SecurityTracker.com
Category:  Application (Security)  >  Kerberos Vendors:  MIT
(IBM Issues Fix for AIX) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1011476
SecurityTracker URL:  http://securitytracker.com/id?1011476
CVE Reference:  CAN-2004-0642
Date:  Oct 1 2004
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.3.4 and prior versions
Description:  Several double-free vulnerabilities were reported in the Kerberos 5 Key Distribution Center (KDC) software. A remote user may be able to execute arbitrary code and compromise the Kerberos domain.

The vendor reported that the ASN.1 decoder functions use inconsistent memory management conventions. Under certain error conditions, the ASN.1 decoders may free memory without nulling the corresponding pointers [CVE: CAN-2004-0642]. As a result, some library functions that receive errors from the ASN.1 decoders may attempt to free those still-non-null pointers a second time.

It is also reported that krb5_rd_cred() in versions prior to 1.3.2 frees already-freed buffers returned by the decode_krb5_enc_cred_part() function when an error is returned [CVE: CAN-2004-0643].

It is also reported that a patch introduced in version 1.2.8 to disable krb4 cross-realm authentication in krb524d contains a double-free vulnerability [CVE: CAN-2004-0772].
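As an added illustration (not code from the advisory, from IBM or from MIT krb5), the inconsistent convention described above beside the corrected one, on a hypothetical toy "name@REALM" decoder rather than a real ASN.1 decoder: the names principal_t, dup_range, decode_principal_dangling, decode_principal_safe and parse_and_release are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of a "name@REALM" principal (hypothetical; the real input is ASN.1). */
typedef struct { char *name; char *realm; } principal_t;

static char *dup_range(const char *s, size_t n) {   /* portable strndup */
    char *out = malloc(n + 1);
    if (out) { memcpy(out, s, n); out[n] = '\0'; }
    return out;
}
/* Free and null each field: free(NULL) is a no-op, so repeat calls are harmless. */
void principal_free(principal_t *p) {
    free(p->name);  p->name  = NULL;
    free(p->realm); p->realm = NULL;
}

/* Vulnerable convention (the pattern the advisory describes): an error after a
 * partial decode frees memory but leaves the pointer non-null. Contrast only. */
int decode_principal_dangling(const char *in, principal_t *p) {
    const char *at = strchr(in, '@');
    p->name = p->realm = NULL;
    if (!at) return -1;
    if (!(p->name = dup_range(in, (size_t)(at - in)))) return -1;
    if (at[1] == '\0') {        /* empty realm: error after partial decode */
        free(p->name);          /* BUG: p->name still holds the freed address */
        return -1;
    }
    return (p->realm = dup_range(at + 1, strlen(at + 1))) ? 0 : -1;
}

/* Hardened convention: every error path leaves *p all-NULL before returning. */
int decode_principal_safe(const char *in, principal_t *p) {
    const char *at = strchr(in, '@');
    p->name = p->realm = NULL;
    if (!at) return -1;
    if (!(p->name = dup_range(in, (size_t)(at - in)))) return -1;
    if (at[1] == '\0' || !(p->realm = dup_range(at + 1, strlen(at + 1)))) {
        principal_free(p);      /* frees and nulls, so caller cleanup is safe */
        return -1;
    }
    return 0;
}

/* Caller pattern: on any decode error release the struct. With the dangling
 * decoder this is the second free() of p->name; with the safe one it is a no-op. */
int parse_and_release(const char *in, principal_t *p, int (*decode)(const char *, principal_t *)) {
    int rc = decode(in, p);
    if (rc != 0) principal_free(p);
    return rc;
}
```

The fix the advisory describes is the convention shown in decode_principal_safe: whichever side frees also nulls, so the other side's cleanup can be unconditional.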

The vendor credits Will Fiveash and Nico Williams at Sun, Marc Horowitz, Nalin Dahyabhai, Joseph Galbraith, and John Hawkinson with discovering these flaws.

Impact:  A remote user may be able to execute arbitrary code on a target KDC system. This will compromise the entire Kerberos realm.

A remote user may be able to execute arbitrary code on a target system running krb524d.

A remote user acting as a KDC or application server may be able to execute arbitrary code on a target client host while the client is authenticating.

Solution:  IBM has issued the following fixes:

For AIX 5.1.0: Upgrade to version 1.3.0.2 or version 1.4.0.1.

For AIX 5.2.0: Upgrade to version 1.4.0.1.

For AIX 5.3.0: Upgrade to version 1.4.0.1.

Vendor URL:  web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
Cause:  State error
Underlying OS:  UNIX (AIX)
Underlying OS Comments:  5.1, 5.2, and 5.3

Message History:   This archive entry is a follow-up to the message listed below.
Aug 31 2004 Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Date:  Fri, 1 Oct 2004 00:36:00 -0400
Subject:  [none]

 
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
IBM SECURITY ADVISORY
 
First Issued: Thu Sep 30 14:42:06 CDT 2004
 
===========================================================================
                           VULNERABILITY SUMMARY
 
VULNERABILITY:      Double free vulnerabilities may result in a denial of
                    service or allow an attacker to execute arbitrary code.
                    A vulnerability in the ASN.1 decoder library may
                    allow an attacker to cause an infinite loop
                    resulting in a denial of service.
 
PLATFORMS:          AIX 5.1, AIX 5.2 and AIX 5.3.
 
SOLUTION:           Apply the fixes described below.
 
THREAT:             A remote attacker may execute arbitrary code or cause
                    a denial of service against a KDC or kerberoized
                    daemon or client.
 
CERT VU Number:     VU#795632 (CAN-2004-0642), VU#866472 (CAN-2004-0643)
                    and VU#550464 (CAN-2004-0644)
===========================================================================
                           DETAILED INFORMATION
 
 
I.  Description
===============
The MIT Kerberos team recently reported various vulnerabilities in Kerberos
version 5. AIX includes several kerberoized applications which are affected
by these vulnerabilities. The applications include NFS version 4.0; the
LDAP, KRB5 and KRB5A authentication modules; OpenSSH and the secure
r-commands (rsh, krshd, rlogin, krlogind, ftp, ftpd and telnet, telnetd
when configured to use Kerberos). Kerberos is available for AIX via Network
Authentication Service on the Expansion Pack.
 
VU#795632 (CAN-2004-0642) and VU#866472 (CAN-2004-0643) may allow an
attacker to execute arbitrary code on a KDC, kerberoized daemon or
kerberoized client. VU#550464 (CAN-2004-0644) may be exploited to cause a
KDC, kerberoized daemon or kerberoized client to hang in an infinite loop
resulting in a denial of service. More information about these
vulnerabilities can be found in MIT krb5 security advisories 2004-002 and
2004-003 which are located at http://web.mit.edu/kerberos/advisories/.
 
The following versions of Network Authentication Service are vulnerable:
 
     * Network Authentication Service 1.3.0.1 and earlier
     * Network Authentication Service 1.4.0.0
 
To determine what version of Network Authentication Service is installed,
execute the following commands:
 
# lslpp -L krb5.client.rte
# lslpp -L krb5.server.rte
 
If the filesets are installed they will be listed along with version
information, state, type and a description. The first command prints
information for the client fileset and the second command prints
information for the server fileset. Affected hosts should upgrade all
affected Network Authentication Service filesets that are installed.
 
 
II. Impact
==========
 
A remote attacker may cause a denial of service or execute arbitrary code.
 
III.  Solutions
===============
 
A. Official Fix
IBM provides the following fixes:
 
      AIX 5.1.0: Customers using version 1.3.0.1 and earlier may contact your
                 local IBM AIX support center to request version 1.3.0.2 or
                 version 1.4.0.1.
                 Customers using version 1.4.0.0 may contact your local IBM AIX
                 support center to request version 1.4.0.1.
                 Customers may upgrade to version 1.4.0.1 available on the
                 AIX 5L for POWER V5.1 Expansion Pack
                 (form number LCD4-1079-10). The Expansion Pack will be
                 available on 12/03/04.
      AIX 5.2.0: Customers using version 1.4.0.0 may contact your local
                 IBM AIX support center to request version 1.4.0.1.
                 Customers may upgrade to version 1.4.0.1 available on the
                 AIX 5L for POWER V5.2 Expansion Pack
                 (form number LCD4-1142-06). The Expansion Pack will be
                 available on 12/03/04.
      AIX 5.3.0: Customers using version 1.4.0.0 may contact your local
                 IBM AIX support center to request version 1.4.0.1.
                 Customers may upgrade to version 1.4.0.1 available on the
                 AIX 5L for POWER V5.3 Expansion Pack
                 (form number LCD4-7460-01). The Expansion Pack will be
                 available on 12/03/04.
 
 
IV.  Contact Information
========================
 
If you would like to receive AIX Security Advisories via email, please visit:
     https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
 
Comments regarding the content of this announcement can be directed to:
 
     security-alert@austin.ibm.com
 
To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a
PGP Public Key Server. The key id is 0x3AE561C3.
 
Please contact your local IBM AIX support center for any assistance.
 
eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
 
 
 
IBM, eServer and pSeries are trademarks or registered trademarks of International 
Business Machines Corporation in the United States or other countries, or both.
ALL INFORMATION IS PROVIDED BY IBM ON AN "AS IS" BASIS ONLY. IBM PROVIDES NO 
REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES 
OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY AND NONINFRINGMENT.
This document may be copied provided all text is included and copies contain IBM's 
copyright notice and any other notices provided herein.
 


Copyright 2004, SecurityGlobal.net LLC