
Category:  Application (Security)  >  Kerberos
Vendors:  MIT
(IBM Issues Fix for AIX) Kerberos 5 ASN.1 Decoder Infinite Loop Lets Remote Users Deny Service
SecurityTracker Alert ID:  1011477
SecurityTracker URL:  http://securitytracker.com/id?1011477
CVE Reference:  CAN-2004-0644   (Links to External Site)
Date:  Oct 1 2004
Impact:  Denial of service via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.2.2 through 1.3.4
Description:  A denial of service vulnerability was reported in Kerberos 5 in the ASN.1 decoder library. A remote user can cause a Key Distribution Center (KDC) or an application server to enter an infinite loop.

The vendor reported that when an ASN.1 SEQUENCE type is encoded with an indefinite length, the asn1buf_sync() function attempts to skip any trailing unrecognized fields by calling the asn1buf_skiptail() function. The asn1buf_skiptail() function does not properly handle certain error conditions and may enter an infinite loop.

The vendor credits Will Fiveash and Nico Williams at Sun with discovering this vulnerability.

Impact:  A remote user can cause the KDC or application server to enter an infinite loop.
Solution:  IBM has issued the following fixes:

For AIX 5.1.0: Upgrade to version 1.3.0.2 or version 1.4.0.1.

For AIX 5.2.0: Upgrade to version 1.4.0.1.

For AIX 5.3.0: Upgrade to version 1.4.0.1.

Vendor URL:  web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt (Links to External Site)
Cause:  State error
Underlying OS:  UNIX (AIX)
Underlying OS Comments:  5.1, 5.2, and 5.3

Message History:   This archive entry is a follow-up to the message listed below.
Aug 31 2004 Kerberos 5 ASN.1 Decoder Infinite Loop Lets Remote Users Deny Service



 Source Message Contents

Date:  Fri, 1 Oct 2004 00:36:00 -0400
Subject:  [none]

 
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
IBM SECURITY ADVISORY
 
First Issued: Thu Sep 30 14:42:06 CDT 2004
 
===========================================================================
                           VULNERABILITY SUMMARY
 
VULNERABILITY:      Double free vulnerabilities may result in a denial of
                    service or allow an attacker to execute arbitrary code.
                    A vulnerability in the ASN.1 decoder library may
                    allow an attacker to cause an infinite loop
                    resulting in a denial of service.
 
PLATFORMS:          AIX 5.1, AIX 5.2 and AIX 5.3.
 
SOLUTION:           Apply the fixes described below.
 
THREAT:             A remote attacker may execute arbitrary code or cause
                    a denial of service against a KDC or kerberoized
                    daemon or client.
 
CERT VU Number:     VU#795632 (CAN-2004-0642), VU#866472 (CAN-2004-0643)
                    and VU#550464 (CAN-2004-0644)
===========================================================================
                           DETAILED INFORMATION
 
 
I.  Description
===============
The MIT Kerberos team recently reported various vulnerabilities in Kerberos
version 5. AIX includes several kerberoized applications which are affected
by these vulnerabilities. The applications include NFS version 4.0; the
LDAP, KRB5 and KRB5A authentication modules; OpenSSH and the secure
r-commands (rsh, krshd, rlogin, krlogind, ftp, ftpd and telnet, telnetd
when configured to use Kerberos). Kerberos is available for AIX via Network
Authentication Service on the Expansion Pack.
 
VU#795632 (CAN-2004-0642) and VU#866472 (CAN-2004-0643) may allow an
attacker to execute arbitrary code on a KDC, kerberoized daemon or
kerberoized client. VU#550464 (CAN-2004-0644) may be exploited to cause a
KDC, kerberoized daemon or kerberoized client to hang in an infinite loop
resulting in a denial of service. More information about these
vulnerabilities can be found in MIT krb5 security advisories 2004-002 and
2004-003 which are located at http://web.mit.edu/kerberos/advisories/.
 
The following versions of Network Authentication Service are vulnerable:
 
     * Network Authentication Service 1.3.0.1 and earlier
     * Network Authentication Service 1.4.0.0
 
To determine what version of Network Authentication Service is installed,
execute the following commands:
 
# lslpp -L krb5.client.rte
# lslpp -L krb5.server.rte
 
If the filesets are installed they will be listed along with version
information, state, type and a description. The first command prints
information for the client fileset and the second command prints
information for the server fileset. Affected hosts should upgrade all
affected Network Authentication Service filesets that are installed.
 
 
II. Impact
==========
 
A remote attacker may cause a denial of service or execute arbitrary code.
 
III.  Solutions
===============
 
A. Official Fix
IBM provides the following fixes:
 
      AIX 5.1.0: Customers using version 1.3.0.1 and earlier may contact your
                 local IBM AIX support center to request version 1.3.0.2 or
                 version 1.4.0.1.
                 Customers using version 1.4.0.0 may contact your local IBM AIX
                 support center to request version 1.4.0.1.
                 Customers may upgrade to version 1.4.0.1 available on the
                 AIX 5L for POWER V5.1 Expansion Pack
                 (form number LCD4-1079-10). The Expansion Pack will be
                 available on 12/03/04.
      AIX 5.2.0: Customers using version 1.4.0.0 may contact your local
                 IBM AIX support center to request version 1.4.0.1.
                 Customers may upgrade to version 1.4.0.1 available on the
                 AIX 5L for POWER V5.2 Expansion Pack
                 (form number LCD4-1142-06). The Expansion Pack will be
                 available on 12/03/04.
      AIX 5.3.0: Customers using version 1.4.0.0 may contact your local
                 IBM AIX support center to request version 1.4.0.1.
                 Customers may upgrade to version 1.4.0.1 available on the
                 AIX 5L for POWER V5.3 Expansion Pack
                 (form number LCD4-7460-01). The Expansion Pack will be
                 available on 12/03/04.
 
 
IV.  Contact Information
========================
 
If you would like to receive AIX Security Advisories via email, please visit:
     https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
 
Comments regarding the content of this announcement can be directed to:
 
     security-alert@austin.ibm.com
 
To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a
PGP Public Key Server. The key id is 0x3AE561C3.
 
Please contact your local IBM AIX support center for any assistance.
 
eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
 
iD8DBQFBXHsj+0ah+jrlYcMRAmeQAKCj6l2DrmFg9UZFReH869x9HP/ZGgCeLFkL
wMz17Zunf35TbkyfgU1F15Q=
=4aTd
-----END PGP SIGNATURE-----
 
 
IBM, eServer and pSeries are trademarks or registered trademarks of International 
Business Machines Corporation in the United States or other countries, or both.
ALL INFORMATION IS PROVIDED BY IBM ON AN "AS IS" BASIS ONLY. IBM PROVIDES NO 
REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES 
OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY AND NONINFRINGEMENT.
This document may be copied provided all text is included and copies contain IBM's 
copyright notice and any other notices provided herein.
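
The version check in section I of the advisory can be scripted across hosts. The following is an added example, not code from IBM or SecurityTracker: it classifies the krb5.client.rte and krb5.server.rte levels against the vulnerable levels (1.3.0.1 and earlier, 1.4.0.0) and fixed levels (1.3.0.2, 1.4.0.1) stated above. The function names nas_status and scan_lslpp are hypothetical, the sample records are constructed, and the script assumes the colon-separated listing from lslpp -Lc carries the fileset name in field 2 and its level in field 3.

```shell
#!/bin/sh
# Added example: compare installed Network Authentication Service levels
# with the vulnerable and fixed levels named in the IBM advisory.

# nas_status LEVEL -> vulnerable | fixed | not-listed | unknown
nas_status() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 || $0 !~ /^[0-9]+(\.[0-9]+)+$/ { print "unknown"; exit }
        {
            # Pack V.R.M.F into one number (assumes each part is < 1000).
            key = (($1 * 1000 + $2) * 1000 + $3) * 1000 + $4
            if (key <= 1003000001 || key == 1004000000) {
                print "vulnerable"    # 1.3.0.1 and earlier, or 1.4.0.0
            } else if (key == 1003000002 || key == 1004000001) {
                print "fixed"         # levels IBM lists as fixes
            } else {
                print "not-listed"    # advisory is silent; check manually
            }
        }'
}

# scan_lslpp: read colon-separated fileset records on stdin.
# Assumption: field 2 is the fileset name and field 3 its level.
scan_lslpp() {
    while IFS=: read -r pkg fileset level rest; do
        case $fileset in
            krb5.client.rte|krb5.server.rte)
                printf '%s %s %s\n' "$fileset" "$level" "$(nas_status "$level")" ;;
        esac
    done
}

# Constructed sample input (not captured from a real host).
SAMPLE='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
krb5.client:krb5.client.rte:1.4.0.0: : :C: :Constructed client entry
krb5.server:krb5.server.rte:1.4.0.1: : :C: :Constructed server entry'

if command -v lslpp >/dev/null 2>&1; then
    # On AIX: query each fileset as in the advisory, in colon format.
    for fs in krb5.client.rte krb5.server.rte; do
        lslpp -Lc "$fs" 2>/dev/null || true
    done | scan_lslpp
else
    # Elsewhere: run against the constructed sample.
    printf '%s\n' "$SAMPLE" | scan_lslpp
fi
```

A level reported as not-listed is one the advisory does not mention, so it needs a manual check against current IBM guidance rather than being treated as fixed.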
 



Copyright 2004, SecurityGlobal.net LLC