(Red Hat Issues Fix for the Vulnerability in the Original Patch) Kerberos kadmind Stack Overflow and Uninitialized Pointer Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1018664 |
|
SecurityTracker URL: http://securitytracker.com/id/1018664
|
|
CVE Reference:
CVE-2007-4743
(Links to External Site)
|
Date: Sep 7 2007
|
Impact:
Execution of arbitrary code via network, Root access via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): krb5-1.4 through krb5-1.6.2
|
Description:
Two vulnerabilities were reported in Kerberos. A remote user can execute arbitrary code on the target system.
A remote user can send specially crafted data to trigger a stack overflow in the krb5 Kerberos administration daemon (kadmind) in RPCSEC_GSS authentication RPC library [CVE-2007-3999]. Arbitrary code can be executed on the target system, typically with root privileges.
Third-party applications that use the RPC library may be affected.
Tenable Network Security reported this vulnerability via TippingPoint.
A remote authenticated user with 'modify policy' privileges can exploit an uninitialized pointer in kadmind to write arbitrary data to memory [CVE-2007-4000]. Arbitrary code can be executed on the target system, typically with root privileges.
Garrett Wollman of MIT CSAIL reported this vulnerability.
|
Impact:
A remote user can execute arbitrary code on the target system with root privileges.
|
Solution:
On September 5, 2007, MIT reported that the original patch for svc_auth_gss.c [CVE-2007-3999] itself contained a buffer overflow. This new vulnerability was assigned CVE number CVE-2007-4743. The MIT advisory has been updated to include a corrected patch. MIT credits Kevin Coffman (UMich), Will Fiveash (Sun), and Nico Williams (Sun) with discovering the flaw in the original patch.
Red Hat has released a fix for the vulnerability in the original patch.
The Red Hat advisory is available at:
https://rhn.redhat.com/errata/RHSA-2007-0892.html
|
Vendor URL: web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Red Hat Enterprise)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Fri, 7 Sep 2007 08:34:14 -0400
Subject: [RHSA-2007:0892-01] Important: krb5 security update
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Important: krb5 security update
Advisory ID: RHSA-2007:0892-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0892.html
Issue date: 2007-09-07
Updated on: 2007-09-07
Product: Red Hat Enterprise Linux
CVE Names: CVE-2007-4743
- ---------------------------------------------------------------------
1. Summary:
Updated krb5 packages that correct a security flaw are now available for
Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red
Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
3. Problem description:
Kerberos is a network authentication system which allows clients and
servers to authenticate to each other through use of symmetric encryption
and a trusted third party, the KDC. kadmind is the KADM5 administration
server.
The MIT Kerberos Team discovered a problem with the originally published
patch for svc_auth_gss.c (CVE-2007-3999). A remote unauthenticated
attacker who can access kadmind could trigger this flaw and cause kadmind
to crash. On Red Hat Enterprise Linux 5 it is not possible to exploit this
flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE.
(CVE-2007-4743)
This issue did not affect the versions of Kerberos distributed with Red
Hat Enterprise Linux 2.1, 3, or 4.
Users of krb5-server are advised to update to these erratum packages which
contain a corrected backported fix for this issue.
4. Solution:
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
5. Bug IDs fixed (http://bugzilla.redhat.com/):
281561 - CVE-2007-4743 krb5 incomplete fix for CVE-2007-3999
6. RPMs required:
Red Hat Enterprise Linux Desktop (v. 5 client):
SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/krb5-1.5-29.src.rpm
825ddbdc5d0d34099fc4ad64d36f4319 krb5-1.5-29.src.rpm
i386:
49c6bed26fe92556ea56746ef315eb4a krb5-debuginfo-1.5-29.i386.rpm
00fd7d19bdfb7206bc203e7320250761 krb5-libs-1.5-29.i386.rpm
3ef36114368f3cbd86e062c07271948c krb5-workstation-1.5-29.i386.rpm
x86_64:
49c6bed26fe92556ea56746ef315eb4a krb5-debuginfo-1.5-29.i386.rpm
1faafca4b40f16e908c61dcdc3d790ab krb5-debuginfo-1.5-29.x86_64.rpm
00fd7d19bdfb7206bc203e7320250761 krb5-libs-1.5-29.i386.rpm
c164118f540ee1bac62d882fe9dec19f krb5-libs-1.5-29.x86_64.rpm
de907c36f79439aaa445ae73c5582fce krb5-workstation-1.5-29.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/krb5-1.5-29.src.rpm
825ddbdc5d0d34099fc4ad64d36f4319 krb5-1.5-29.src.rpm
i386:
49c6bed26fe92556ea56746ef315eb4a krb5-debuginfo-1.5-29.i386.rpm
bf248e6abade39c2ecaa8243566b6cc7 krb5-devel-1.5-29.i386.rpm
d5218610f15e702055e6cb3bc34397dc krb5-server-1.5-29.i386.rpm
x86_64:
49c6bed26fe92556ea56746ef315eb4a krb5-debuginfo-1.5-29.i386.rpm
1faafca4b40f16e908c61dcdc3d790ab krb5-debuginfo-1.5-29.x86_64.rpm
bf248e6abade39c2ecaa8243566b6cc7 krb5-devel-1.5-29.i386.rpm
891392dc7551dc50ea8dc2b5f2bca601 krb5-devel-1.5-29.x86_64.rpm
e4fff97ed9a00cb8771a58292bb48f06 krb5-server-1.5-29.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/krb5-1.5-29.src.rpm
825ddbdc5d0d34099fc4ad64d36f4319 krb5-1.5-29.src.rpm
i386:
49c6bed26fe92556ea56746ef315eb4a krb5-debuginfo-1.5-29.i386.rpm
bf248e6abade39c2ecaa8243566b6cc7 krb5-devel-1.5-29.i386.rpm
00fd7d19bdfb7206bc203e7320250761 krb5-libs-1.5-29.i386.rpm
d5218610f15e702055e6cb3bc34397dc krb5-server-1.5-29.i386.rpm
3ef36114368f3cbd86e062c07271948c krb5-workstation-1.5-29.i386.rpm
ia64:
49c6bed26fe92556ea56746ef315eb4a krb5-debuginfo-1.5-29.i386.rpm
9d9511b38b21062bf111b31b107ec5e1 krb5-debuginfo-1.5-29.ia64.rpm
30bf7d79eddef0731ba4e24cf5b8c741 krb5-devel-1.5-29.ia64.rpm
00fd7d19bdfb7206bc203e7320250761 krb5-libs-1.5-29.i386.rpm
af876b898ae7ac055ec340fa7356a9e0 krb5-libs-1.5-29.ia64.rpm
a725ad3b4aa57a14759bb0970433180e krb5-server-1.5-29.ia64.rpm
887a69b951556747567a5dc626a13ecf krb5-workstation-1.5-29.ia64.rpm
ppc:
34840ec80856925d05d1709c6b7a9057 krb5-debuginfo-1.5-29.ppc.rpm
aae4c19acb133fa168a3b6fe109ae65b krb5-debuginfo-1.5-29.ppc64.rpm
4165e2b7aa9153668a199781ecba6d19 krb5-devel-1.5-29.ppc.rpm
cfca3e64c19bae40f0ecab452649ec31 krb5-devel-1.5-29.ppc64.rpm
f366aa3cec08f584c88767cfa6612206 krb5-libs-1.5-29.ppc.rpm
851aef665207ae0ad32ef7b0532aad7d krb5-libs-1.5-29.ppc64.rpm
27f30dfe5a9759a9a4358c3b04f038f5 krb5-server-1.5-29.ppc.rpm
da64453a2cd7040eb79a967a1f633b47 krb5-workstation-1.5-29.ppc.rpm
s390x:
c3c6509037d412fba7591f5c58981964 krb5-debuginfo-1.5-29.s390.rpm
59efad893592df25629631142465b895 krb5-debuginfo-1.5-29.s390x.rpm
ef30b93ebdb3be79c2967195fc05857a krb5-devel-1.5-29.s390.rpm
6cbf3138061196eae451d90333f5dc1b krb5-devel-1.5-29.s390x.rpm
f0c64ed436eb6af72084e148eaf07a1c krb5-libs-1.5-29.s390.rpm
5218436ecb5a97de43f96585e76d3776 krb5-libs-1.5-29.s390x.rpm
d53dfdf1222dc096a228a73a49e3a361 krb5-server-1.5-29.s390x.rpm
14e97979433df3744f68e4f0058f482a krb5-workstation-1.5-29.s390x.rpm
x86_64:
49c6bed26fe92556ea56746ef315eb4a krb5-debuginfo-1.5-29.i386.rpm
1faafca4b40f16e908c61dcdc3d790ab krb5-debuginfo-1.5-29.x86_64.rpm
bf248e6abade39c2ecaa8243566b6cc7 krb5-devel-1.5-29.i386.rpm
891392dc7551dc50ea8dc2b5f2bca601 krb5-devel-1.5-29.x86_64.rpm
00fd7d19bdfb7206bc203e7320250761 krb5-libs-1.5-29.i386.rpm
c164118f540ee1bac62d882fe9dec19f krb5-libs-1.5-29.x86_64.rpm
e4fff97ed9a00cb8771a58292bb48f06 krb5-server-1.5-29.x86_64.rpm
de907c36f79439aaa445ae73c5582fce krb5-workstation-1.5-29.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4743
http://www.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFG4UU6XlSAg2UNWIIRAhO5AKC7gHkdSG9rUATXMsypIS3efUMYrwCfWc19
azayK7ZGnL2IH4aBxeXFmHI=
=HtRq
-----END PGP SIGNATURE-----
--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
|
|
