SecurityTracker.com
SecurityTracker Archives

Category:   Application (Security)  >   Kerberos
Vendor:   MIT
Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1011106
SecurityTracker URL:  http://securitytracker.com/id/1011106
CVE Reference:   CVE-2004-0642, CVE-2004-0643, CVE-2004-0772
Date:  Aug 31 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.3.4 and prior versions
Description:   Several double-free vulnerabilities were reported in the MIT Kerberos 5 software, including the Key Distribution Center (KDC). A remote user may be able to execute arbitrary code and compromise the entire Kerberos realm.

The vendor reported that the ASN.1 decoder functions use inconsistent memory management conventions. Under certain error conditions, the ASN.1 decoders may free memory without nulling the corresponding pointers [CVE: CVE-2004-0642]. As a result, library functions that receive errors from the ASN.1 decoders and then clean up by freeing every non-null pointer will free those already-freed buffers a second time.

It is also reported that krb5_rd_cred() in versions prior to 1.3.2 frees buffers that decode_krb5_enc_cred_part() has already freed when that function returns an error [CVE: CVE-2004-0643].

It is also reported that a patch introduced in version 1.2.8 to disable krb4 cross-realm authentication in krb524d contains a double-free vulnerability [CVE: CVE-2004-0772].
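The ownership mismatch described in the three paragraphs above, reduced to a small C model. This is an added example, not code from MIT Kerberos or from the advisory: the toy_cred_part structure, decode_toy_cred_part(), read_toy_cred(), the TOY_* error codes and the free-tracking shim are names made up for illustration, and the "REALM,principal" input is constructed. It shows the CVE-2004-0642 pattern (a decoder error path that frees a field but leaves the dangling pointer in the structure, so a krb5_rd_cred()-style caller that frees every non-NULL field on return releases the buffer again) beside the corrected form that nulls what it frees.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Error codes for the toy decoder (assumed names, not krb5's). */
#define TOY_OK          0
#define TOY_BAD_FORMAT  1
#define TOY_NO_MEMORY   2

/* Stand-in for a decoded ASN.1 structure: two heap-owned fields. */
typedef struct {
    char *realm;
    char *principal;
} toy_cred_part;

/* Free-tracking shim: a real second free() corrupts allocator metadata, so
   instead record each released pointer and count any attempt to release it
   again without touching the heap. */
#define MAX_TRACKED 64
static void *freed_ptrs[MAX_TRACKED];
static int freed_count = 0;
static int double_free_count = 0;

static void tracker_reset(void)
{
    freed_count = 0;
    double_free_count = 0;
}

static void tracked_free(void *p)
{
    int i;
    if (p == NULL)
        return;                       /* free(NULL) is a harmless no-op */
    for (i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) {
            double_free_count++;      /* second release of a stale pointer */
            return;
        }
    }
    if (freed_count < MAX_TRACKED)
        freed_ptrs[freed_count++] = p;
    free(p);
}

/* NUL-terminated copy of the first n bytes of s. If malloc reuses an address
   the tracker still remembers, forget that entry so it is not misreported. */
static char *tracked_dup(const char *s, size_t n)
{
    int i;
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    for (i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == (void *)p) {
            freed_ptrs[i] = freed_ptrs[--freed_count];
            break;
        }
    }
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Toy decoder over constructed input "REALM,principal". A missing comma
   simulates a decode error hit after the first field is already allocated.
   With null_on_free == 0 it reproduces the vulnerable pattern: the error
   path frees out->realm but leaves the dangling pointer in the structure. */
static int decode_toy_cred_part(const char *input, toy_cred_part *out,
                                int null_on_free)
{
    const char *comma = strchr(input, ',');
    size_t realm_len = comma ? (size_t)(comma - input) : strlen(input);

    out->realm = NULL;
    out->principal = NULL;

    out->realm = tracked_dup(input, realm_len);
    if (out->realm == NULL)
        return TOY_NO_MEMORY;

    if (comma == NULL) {
        tracked_free(out->realm);     /* release the partial result ...    */
        if (null_on_free)
            out->realm = NULL;        /* ... and, in the fixed form, say so */
        return TOY_BAD_FORMAT;
    }

    out->principal = tracked_dup(comma + 1, strlen(comma + 1));
    if (out->principal == NULL) {
        tracked_free(out->realm);
        if (null_on_free)
            out->realm = NULL;
        return TOY_NO_MEMORY;
    }
    return TOY_OK;
}

/* Caller modelled on a krb5_rd_cred()-style routine: whatever the decoder
   returns, cleanup frees every non-NULL field. That convention is only safe
   if the decoder nulls what it has already freed. */
static int read_toy_cred(const char *input, int fixed)
{
    toy_cred_part part;
    int ret = decode_toy_cred_part(input, &part, fixed);

    tracked_free(part.realm);         /* double free when realm is dangling */
    tracked_free(part.principal);
    return ret;
}

/* Run one scenario and report how many double frees the tracker caught. */
static int double_frees_for(const char *input, int fixed)
{
    tracker_reset();
    (void)read_toy_cred(input, fixed);
    return double_free_count;
}

int main(void)
{
    printf("vulnerable decoder, malformed input: %d double free(s)\n",
           double_frees_for("EXAMPLE.ORG", 0));
    printf("fixed decoder, malformed input:      %d double free(s)\n",
           double_frees_for("EXAMPLE.ORG", 1));
    printf("fixed decoder, well-formed input:    %d double free(s)\n",
           double_frees_for("EXAMPLE.ORG,alice", 1));
    return 0;
}
```

The shim only exists so the bug is counted instead of crashing the process; if you replace tracked_free() with a plain free() and build with -fsanitize=address, AddressSanitizer reports the same double free at the caller's cleanup line. The durable fix is the one the advisory describes for 1.3.5: a single ownership convention for decoder error paths, so that either the decoder frees and nulls, or it never frees at all and the caller always does.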

The vendor credits Will Fiveash and Nico Williams at Sun, Marc Horowitz, Nalin Dahyabhai, Joseph Galbraith, and John Hawkinson with discovering these flaws.

Impact:   A remote user may be able to execute arbitrary code on a target KDC system. This will compromise the entire Kerberos realm.

A remote user may be able to execute arbitrary code on a target system running krb524d.

A remote user acting as a KDC or application server may be able to execute arbitrary code on a target client host while the client is authenticating.

Solution:   A fixed version (krb5-1.3.5) is planned for release shortly.

Several patches are available. For krb5-1.3.2 through krb5-1.3.4, apply 2004-002-patch_1.3.4.txt. For krb5-1.3 and krb5-1.3.1, apply 2004-002-patch_1.3.1.txt. For krb5-1.2.8, apply 2004-002-patch_1.2.8.txt. Verify each patch against its detached PGP signature before applying it.

For krb5-1.2 through krb5-1.2.7, see the advisory for detailed instructions about which patch to apply.

2004-002-patch_1.3.4.txt:

http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.4.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.4.txt.asc

2004-002-patch_1.3.1.txt:

http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.1.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.1.txt.asc

2004-002-patch_1.2.8.txt:

http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.8.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisories/2004-002-patch_128.txt.asc

2004-002-patch_1.2.7.txt:

http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt.asc

2004-002-k524d_patch_1.2.5.txt:

http://web.mit.edu/kerberos/advisories/2004-002-k524d_patch_1.2.5.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisories/2004-002-k524d_patch_1.2.5.txt.asc

Vendor URL:  web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 31 2004 (Cisco Issues Fix for VPN 3000) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
Cisco has issued a fix for the VPN 3000 Concentrator series, which is affected by the Kerberos vulnerability.
Aug 31 2004 (Debian Issues Fix) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
Debian has released a fix.
Aug 31 2004 (Red Hat Issues Fix for RHEL) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Aug 31 2004 (Red Hat Issues Fix for RHEL) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 3.
Sep 1 2004 (Fedora Issues Fix for FC1) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
Fedora has released a fix for Fedora Core 1.
Sep 11 2004 (Conectiva Issues Fix) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
Conectiva has released a fix.
Oct 1 2004 (IBM Issues Fix for AIX) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
IBM has issued a fix for AIX.
Dec 2 2004 (Apple Issues Fix for OS X) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
Apple has released a fix for Mac OS X.
Dec 29 2004 (Conectiva Issues Fix) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
Conectiva has released a fix.

Copyright 2022, SecurityGlobal.net LLC