This announcement fixes several vulnerabilities listed in the
 advisories MITKRB5-SA-2004-001[2], MITKRB5-SA-2004-002[3] and
 MITKRB5-SA-2004-003[4]:
 
 1. Buffer overflows in krb5_aname_to_localname() (CAN-2004-0523[5])
 
 The krb5_aname_to_localname() library function contains multiple
 buffer overflows vulnerabilities[5] which could be exploited to gain
 unauthorized root access.  Exploitation of these flaws requires an
 unusual combination of factors, including successful authentication
 to a vulnerable service and a non-default configuration on the target
 service.  This announcement updates the correction used to the patch
 provided by Bill Dodd.
 
 2. Several double-free vulnerabilities in KDC and libraries
 (CAN-2004-0642[6], CAN-2004-0643[7], CAN-2004-0772[8])
 
 The MIT Kerberos 5 implementation's Key Distribution Center (KDC)
 program contains a double-free vulnerability that potentially allows
 a remote attacker to execute arbitrary code. Additionally,
 double-free vulnerabilities exist in MIT Kerberos 5 library code,
 making client programs and application servers vulnerable. The
 vulnerability in krb524d was discovered by Marc Horowitz; the other
 double-free vulnerabilities were discovered by Will Fiveash and Nico
 Williams
 at Sun.
 
 3. ASN.1 decoder denial of service (CAN-2004-0644[9])
 
 Will Fiveash and Nico Williams also found a denial-of-service
 vulnerability[9] in the ASN.1 decoder library in the MIT Kerberos 5
 distribution which could lead to an infinite loop in the decoder,
 allowing an unauthenticated remote attacker to cause a KDC or
 application server to hang inside an infinite loop and an attacker
 impersonating a legitimate KDC or application server to cause a
 client program to hang inside an infinite loop.


SOLUTION
 It is recommended that all Kerberos users in Conectiva Linux upgrade
 their packages. Please note that the service will be automatically
 restarted after the upgrade if it was already running.
 
 Several applications can make use of the Kerberos libraries. Those
 applications have to be restarted as well.
 
 
 REFERENCES
 1.http://web.mit.edu/Kerberos/www/index.html
 2.http://web.mit.edu/Kerberos/www/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
 3.http://web.mit.edu/Kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
 4.http://web.mit.edu/Kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt
 5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0523
 6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
 7.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
 8.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772
 9.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/krb5-1.3.3-62470U10_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-server-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-apps-servers-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-devel-static-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-client-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-doc-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-devel-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-apps-clients-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/krb5-1.2.7-28721U90_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-devel-static-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-devel-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-client-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-doc-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-apps-clients-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-apps-servers-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-server-1.2.7-28721U90_3cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBQO0d42jd0JmAcZARAhQWAJ9XTIOwgf+6dapxACFPabt64qBWdACdHjsx
KFGcVXgw29vt/C5QdBBRh/o=
=RNsz
-----END PGP SIGNATURE-----


______________________________________________________________________
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2004, SecurityGlobal.net LLC