(Conectiva Issues Fix) Kerberos Buffer Overflows in krb5_aname_to_localname() May Let Remote Users Gain Root Access
|
|
SecurityTracker Alert ID: 1012719 |
|
SecurityTracker URL: http://securitytracker.com/id/1012719
|
|
CVE Reference:
CAN-2004-0523
(Links to External Site)
|
Date: Dec 29 2004
|
Impact:
Execution of arbitrary code via network, Root access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 5-1.3.3 and prior versions
|
Description:
Some buffer overflow vulnerabilities were reported in Kerberos 5 in the krb5_aname_to_localname() function. A remote user may be able to gain root access on the target system.
MIT reported that there are several overflows in the krb5_aname_to_localname() library function. According to the report, an "unusual combination" of factors are required to successfully exploit the flaw, including authenticating to a vulnerable service using a principal name explicitly listed in the mapping list.
The report also indicates that default configurations of the target service are not affected. Only those configurations that enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() are reported to be vulnerable.
If the rules-based mapping functionality is enabled, the remote user must first create an arbitrary principal name in the local Kerberos realm or in a remote realm that is accessible via cross-realm authentication.
It is reported that various remote login services (e.g., ftp, rsh, rlogin, telnet) are affected, as well as ksu. Other services that use the krb5 library may be affected if they use the vulnerable function, the report said.
|
Impact:
In certain cases, a remote user may be able to execute arbitrary code with root privileges.
|
Solution:
Conectiva has released a fix.
ftp://atualizacoes.conectiva.com.br/10/SRPMS/krb5-1.3.3-62470U10_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-server-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-apps-servers-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-devel-static-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-client-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-doc-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-devel-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-apps-clients-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/krb5-1.2.7-28721U90_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-devel-static-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-devel-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-client-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-doc-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-apps-clients-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-apps-servers-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-server-1.2.7-28721U90_3cl.i386.rpm
|
Vendor URL: web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Conectiva)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 9 Sep 2004 20:54:06 -0300
Subject: [Conectiva-updates] [CLA-2004:860] Conectiva Security Announcement
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : krb5
SUMMARY : Multiple vulnerabilities in Kerberos 5
DATE : 2004-09-09 20:53:00
ID : CLA-2004:860
RELEVANT
RELEASES : 9, 10
- -------------------------------------------------------------------------
DESCRIPTION
The "krb5" packages are MIT's[1] implementation of the Kerberos 5
authentication protocol.
This announcement fixes several vulnerabilities listed in the
advisories MITKRB5-SA-2004-001[2], MITKRB5-SA-2004-002[3] and
MITKRB5-SA-2004-003[4]:
1. Buffer overflows in krb5_aname_to_localname() (CAN-2004-0523[5])
The krb5_aname_to_localname() library function contains multiple
buffer overflows vulnerabilities[5] which could be exploited to gain
unauthorized root access. Exploitation of these flaws requires an
unusual combination of factors, including successful authentication
to a vulnerable service and a non-default configuration on the target
service. This announcement updates the correction used to the patch
provided by Bill Dodd.
2. Several double-free vulnerabilities in KDC and libraries
(CAN-2004-0642[6], CAN-2004-0643[7], CAN-2004-0772[8])
The MIT Kerberos 5 implementation's Key Distribution Center (KDC)
program contains a double-free vulnerability that potentially allows
a remote attacker to execute arbitrary code. Additionally,
double-free vulnerabilities exist in MIT Kerberos 5 library code,
making client programs and application servers vulnerable. The
vulnerability in krb524d was discovered by Marc Horowitz; the other
double-free vulnerabilities were discovered by Will Fiveash and Nico
Williams
at Sun.
3. ASN.1 decoder denial of service (CAN-2004-0644[9])
Will Fiveash and Nico Williams also found a denial-of-service
vulnerability[9] in the ASN.1 decoder library in the MIT Kerberos 5
distribution which could lead to an infinite loop in the decoder,
allowing an unauthenticated remote attacker to cause a KDC or
application server to hang inside an infinite loop and an attacker
impersonating a legitimate KDC or application server to cause a
client program to hang inside an infinite loop.
SOLUTION
It is recommended that all Kerberos users in Conectiva Linux upgrade
their packages. Please note that the service will be automatically
restarted after the upgrade if it was already running.
Several applications can make use of the Kerberos libraries. Those
applications have to be restarted as well.
REFERENCES
1.http://web.mit.edu/Kerberos/www/index.html
2.http://web.mit.edu/Kerberos/www/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
3.http://web.mit.edu/Kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
4.http://web.mit.edu/Kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt
5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0523
6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
7.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
8.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772
9.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/krb5-1.3.3-62470U10_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-server-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-apps-servers-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-devel-static-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-client-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-doc-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-devel-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/krb5-apps-clients-1.3.3-62470U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/krb5-1.2.7-28721U90_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-devel-static-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-devel-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-client-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-doc-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-apps-clients-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-apps-servers-1.2.7-28721U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/krb5-server-1.2.7-28721U90_3cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFBQO0d42jd0JmAcZARAhQWAJ9XTIOwgf+6dapxACFPabt64qBWdACdHjsx
KFGcVXgw29vt/C5QdBBRh/o=
=RNsz
-----END PGP SIGNATURE-----
______________________________________________________________________
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
|
|
