SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Security)  >   Kerberos Vendors:   MIT
(Trustix Issues Fix) Kerberos Buffer Overflows in krb5_aname_to_localname() May Let Remote Users Gain Root Access
SecurityTracker Alert ID:  1010366
SecurityTracker URL:  http://securitytracker.com/id/1010366
CVE Reference:   CAN-2004-0523   (Links to External Site)
Updated:  Jun 4 2004
Original Entry Date:  Jun 2 2004
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5-1.3.3 and prior versions
Description:   Some buffer overflow vulnerabilities were reported in Kerberos 5 in the krb5_aname_to_localname() function. A remote user may be able to gain root access on the target system.

MIT reported that there are several overflows in the krb5_aname_to_localname() library function. According to the report, an "unusual combination" of factors are required to successfully exploit the flaw, including authenticating to a vulnerable service using a principal name explicitly listed in the mapping list.

The report also indicates that default configurations of the target service are not affected. Only those configurations that enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() are reported to be vulnerable.

If the rules-based mapping functionality is enabled, the remote user must first create an arbitrary principal name in the local Kerberos realm or in a remote realm that is accessible via cross-realm authentication.

It is reported that various remote login services (e.g., ftp, rsh, rlogin, telnet) are affected, as well as ksu. Other services that use the krb5 library may be affected if they use the vulnerable function, the report said.
Impact:   In certain cases, a remote user may be able to execute arbitrary code with root privileges.
Solution:   Trustix has released a fix, available at:

http://http.trustix.org/pub/trustix/updates/
ftp://ftp.trustix.org/pub/trustix/updates/

The MD5sums of the packages are:

fb2a416813354ef72793e307109384fc tsel-2/kerberos5-1.3.3-1tr.i586.rpm
3f891b8401083dbd82c1e29214a62093 tsel-2/kerberos5-devel-1.3.3-1tr.i586.rpm
497a9d37c85dc96d54adf6a72aa98d59 tsel-2/kerberos5-libs-1.3.3-1tr.i586.rpm

d4ad236619b37fbca2f87df1db67f914 2.1/rpms/kerberos5-1.3.3-1tr.i586.rpm
c862afd9f44da7f5c422ba57a09d63d0 2.1/rpms/kerberos5-devel-1.3.3-1tr.i586.rpm
23d5c42a1e4bb14a4737af80909f8915 2.1/rpms/kerberos5-libs-1.3.3-1tr.i586.rpm
Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Trustix)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 1 2004 Kerberos Buffer Overflows in krb5_aname_to_localname() May Let Remote Users Gain Root Access


 Source Message Contents
Date:  Wed, 2 Jun 2004 14:02:45 +0200
Subject:  TSLSA-2004-0032 - kerberos


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0032

Package name:      kerberos5
Summary:           buffer overflows in krb5_aname_to_localname
Date:              2004-06-02
Affected versions: Trustix Secure Linux 2.1
                   Trustix Secure Enterprise Linux 2

- --------------------------------------------------------------------------
Package description:
  (MIT) Kerberos is a network authentication protocol. It is designed to
  provide strong authentication for client/server applications by using
  secret-key cryptography. A free implementation of this protocol is
  available from the Massachusetts Institute of Technology. Kerberos is
  available in many commercial products as well.

Problem description:
  The krb5_aname_to_localname() library function contains multiple
  buffer overflows which could be exploited to gain unauthorized root
  access.  Exploitation of these flaws requires an unusual combination
  of factors, including successful authentication to a vulnerable
  service and a non-default configuration on the target service.  (See
  MITIGATING FACTORS below.)  No exploits are known to exist yet.


Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Public testing:
  Most updates for Trustix Secure Linux are made available for public
  testing some time before release.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailinglist.
  The testing tree is located at
  <URI:http://tsldev.trustix.org/horizon/>

  You may also use swup for public testing of updates:
  
  site {
      class = 0
      location = "http://tsldev.trustix.org/horizon/rdfs/latest.rdf"
      regexp = ".*"
  }
  

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.1/>
  or directly at
  <URI:http://www.trustix.org/errata/2004/0032>


MD5sums of the packages:
- --------------------------------------------------------------------------
fb2a416813354ef72793e307109384fc  tsel-2/kerberos5-1.3.3-1tr.i586.rpm
3f891b8401083dbd82c1e29214a62093  tsel-2/kerberos5-devel-1.3.3-1tr.i586.rpm
497a9d37c85dc96d54adf6a72aa98d59  tsel-2/kerberos5-libs-1.3.3-1tr.i586.rpm

d4ad236619b37fbca2f87df1db67f914  2.1/rpms/kerberos5-1.3.3-1tr.i586.rpm
c862afd9f44da7f5c422ba57a09d63d0  2.1/rpms/kerberos5-devel-1.3.3-1tr.i586.rpm
23d5c42a1e4bb14a4737af80909f8915  2.1/rpms/kerberos5-libs-1.3.3-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFAvcHPi8CEzsK9IksRAmEsAJ9HokI3rEV2gVT7AF+iHZlYe3k1DACeJKM5
tD9SX3VGJjgqWWxVstDyxGw=
=psJB
-----END PGP SIGNATURE-----
_______________________________________________
tsl-announce mailing list
tsl-announce@lists.trustix.org
http://lists.trustix.org/mailman/listinfo/tsl-announce


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC