(Fedora Issues Fix for FC1) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1011122 |
|
SecurityTracker URL: http://securitytracker.com/id/1011122
|
|
CVE Reference:
CAN-2004-0642, CAN-2004-0643
(Links to External Site)
|
Date: Sep 1 2004
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 1.3.4-5
|
Description:
Several double-free vulnerabilities were reported in the Kerberos 5 Key Distribution Center (KDC) software. A remote user may be able to execute arbitrary code and compromise the Kerberos domain.
The vendor reported that the ASN.1 decoder functions use inconsistent memory management conventions. Under certain error conditions, the ASN.1 decoders may free memory without nulling the corresponding pointers [CVE: CAN-2004-0642]. As a result, some library functions that receive errors from from the ASN.1 decoders may attempt to free the non-null pointers.
It is also reported that krb5_rd_cred() in versions prior to 1.3.2 frees already-freed buffers returned by the decode_krb5_enc_cred_part() function when an error is returned [CVE: CAN-2004-0643].
It is also reported that a patch introduced in version 1.2.8 to disable krb4 cross-realm authentication in krb524d contains a double-free vulnerability [CVE: CAN-2004-0772].
The vendor credits Will Fiveash and Nico Williams at Sun, Marc Horowitz, Nalin Dahyabhai, Joseph Galbraith, and John Hawkinson with discovering these flaws.
|
Impact:
A remote user may be able to execute arbitrary code on a target KDC system. This will compromise the entire Kerberos realm.
A reomte user may be able to execute arbitrary code on a target system running krb524d.
A remote user acting as a KDC or application server may be able to execute arbitrary code on a target client host while the client is authenticating.
|
Solution:
Fedora has released a fix, available at:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
215744598787e8555852a42346523ff0 SRPMS/krb5-1.3.4-5.src.rpm
0bdb0a2c01e7682ac61009e86eb79c92 x86_64/krb5-devel-1.3.4-5.x86_64.rpm
575fa819175d43d6835867acb616da45 x86_64/krb5-libs-1.3.4-5.x86_64.rpm
2417f376a3f96de6514432efd70ba550 x86_64/krb5-server-1.3.4-5.x86_64.rpm
f79c01f71dd81127946c5e951ee3fa70 x86_64/krb5-workstation-1.3.4-5.x86_64.rpm
43fd30f8236c8a05edc726d7a9a318c9 x86_64/debug/krb5-debuginfo-1.3.4-5.x86_6=
4.rpm
90924e3b1aa64f7e0780613e49d97a77 x86_64/krb5-libs-1.3.4-5.i386.rpm
201f89557be28e3cbcf6c7e2d23187d0 i386/krb5-devel-1.3.4-5.i386.rpm
90924e3b1aa64f7e0780613e49d97a77 i386/krb5-libs-1.3.4-5.i386.rpm
0ea73ac3eeb55350d9ae5b2bcdf33059 i386/krb5-server-1.3.4-5.i386.rpm
69ecbbe96b6b900c0a8b5f5d76fffbab i386/krb5-workstation-1.3.4-5.i386.rpm
dfb27688cf0416cb9c051e9df0bbe5ab i386/debug/krb5-debuginfo-1.3.4-5.i386.rpm
The krb524 server vulnerability [CVE: CAN-2004-0772] does not affect Fedora Core.
|
Vendor URL: web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt (Links to External Site)
|
Cause:
State error
|
Underlying OS:
Linux (Red Hat Fedora)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 31 Aug 2004 14:24:47 -0400
Subject: [SECURITY] Fedora Core 1 Update: krb5-1.3.4-5
|
--===============0961163792==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="mYCpIKhGyMATD0i+"
Content-Disposition: inline
--mYCpIKhGyMATD0i+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-276
2004-08-31
---------------------------------------------------------------------
Product : Fedora Core 1
Name : krb5
Version : 1.3.4 =20
Release : 5 =20
Summary : The Kerberos network authentication system.
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.
---------------------------------------------------------------------
Update Information:
Kerberos is a networked authentication system which uses a trusted
third party (a KDC) to authenticate clients and servers to each
other.
Several double-free bugs were found in the Kerberos 5 KDC and
libraries. A remote attacker could potentially exploit these flaws to
execute arbitrary code. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the names CAN-2004-0642 and
CAN-2004-0643 to these issues.
A double-free bug was also found in the krb524 server
(CAN-2004-0772), however this issue does not affect Fedora Core.
An infinite loop bug was found in the Kerberos 5 ASN.1 decoder
library. A remote attacker may be able to trigger this flaw and cause
a denial of service. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0644 to this issue.
---------------------------------------------------------------------
* Tue Aug 24 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.4-5
- incorporate revised fixes from Tom Yu for CAN-2004-0642, CAN-2004-0644,
CAN-2004-0772
* Mon Aug 23 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.4-4
- rebuild
* Mon Aug 23 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.4-3
- incorporate fixes from Tom Yu for CAN-2004-0642, CAN-2004-0772
(MITKRB5-SA-2004-002, #130732)
- incorporate fixes from Tom Yu for CAN-2004-0644 (MITKRB5-SA-2004-003, #13=
0732)
* Tue Jul 27 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.4-2
- fix indexing error in server sorting patch (#127336)
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Mon Jun 14 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.4-0.1
- update to 1.3.4 final
* Mon Jun 07 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.4-0
- update to 1.3.4 beta1
- remove MITKRB5-SA-2004-001, included in 1.3.4
* Mon Jun 07 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.3-8
- rebuild
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
215744598787e8555852a42346523ff0 SRPMS/krb5-1.3.4-5.src.rpm
0bdb0a2c01e7682ac61009e86eb79c92 x86_64/krb5-devel-1.3.4-5.x86_64.rpm
575fa819175d43d6835867acb616da45 x86_64/krb5-libs-1.3.4-5.x86_64.rpm
2417f376a3f96de6514432efd70ba550 x86_64/krb5-server-1.3.4-5.x86_64.rpm
f79c01f71dd81127946c5e951ee3fa70 x86_64/krb5-workstation-1.3.4-5.x86_64.rpm
43fd30f8236c8a05edc726d7a9a318c9 x86_64/debug/krb5-debuginfo-1.3.4-5.x86_6=
4.rpm
90924e3b1aa64f7e0780613e49d97a77 x86_64/krb5-libs-1.3.4-5.i386.rpm
201f89557be28e3cbcf6c7e2d23187d0 i386/krb5-devel-1.3.4-5.i386.rpm
90924e3b1aa64f7e0780613e49d97a77 i386/krb5-libs-1.3.4-5.i386.rpm
0ea73ac3eeb55350d9ae5b2bcdf33059 i386/krb5-server-1.3.4-5.i386.rpm
69ecbbe96b6b900c0a8b5f5d76fffbab i386/krb5-workstation-1.3.4-5.i386.rpm
dfb27688cf0416cb9c051e9df0bbe5ab i386/debug/krb5-debuginfo-1.3.4-5.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command. =20
---------------------------------------------------------------------
--mYCpIKhGyMATD0i+
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBNMJrN5vOV3hoi/URAnb8AKCULnNn3DmE8sqyYhHsnmbnw8b/2QCg4Yt7
feruXXynPyxb51cOe9kpjgQ=
=/R5W
-----END PGP SIGNATURE-----
--mYCpIKhGyMATD0i+--
--===============0961163792==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list
--===============0961163792==--
|
|
