(Gentoo Issues Fix) Kerberos Buffer Overflows in krb5_aname_to_localname() May Let Remote Users Gain Root Access
|
|
SecurityTracker Alert ID: 1010612 |
|
SecurityTracker URL: http://securitytracker.com/id/1010612
|
|
CVE Reference:
CAN-2004-0523
(Links to External Site)
|
Date: Jun 30 2004
|
Impact:
Execution of arbitrary code via network, Root access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 5-1.3.3 and prior versions
|
Description:
Some buffer overflow vulnerabilities were reported in Kerberos 5 in the krb5_aname_to_localname() function. A remote user may be able to gain root access on the target system.
MIT reported that there are several overflows in the krb5_aname_to_localname() library function. According to the report, an "unusual combination" of factors are required to successfully exploit the flaw, including authenticating to a vulnerable service using a principal name explicitly listed in the mapping list.
The report also indicates that default configurations of the target service are not affected. Only those configurations that enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() are reported to be vulnerable.
If the rules-based mapping functionality is enabled, the remote user must first create an arbitrary principal name in the local Kerberos realm or in a remote realm that is accessible via cross-realm authentication.
It is reported that various remote login services (e.g., ftp, rsh, rlogin, telnet) are affected, as well as ksu. Other services that use the krb5 library may be affected if they use the vulnerable function, the report said.
|
Impact:
In certain cases, a remote user may be able to execute arbitrary code with root privileges.
|
Solution:
Gentoo has released a fix and indicates that mit-krb5 users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=app-crypt/mit-krb5-1.3.3-r1"
# emerge ">=app-crypt/mit-krb5-1.3.3-r1"
|
Vendor URL: web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Gentoo)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 29 Jun 2004 16:23:42 +0000
Subject: [gentoo-announce] [ GLSA 200406-21 ] mit-krb5: Multiple buffer overflows in krb5_aname_to_localname
|
--FhvelBhrd33NvMcY
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: mit-krb5: Multiple buffer overflows in
krb5_aname_to_localname
Date: June 29, 2004
Bugs: #52744
ID: 200406-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
mit-krb5 contains multiple buffer overflows in the function
krb5_aname_to_localname(). This could potentially lead to a complete
remote system compromise.
Background
==========
mit-krb5 is the free implementation of the Kerberos network
authentication protocol by the Massachusetts Institute of Technology.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-crypt/mit-krb5 <= 1.3.3 >= 1.3.3-r1
Description
===========
The library function krb5_aname_to_localname() contains multiple buffer
overflows. This is only exploitable if explicit mapping or rules-based
mapping is enabled. These are not enabled as default.
With explicit mapping enabled, an attacker must authenticate using a
principal name listed in the explicit mapping list.
With rules-based mapping enabled, an attacker must first be able to
create arbitrary principal names either in the local realm Kerberos
realm or in a remote realm from which the local realm's service are
reachable by cross-realm authentication.
Impact
======
An attacker could use these vulnerabilities to execute arbitrary code
with the permissions of the user running mit-krb5, which could be the
root user.
Workaround
==========
There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.
Resolution
==========
mit-krb5 users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=app-crypt/mit-krb5-1.3.3-r1"
# emerge ">=app-crypt/mit-krb5-1.3.3-r1"
References
==========
[ 1 ] CAN-2004-0523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0523
[ 2 ] MIT krb5 Security Advisory
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200406-21.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
--FhvelBhrd33NvMcY
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA4ZeOJPpRNiftIEYRAnyPAJ9VCgwoZZhZKphiK6nSUVeRLa84mwCgkO63
LKhUnxjxdCVTIzpHKzjD3yE=
=nvPx
-----END PGP SIGNATURE-----
--FhvelBhrd33NvMcY--
|
|
