SecurityTracker.com
Category:  Application (Security)  >  Kerberos
Vendors:  MIT
(Fedora Issues Fix for FC1) Kerberos Buffer Overflows in krb5_aname_to_localname() May Let Remote Users Gain Root Access
SecurityTracker Alert ID:  1010456
SecurityTracker URL:  http://securitytracker.com/id/1010456
CVE Reference:  CAN-2004-0523
Date:  Jun 10 2004
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5-1.3.3 and prior versions
Description:   Some buffer overflow vulnerabilities were reported in Kerberos 5 in the krb5_aname_to_localname() function. A remote user may be able to gain root access on the target system.

MIT reported that there are several overflows in the krb5_aname_to_localname() library function. According to the report, an "unusual combination" of factors is required to successfully exploit the flaw, including authenticating to a vulnerable service using a principal name explicitly listed in the mapping list.

The report also indicates that default configurations of the target service are not affected. Only those configurations that enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() are reported to be vulnerable.

If the rules-based mapping functionality is enabled, the remote user must first create an arbitrary principal name in the local Kerberos realm or in a remote realm that is accessible via cross-realm authentication.

It is reported that various remote login services (e.g., ftp, rsh, rlogin, telnet) are affected, as well as ksu. Other services that use the krb5 library may be affected if they use the vulnerable function, the report said.
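As an added illustration (not part of the SecurityTracker entry or the Fedora notice), the check below reads a krb5.conf and reports which realms enable the two non-default mapping paths the advisory describes: explicit principal-to-user mappings and rules-based mapping. The setting names `auth_to_local_names` and `auth_to_local = RULE:...` are the MIT krb5.conf [realms] keys for those features and are not quoted on this page; the two configurations are constructed samples.

```python
"""Flag krb5.conf realms that enable explicit or rules-based aname-to-localname
mapping (the non-default paths named in MITKRB5-SA-2004-001)."""
import re

# Constructed sample: a realm that relies only on the default mapping.
DEFAULT_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
"""

# Constructed sample: a realm with both a RULE and an explicit name table.
MAPPED_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE\\.COM)s/@.*//
        auth_to_local = DEFAULT
        auth_to_local_names = {
            alice/admin = root
        }
    }
"""

def realm_blocks(conf):
    """Yield (realm, body_lines) for each stanza in the [realms] section,
    tracking brace depth so nested blocks stay with their realm."""
    section, realm, depth, body = None, None, 0, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if realm is None and line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if section != 'realms':
            continue
        if realm is None:
            m = re.match(r'^(\S+)\s*=\s*\{$', line)
            if m:
                realm, depth, body = m.group(1), 1, []
            continue
        depth += line.count('{') - line.count('}')
        if depth == 0:
            yield realm, body          # closing brace of the realm stanza
            realm = None
        else:
            body.append(line)

def mapping_exposure(conf):
    """Map each realm to the mapping kinds it enables ('explicit', 'rules').
    An empty set means only the default mapping is in use."""
    findings = {}
    for realm, body in realm_blocks(conf):
        kinds = set()
        for line in body:
            key, _, value = (p.strip() for p in line.partition('='))
            if key == 'auth_to_local_names':
                kinds.add('explicit')
            elif key == 'auth_to_local' and value.upper().startswith('RULE:'):
                kinds.add('rules')
        findings[realm] = kinds
    return findings
```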

Impact:   In certain cases, a remote user may be able to execute arbitrary code with root privileges.
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/


Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
Cause:   Boundary error
Underlying OS:   Linux (Red Hat Fedora)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 1 2004 Kerberos Buffer Overflows in krb5_aname_to_localname() May Let Remote Users Gain Root Access



Source Message Contents

Date:  Fri, 4 Jun 2004 15:07:41 -0400
Subject:  [SECURITY] Fedora Core 1 Update: krb5-1.3.3-6




---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-149
2004-06-04
---------------------------------------------------------------------

Product     : Fedora Core 1
Name        : krb5
Version     : 1.3.3
Release     : 6
Summary     : The Kerberos network authentication system.
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.

---------------------------------------------------------------------
Update Information:

Bugs have been fixed in the krb5_aname_to_localname library function.
Specifically, buffer overflows were possible for all Kerberos
versions up to and including 1.3.3. The krb5_aname_to_localname
function translates a Kerberos principal name to a local account
name, typically a UNIX username.  This function is frequently used
when performing authorization checks.

If configured with mappings from particular Kerberos principals to
particular UNIX user names, certain functions called by
krb5_aname_to_localname will not properly check the lengths of
buffers used to store portions of the principal name. If configured
to map principals to user names using rules, krb5_aname_to_localname
would consistently write one byte past the end of a buffer allocated
from the heap. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0523 to this issue.

Only configurations which enable the explicit mapping or rules-based
mapping functionality of krb5_aname_to_localname() are vulnerable.
These configurations are not the default.

---------------------------------------------------------------------
* Fri Jun 04 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.3-6

- apply updated patch from MITKRB5-SA-2004-001 (revision 2004-06-02)

* Tue Jun 01 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.3-5

- rebuild

* Tue Jun 01 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.3-4

- apply patch from MITKRB5-SA-2004-001 (#125001)

* Wed May 12 2004 Thomas Woerner <twoerner@redhat.com> 1.3.3-3

- removed rpath

* Thu Apr 15 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.3-2

- re-enable large file support, fell out in 1.3-1
- patch rcp to use long long and %lld format specifiers when reporting file
  sizes on large files

* Tue Apr 13 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.3-1

- update to 1.3.3

* Wed Mar 10 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.2-1

- update to 1.3.2

* Mon Mar 08 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-12

- rebuild

* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com> 1.3.1-11.1

- rebuilt

* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com> 1.3.1-11

- rebuilt

* Mon Feb 09 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-10

- catch krb4 send_to_kdc cases in kdc preference patch

* Mon Feb 02 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-9

- remove patch to set TERM in klogind which, combined with the upstream fix in
  1.3.1, actually produces the bug now (#114762)

* Mon Jan 19 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-8

- when iterating over lists of interfaces which are "up" from getifaddrs(),
  skip over those which have no address (#113347)

* Mon Jan 12 2004 Nalin Dahyabhai <nalin@redhat.com>

- prefer the kdc which last replied to a request when sending requests to kdcs

* Mon Nov 24 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-7

- fix combination of --with-netlib and --enable-dns (#82176)

* Tue Nov 18 2003 Nalin Dahyabhai <nalin@redhat.com>

- remove libdefault ticket_lifetime option from the default krb5.conf, it is
  ignored by libkrb5


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list

Copyright 2012, SecurityGlobal.net LLC