SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   Kerberos Vendors:   MIT
Kerberos AES and RC4 Integer Underflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1023440
SecurityTracker URL:  http://securitytracker.com/id/1023440
CVE Reference:   CVE-2009-4212   (Links to External Site)
Date:  Jan 12 2010
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5-1.3 to 5-1.6.4, 5-1.7
Description:   A vulnerability was reported in Kerberos. A remote user may be able to execute arbitrary code on the target system.

A remote user can send specially crafted ciphertext data to trigger an integer overflow in the AES and RC4 decryption operations of the MIT Kerberos crypto library and potentially execute arbitrary code on the target system. The code will run with the privileges of the target service.

Impact:   A remote user can execute arbitrary code on the target system or cause the target system to crash.
Solution:   The vendor has issued patches.

The upcoming krb5-1.7.1 and krb5-1.6.4 releases will include the fix.

The vendor's advisory is available at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-004.txt

Vendor URL:  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-004.txt (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 12 2010 (Red Hat Issues Fix) Kerberos AES and RC4 Integer Underflow May Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Enterprise Linux 3, 4, and 5, and Red Hat Enterprise Linux 4.7, 5.2, and 5.3 Extended Update Support.
Jan 13 2010 (Sun Issues Interim Fix) Kerberos AES and RC4 Integer Underflow May Let Remote Users Execute Arbitrary Code
Sun has issued an interim fix for Solaris 10.
May 6 2011 (HP Issues Fix for OpenVMS) Kerberos AES and RC4 Integer Underflow May Let Remote Users Execute Arbitrary Code
HP has issued a fix for OpenVMS.



 Source Message Contents

Date:  Tue, 12 Jan 2010 21:59:00 +0000
Subject:  Kerberos


http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-004.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2009-004

MIT krb5 Security Advisory 2009-004
Original release: 2010-01-12

Topic: integer underflow in AES and RC4 decryption

CVE-2009-4212
integer underflow in AES and RC4 decryption

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

Integer underflow bugs in the AES and RC4 decryption operations of the
crypto library of the MIT Kerberos software can cause crashes, heap
corruption, or, under extraordinarily unlikely conditions, arbitrary
code execution.  Only releases krb5-1.3 and later are vulnerable, as
earlier releases did not contain the functionality implemented by the
vulnerable code.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.

IMPACT
======

An unauthenticated remote attacker can, by inducing the decryption of
an invalid AES or RC4 ciphertext, cause a crash or heap corruption,
or, under extraordinarily unlikely conditions, arbitrary code
execution.  A successful code-execution attack against a KDC can
compromise all services relying on that KDC for authentication.
However, the most probable outcome is a crash due to a memory fault or
abort() call.  An attacker with a valid account in the relevant
Kerberos realm has a marginally higher chance of success to execute
arbitrary code, but the probability is still very low.  Therefore, the
given Confidentiality Impact and Integrity Impact metrics of
"Complete" represent theoretical worst-case scenarios and are both
more realistically characterized as "Partial".

AFFECTED SOFTWARE
=================

* KDC and application servers in MIT krb5-1.3 and later releases are
  vulnerable.  Earlier releases did not contain the functionality
  implemented by the vulnerable code.

* Third-party applications linked with the libraries from vulnerable
  releases are also vulnerable.

FIXES
=====

* The upcoming krb5-1.7.1 and krb5-1.6.4 releases will contain a fix
  for this vulnerability.

* For the krb5-1.7 release, apply the patch available at:

  http://web.mit.edu/kerberos/advisories/2009-004-patch_1.7.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2009-004-patch_1.7.txt.asc


* For the krb5-1.6 releases, apply the patch available at:

  http://web.mit.edu/kerberos/advisories/2009-004-patch_1.6.3.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2009-004-patch_1.6.3.txt.asc

* The krb5-1.6.3 patch might apply successfully to older releases.

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-004.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2009-4212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4212

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

The greatest risk is from AES decryption of invalid ciphertexts, which
can theoretically lead to arbitrary code execution under
extraordinarily unlikely conditions.  Other scenarios are more likely
to lead to denial of service.

This advisory makes some reasonable assumptions about the platform.
We assume that attempts to invoke malloc() to allocate nearly SIZE_MAX
bytes will fail, which is reasonable for conventional memory
architectures.  We also assume that the process has less than UINT_MAX
contiguous bytes of heap address space mapped, which is reasonable
given likely hardware and operating system configurations.

The Kerberos protocol specifications define the format of valid
ciphertexts encrypted with AES (in RFC 3962) or RC4 (in RFC 4757)
ciphers.  Valid ciphertexts have a minimum length, as they include
HMAC values and random confounders.  The implementation of the AES and
RC4 decryption operations does not adequately check that the provided
ciphertext meets the minimum length requirements of the ciphertext
format, and proceeds as if the minimums were already satisfied.  The
decryption operations perform integer subtractions that underflow when
the minimums are not satisfied.

The integer underflows can cause the AES decryption operation to write
to memory located before the caller's output buffer.  This behavior
represents the highest risk for execution of arbitrary code, but this
risk is still fairly small.  On platforms where malloc(0) (a request
to allocate zero bytes) returns a null pointer, this behavior will not
occur, because this null pointer result triggers adequate error
handling.

The data written during this event is the result of the AES-CTS
decryption of the 32 bytes preceding the input buffer.  The attacker
might not be able to directly influence the contents of the 32 bytes
preceding the input buffer, and might not know the encryption key that
will be used.  Without knowledge of the encryption key, the attacker
has effectively no chance to predict which byte values will be
written.  Due to the strong cryptographic properties of AES, for an
attacker who knows the encryption key but who does not have perfect
knowledge of the bytes to be decrypted, the probability of producing
the desired bytes is one in the number of possible uncontrolled values
of the bytes to be decrypted.

Other possible consequences of the integer underflow in the AES
decryption code include a crash due to an explicit abort() call inside
a section of code that checks (imperfectly) for invalid lengths.

The related integer underflow in the RC4 decryption code can cause an
attempt to copy nearly UINT_MAX bytes from the decryption buffer to
the output buffer, most likely causing a crash from a memory fault.
In the unlikely event that the copy does not fault (only really
possible on 64-bit platforms), there is a risk of heap corruption and
arbitrary code execution.

On 64-bit platforms, where an attempt to malloc() nearly UINT_MAX
bytes is more likely to succeed, the decryption code may attempt to
decrypt nearly UINT_MAX bytes, leading to either an ordinary
(correctly handled) error condition due to (almost certain) HMAC
validation failure or to a crash due to a memory fault (if decrypting
beyond the end of the input buffer crosses over into invalid address
space).

REVISION HISTORY
================

2010-01-12      original release

Copyright (C) 2009 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAktMqfAACgkQSO8fWy4vZo4cggCgoMQOq/CF68tdzP1n+BwneJG+
vrIAmwX9X8LeO6gOXW9X+2jetti2pYGG
=d7/O
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC