(IBM Issues Fix for AIX) Kerberos kadmin 'gss_buffer_t' May Be Freed Twice Allowing Remote Authenticated Users to Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1017859 |
|
SecurityTracker URL: http://securitytracker.com/id/1017859
|
|
CVE Reference:
CVE-2007-1216
(Links to External Site)
|
Date: Apr 3 2007
|
Impact:
Execution of arbitrary code via network, Root access via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): krb5-1.4 through krb5-1.6
|
Description:
A vulnerability was reported in Kerberos in the administration daemon. A remote authenticated user can execute arbitrary code on the target system.
The krb5 GSS-API kg_unseal_v1() function may free the gss_buffer_t buffer that an application may later free again (via the gss_release_buffer() function) under certain error conditions. As a result, arbitrary code may be executed. The Kerberos key database can be compromised.
The vulnerability resides in the GSS-API library. As a result, some third-party applications may be affected.
This vulnerability was discovered using the SAP AG GSSTEST test program.
|
Impact:
A remote authenticated user can execute arbitrary code on the target system.
|
Solution:
IBM has issued the following fixes.
For AIX 5.2.0: Install Network Authentication Service version 1.4.0.6 or 1.3.0.6.
For AIX 5.3.0: Install Network Authentication Service version 1.3.0.6 or 1.4.0.6. Version 1.4.0.6 will available on the AIX 5L for POWER V5.3 Expansion Pack in November 2007.
|
Vendor URL: web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (AIX)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 3 Apr 2007 17:14:40 -0400
Subject: IBM AIX
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Tue Apr 3 13:39:48 CDT 2007
===========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: A double free vulnerability may allow an attacker to
execute arbitrary code.
PLATFORMS: Network Authentication Service 1.3 and 1.4
for AIX 5.2 and AIX 5.3.
SOLUTION: Apply the fixes described below.
THREAT: A remote attacker may execute arbitrary code on the
host running kadmind
CERT VU Number: VU#419344
CVE Number: CVE-2007-1216
===========================================================================
DETAILED INFORMATION
I. Description
===============
The MIT Kerberos team recently reported various vulnerabilities in Kerberos
version 5. Kerberos is available for AIX via Network Authentication Service
on the Expansion Pack. Network Authentication Service for AIX is not
affected by MITKRB5-SA-2007-001 (CVE-2007-0956, VU#220816) or
MITKRB5-SA-2007-002 (CVE-2007-0957, VU#704024).
MITKRB5-SA-2007-003 (CVE-2007-1216,VU#419344) may allow an attacker to
execute arbitrary code on the host running kadmind. kamind runs as root so
the attacker could execute arbitrary code with root privileges. More
information about security vulnerabilities in MIT kerberos can be found at
http://web.mit.edu/kerberos/advisories/.
The following versions of Network Authentication Service are vulnerable:
* Network Authentication Service 1.3.0.0 through 1.3.0.5
* Network Authentication Service 1.4.0.0 through 1.4.0.5
To determine which version of Network Authentication Service is installed,
execute the following commands:
# lslpp -L krb5.client.rte
# lslpp -L krb5.server.rte
If the filesets are installed they will be listed along with version
information, state, type and a description. The first command prints
information for the client fileset and the second command prints
information for the server fileset. Affected hosts should upgrade all
affected Network Authentication Service filesets that are installed.
II. Impact
==========
A remote attacker may cause execute arbitrary code on a host running
kadmind.
III. Solutions
===============
A. Fix
IBM provides the following fixes:
AIX 5.2.0: Install Network Authentication Service version 1.4.0.6 or
1.3.0.6. Customers may contact AIX Support to request either
versions.
AIX 5.3.0: Install Network Authentication Service version
1.3.0.6 or 1.4.0.6. Customers may contact AIX Support to request
either versions. Version 1.4.0.6 will also available on the AIX 5L
for POWER V5.3 Expansion Pack available in November 2007. (form
number LCD4-7460-08).
IV. Contact Information
========================
If you would like to receive AIX Security Advisories via email, please visit:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a
PGP Public Key Server. The key id is 0x3AE561C3.
Please contact your local IBM AIX support center for any assistance.
eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGEqcoofN/JhsU8pkRAluTAJ9J0smH2t6XqiWxBleXFl2JyHs8gwCeLIkH
/kSu7212zFcPS3gydTCQTwo=
=6m3V
-----END PGP SIGNATURE-----
|
|
