Heimdal releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.
259dec0f92b706cac74eb9b8dc8d72650d17e97cbf936f9e2367234a60d97a99<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>2004-04-01: Cross-realm trust vulnerability in Heimdal</title>
<link rel="stylesheet" href="../../style.css" type="text/css"/>
</head>
<body>
<h1>2004-04-01: Cross-realm trust vulnerability in Heimdal</h1>
<p>
All releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability
allowing someone with control over a realm to impersonate anyone in
the cross-realm trust path.
</p>
<p>
0.6.1 and 0.5.3 performs proper consistency checks on cross-realm
requests, as well as allowing for better control over transit checks.
</p>
<p>
If you are running a vulnerable KDC version and have established
cross-realm trust with anyone, we recommend that you disable this
trust and then upgrade to 0.6.1.
</p>
<p>
Too see if you have any cross-realm trust enabled you can list all
krbtgt principals in the database:
<pre class="example">
kadmin> get -t krbtgt/*
krbtgt/<MY.REALM>@<MY.REALM>
krbtgt/<MY.REALM>@<OTHER.REALM>
krbtgt/<OTHER.REALM>@<MY.REALM>
</pre>
If you have any <tt><OTHER.REALM></tt> variants, you can
temporarily disable them with:
<pre class="example">
kadmin> mod krbtgt/<MY.REALM>@<OTHER.REALM>
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:+disallow-all-tix
</pre>
You have to repeat this for all such principals as there is no easy
way to automate this. If you have a huge number to update, you will
probably have to dump the database, edit the dump, and reload.
</pre>
After upgrading the KDC you can reenable them with:
<pre class="example">
kadmin> mod krbtgt/<MY.REALM>@<OTHER.REALM>
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [disallow-all-tix]:-disallow-all-tix
</pre>
<p>
See also <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0371">CAN-2004-0371</a>.
</p>
<p>
<a href="http://validator.w3.org/check/referer"><img
src="http://www.w3.org/Icons/valid-xhtml10"
alt="Valid XHTML 1.0!" height="31" width="88" /></a>
</p>
</body>
</html>
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed