(HP Issues Fix for OpenVMS) MIT Kerberos Checksum Handling Errors May Let Remote or Remote Authenticated Users Forge/Modify Certain Data
SecurityTracker Alert ID: 1025497
SecurityTracker URL: http://securitytracker.com/id/1025497
CVE Reference:
CVE-2010-1323
Date: May 6 2011
Impact:
Modification of authentication information, Modification of system information
Fix Available: Yes Vendor Confirmed: Yes
Description:
Several vulnerabilities were reported in Kerberos. A remote or remote authenticated user can forge certain signatures and modify checksums.
The software incorrectly accepts an unkeyed checksum with DES session keys for version 2 (RFC 4121) of the GSS-API krb5 mechanism, an unkeyed checksum for PAC signatures, and RFC 3961 key-derivation checksums using RC4 keys when verifying the req-checksum in a KrbFastArmoredReq [CVE-2010-1324].
A remote user can forge GSS tokens if the targeted pre-existing application session uses a DES session key. A remote authenticated user can forge PACs when using a KDC that does not filter client-provided PAC data to obtain elevated privileges. A remote user can swap a client-issued KrbFastReq into a different KDC-REQ if the armor key is RC4 (1/256 chance).
The software incorrectly accepts unkeyed checksums in the SAM-2 preauthentication challenge and incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying KRB-SAFE messages [CVE-2010-1323].
A remote user can modify a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. A remote user can forge KRB-SAFE messages in an application protocol if the targeted pre-existing session uses an RC4 session key.
The software incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH and AD-KDC-ISSUED authorization data [CVE-2010-4020].
A remote authenticated user that controls a legitimate service principal can forge the AD-SIGNEDPATH signature if the TGT key is RC4 (1/256 chance). The remote user can use self-generated "evidence" tickets for S4U2Proxy instead of tickets obtained from the user or with S4U2Self. A remote authenticated user can forge AD-KDC-ISSUED signatures on authdata elements in tickets having an RC4 service key to gain elevated privileges.
The software (version krb5-1.7 only) may issue tickets not requested by a client, based on an attacker-chosen KrbFastArmoredReq [CVE-2010-4021].
A remote authenticated user that controls a legitimate service principal can obtain a valid service ticket to itself containing valid KDC-generated authorization data for a client whose TGS-REQ it has intercepted. The user can then use this ticket for S4U2Proxy to impersonate the targeted client even if the client never authenticated to the subverted service.
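The common thread in the description above is a verifier that honours whichever checksum type the peer named in the message, so an unkeyed type (or a keyed type that does not belong to the key in use) is accepted as if it proved possession of the session key. The following Python example is added here to illustrate that verification policy; it is not MIT krb5 code and is not part of this advisory. The checksum functions are simplified stand-ins (a plain HMAC over the session key with no per-usage key derivation), and the type table, key values and message are constructed for the example.

```python
"""Illustrative Kerberos-style checksum policy check (not MIT krb5 code).

A checksum type is either keyed (a MAC bound to a session key) or
unkeyed (a hash or CRC anyone can recompute).  A verifier that computes
whatever type the sender named, and compares, lets a party without the
key pick an unkeyed type and still pass.  The hardened verifier only
accepts a keyed type that is valid for the key's encryption type.
"""
import hashlib
import hmac
import zlib

# Constructed table.  Type numbers follow the Kerberos checksum registry
# (CRC32=1, RSA-MD5=7, HMAC-SHA1-96-AES128=15, HMAC-MD5-ARCFOUR=-138);
# the per-type rules are simplified for illustration.
CHECKSUM_TYPES = {
    1: {"name": "CRC32", "keyed": False, "enctypes": frozenset()},
    7: {"name": "RSA-MD5", "keyed": False, "enctypes": frozenset()},
    15: {"name": "HMAC-SHA1-96-AES128", "keyed": True,
         "enctypes": frozenset({"aes128-cts-hmac-sha1-96"})},
    -138: {"name": "HMAC-MD5-ARCFOUR", "keyed": True,
           "enctypes": frozenset({"rc4-hmac"})},
}


def compute_checksum(cksumtype, key, data):
    """Stand-in checksum functions.  The keyed ones HMAC directly with the
    session key; real Kerberos derives a per-usage key first."""
    if cksumtype == 1:
        return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")
    if cksumtype == 7:
        return hashlib.md5(data).digest()
    if cksumtype == 15:
        return hmac.new(key, data, hashlib.sha1).digest()[:12]  # 96-bit truncation
    if cksumtype == -138:
        return hmac.new(key, data, hashlib.md5).digest()
    raise ValueError("unknown checksum type %d" % cksumtype)


def verify_lenient(cksumtype, key, data, cksum):
    """The flawed pattern: trust the checksum type named in the message."""
    return hmac.compare_digest(compute_checksum(cksumtype, key, data), cksum)


def verify_strict(cksumtype, key_enctype, key, data, cksum):
    """Hardened pattern: a message that must be integrity-protected is only
    accepted with a keyed checksum type that belongs to this key's enctype."""
    info = CHECKSUM_TYPES.get(cksumtype)
    if info is None or not info["keyed"]:
        return False  # unknown or unkeyed: the value proves nothing about the key
    if key_enctype not in info["enctypes"]:
        return False  # keyed, but not the checksum family bound to this key
    return hmac.compare_digest(compute_checksum(cksumtype, key, data), cksum)


# Constructed keys and message; nothing here comes from a real session.
SESSION_KEY = b"\x11" * 16
RC4_KEY = b"\x22" * 16
MESSAGE = b"constructed KRB-SAFE user-data"


def honest_exchange():
    """Sender holding the AES session key emits the matching keyed type.
    Returns (lenient_result, strict_result)."""
    cksum = compute_checksum(15, SESSION_KEY, MESSAGE)
    return (verify_lenient(15, SESSION_KEY, MESSAGE, cksum),
            verify_strict(15, "aes128-cts-hmac-sha1-96", SESSION_KEY, MESSAGE, cksum))


def keyless_sender():
    """Sender without the key names an unkeyed type.  The lenient verifier
    accepts; the strict one rejects before even computing anything."""
    cksum = compute_checksum(1, b"", MESSAGE)
    return (verify_lenient(1, SESSION_KEY, MESSAGE, cksum),
            verify_strict(1, "aes128-cts-hmac-sha1-96", SESSION_KEY, MESSAGE, cksum))


def wrong_key_family():
    """Checksum type 15 presented under an RC4 key: the bytes match, but the
    strict verifier rejects the type/enctype mismatch."""
    cksum = compute_checksum(15, RC4_KEY, MESSAGE)
    return (verify_lenient(15, RC4_KEY, MESSAGE, cksum),
            verify_strict(15, "rc4-hmac", RC4_KEY, MESSAGE, cksum))


if __name__ == "__main__":
    print("honest:        ", honest_exchange())
    print("keyless sender:", keyless_sender())
    print("wrong family:  ", wrong_key_family())
```

The design point is that the receiver, not the sender, decides which checksum type is acceptable: the key's encryption type fixes the set of keyed checksum types that can bind a message to that key, and anything outside that set is rejected regardless of whether its value matches.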
Impact:
A remote or remote authenticated user can forge certain signatures and modify checksums.
Solution:
HP has issued a fix (3.2) for CVE-2010-1323 for OpenVMS Alpha and OpenVMS Integrity servers, available at:
http://h71000.www7.hp.com/openvms/products/kerberos
The HP advisory is available at:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02824440
Vendor URL: web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
Cause:
Access control error, Authentication error
Underlying OS:
OpenVMS
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Fri, 06 May 2011 05:06:14 +0000
Subject: HPSBOV02682 SSRT100495 rev.1 - HP OpenVMS running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Modification
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02824440
CVE-2008-0062, CVE-2008-0947, CVE-2008-0948, CVE-2009-0846, CVE-2009-4212, CVE-2010-1323