(IBM Issues Fix for AIX) Kerberos 5 ASN.1 Decoder Infinite Loop Lets Remote Users Deny Service
SecurityTracker Alert ID: 1011477
SecurityTracker URL: http://securitytracker.com/id/1011477
CVE Reference: CAN-2004-0644
Date: Oct 1 2004
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.2.2 through 1.3.4
Description:
A denial of service vulnerability was reported in Kerberos 5 in the ASN.1 decoder library. A remote user can cause a Key Distribution Center (KDC) or an application server to enter an infinite loop.
The vendor reported that when an ASN.1 SEQUENCE type is encoded with an indefinite length, the asn1buf_sync() function attempts to skip any trailing unrecognized fields by calling asn1buf_skiptail(). The asn1buf_skiptail() function does not properly handle certain error conditions and may enter an infinite loop.
The vendor credits Will Fiveash and Nico Williams at Sun with discovering this vulnerability.
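The failure mode described above is a decoder that has to skip over the trailing content of a BER SEQUENCE encoded in indefinite-length form. The following added C example (not krb5 or IBM code; function and sample names are the example's own) shows a skip routine written so that a truncated or malformed indefinite-length element is reported as a decode error and the loop is bounded by the buffer length, rather than spinning:

```c
/* Added example, not krb5 or IBM code: a BER element skipper that treats a
 * truncated or malformed indefinite-length SEQUENCE as an error instead of
 * looping. Names are ours; single-octet tags only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Returns the number of bytes occupied by the element starting at buf[0], or 0
 * on error (truncated input, over-long length, missing end-of-contents). */
static size_t ber_skip_element(const uint8_t *buf, size_t len, int depth)
{
    if (depth > 16 || len < 2) return 0;         /* bound nesting; need tag + length */
    size_t pos = 2;                              /* buf[0] = tag, buf[1] = length */
    uint8_t l = buf[1];
    if (l == 0x80) {                             /* indefinite: children until 00 00 */
        /* Each pass either returns or advances pos by >= 2, so the loop is bounded
         * by len, and an error in a child ends it at once instead of retrying. */
        for (;;) {
            if (pos + 2 > len) return 0;         /* no room for EOC octets: truncated */
            if (buf[pos] == 0x00 && buf[pos + 1] == 0x00) return pos + 2;
            size_t n = ber_skip_element(buf + pos, len - pos, depth + 1);
            if (n == 0) return 0;
            pos += n;
        }
    }
    size_t body = l;                             /* short definite form */
    if (l & 0x80) {                              /* long definite form */
        unsigned nbytes = l & 0x7f;
        if (nbytes > sizeof(size_t) || pos + nbytes > len) return 0;
        body = 0;
        for (unsigned i = 0; i < nbytes; i++) body = (body << 8) | buf[pos++];
    }
    if (body > len - pos) return 0;              /* content runs past the buffer */
    return pos + body;
}
/* Constructed samples: SEQUENCE { INTEGER 5, OCTET STRING "hi" } in indefinite
 * form, the same cut off before its EOC, a definite form, and a bad length. */
static const uint8_t SEQ_INDEF[]  = {0x30,0x80,0x02,0x01,0x05,0x04,0x02,'h','i',0x00,0x00};
static const uint8_t SEQ_TRUNC[]  = {0x30,0x80,0x02,0x01,0x05,0x04,0x02,'h','i'};
static const uint8_t SEQ_DEF[]    = {0x30,0x07,0x02,0x01,0x05,0x04,0x02,'h','i'};
static const uint8_t SEQ_BADLEN[] = {0x30,0x09,0x02,0x01,0x05};
int main(void)
{
    printf("indef=%zu trunc=%zu def=%zu badlen=%zu\n",   /* prints 11 0 9 0 */
           ber_skip_element(SEQ_INDEF, sizeof SEQ_INDEF, 0),
           ber_skip_element(SEQ_TRUNC, sizeof SEQ_TRUNC, 0),
           ber_skip_element(SEQ_DEF, sizeof SEQ_DEF, 0),
           ber_skip_element(SEQ_BADLEN, sizeof SEQ_BADLEN, 0));
    return 0;
}
```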
Impact:
A remote user can cause the KDC or application server to enter an infinite loop.
Solution:
IBM has issued the following fixes:
For AIX 5.1.0: Upgrade to version 1.3.0.2 or version 1.4.0.1.
For AIX 5.2.0: Upgrade to version 1.4.0.1.
For AIX 5.3.0: Upgrade to version 1.4.0.1.
Vendor URL: web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt
Cause:
State error
Underlying OS:
UNIX (AIX)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Fri, 1 Oct 2004 00:36:00 -0400
Subject: [none]
IBM SECURITY ADVISORY
First Issued: Thu Sep 30 14:42:06 CDT 2004
===========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: Double free vulnerabilities may result in a denial of service or allow an attacker to execute arbitrary code. A vulnerability in the ASN.1 decoder library may allow an attacker to cause an infinite loop resulting in a denial of service.
PLATFORMS: AIX 5.1, AIX 5.2 and AIX 5.3.
SOLUTION: Apply the fixes described below.
THREAT: A remote attacker may execute arbitrary code or cause a denial of service against a KDC or a kerberized daemon or client.
CERT VU Number: VU#795632 (CAN-2004-0642), VU#866472 (CAN-2004-0643) and VU#550464 (CAN-2004-0644)
===========================================================================
DETAILED INFORMATION
I. Description
===============
The MIT Kerberos team recently reported various vulnerabilities in Kerberos version 5. AIX includes several kerberized applications which are affected by these vulnerabilities. The applications include NFS version 4.0; the LDAP, KRB5 and KRB5A authentication modules; OpenSSH; and the secure r-commands (rsh, krshd, rlogin, krlogind, ftp, ftpd, telnet and telnetd when configured to use Kerberos). Kerberos is available for AIX via Network Authentication Service on the Expansion Pack.
VU#795632 (CAN-2004-0642) and VU#866472 (CAN-2004-0643) may allow an attacker to execute arbitrary code on a KDC, kerberized daemon or kerberized client. VU#550464 (CAN-2004-0644) may be exploited to cause a KDC, kerberized daemon or kerberized client to hang in an infinite loop, resulting in a denial of service. More information about these vulnerabilities can be found in MIT krb5 security advisories 2004-002 and 2004-003, which are located at http://web.mit.edu/kerberos/advisories/.
The following versions of Network Authentication Service are vulnerable:
* Network Authentication Service 1.3.0.1 and earlier
* Network Authentication Service 1.4.0.0
To determine what version of Network Authentication Service is installed,
execute the following commands:
# lslpp -L krb5.client.rte
# lslpp -L krb5.server.rte
If the filesets are installed, they will be listed along with version information, state, type and a description. The first command prints information for the client fileset and the second command prints information for the server fileset. Affected hosts should upgrade all affected Network Authentication Service filesets that are installed.
II. Impact
==========
A remote attacker may cause a denial of service or execute arbitrary code.
III. Solutions
===============
A. Official Fix
IBM provides the following fixes:
AIX 5.1.0: Customers using version 1.3.0.1 and earlier may contact their local IBM AIX support center to request version 1.3.0.2 or version 1.4.0.1. Customers using version 1.4.0.0 may contact their local IBM AIX support center to request version 1.4.0.1. Customers may upgrade to version 1.4.0.1, available on the AIX 5L for POWER V5.1 Expansion Pack (form number LCD4-1079-10). The Expansion Pack will be available on 12/03/04.
AIX 5.2.0: Customers using version 1.4.0.0 may contact their local IBM AIX support center to request version 1.4.0.1. Customers may upgrade to version 1.4.0.1, available on the AIX 5L for POWER V5.2 Expansion Pack (form number LCD4-1142-06). The Expansion Pack will be available on 12/03/04.
AIX 5.3.0: Customers using version 1.4.0.0 may contact their local IBM AIX support center to request version 1.4.0.1. Customers may upgrade to version 1.4.0.1, available on the AIX 5L for POWER V5.3 Expansion Pack (form number LCD4-7460-01). The Expansion Pack will be available on 12/03/04.
IV. Contact Information
========================
If you would like to receive AIX Security Advisories via email, please visit:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a
PGP Public Key Server. The key id is 0x3AE561C3.
Please contact your local IBM AIX support center for any assistance.
eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
IBM, eServer and pSeries are trademarks or registered trademarks of International
Business Machines Corporation in the United States or other countries, or both.
ALL INFORMATION IS PROVIDED BY IBM ON AN "AS IS" BASIS ONLY. IBM PROVIDES NO
REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES
OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY AND NONINFRINGMENT.
This document may be copied provided all text is included and copies contain IBM's
copyright notice and any other notices provided herein.