exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Technical Cyber Security Alert 2004-247A

Technical Cyber Security Alert 2004-247A
Posted Sep 9, 2004
Authored by US-CERT | Site cert.org

Technical Cyber Security Alert TA04-247A - The MIT Kerberos 5 implementation contains several vulnerabilities, the most severe of which could allow an unauthenticated, remote attacker to execute arbitrary code on a Kerberos Distribution Center (KDC). This could result in the compromise of an entire Kerberos realm.

tags | advisory, remote, arbitrary, vulnerability
SHA-256 | c6e533b36d77ffb637b867f87f533c2281ca5e526e202509a4017524a1282136

Technical Cyber Security Alert 2004-247A

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA04-247A


Vulnerabilities in MIT Kerberos 5

Original release date: September 3, 2004
Last revised: --
Source: US-CERT


Systems Affected

* MIT Kerberos 5 versions prior to krb5-1.3.5

* Applications that use versions of MIT Kerberos 5 libraries prior
to krb5-1.3.5

* Applications that contain code derived from MIT Kerberos 5

Updated vendor information is available in the systems affected
section of the individual vulnerability notes.


Overview

The MIT Kerberos 5 implementation contains several vulnerabilities,
the most severe of which could allow an unauthenticated, remote
attacker to execute arbitrary code on a Kerberos Distribution Center
(KDC). This could result in the compromise of an entire Kerberos
realm.


I. Description

There are several vulnerabilities in the MIT implementation of the
Kerberos 5 protocol. With one exception (VU#550464), all of the
vulnerabilities involve insecure deallocation of heap memory
(double-free vulnerabilities) during error handling and Abstract
Syntax Notation One (ASN.1) decoding. For further details, please see
the following vulnerability notes:

VU#795632 - MIT Kerberos 5 ASN.1 decoding functions insecurely
deallocate memory (double-free)

The MIT Kerberos 5 library does not securely deallocate heap memory
when decoding ASN.1 structures, resulting in double-free
vulnerabilities. An unauthenticated, remote attacker could execute
arbitrary code on a KDC server, which could compromise an entire
Kerberos realm. An attacker may also be able to execute arbitrary code
on Kerberos clients, or cause a denial of service on KDCs or clients.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0642)

VU#866472 - MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred()
insecurely deallocates memory (double-free)

The krb5_rd_cred() function in the MIT Kerberos 5 library does not
securely deallocate heap memory when decoding ASN.1 structures,
resulting in a double-free vulnerability. A remote, authenticated
attacker could execute arbitrary code or cause a denial of service on
any system running an application that calls krb5_rd_cred(). This
includes Kerberos application servers and other applications that
process Kerberos authentication via the MIT Kerberos 5 library,
Generic Security Services Application Programming Interface (GSSAPI),
and other libraries.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0643)

VU#350792 - MIT Kerberos krb524d insecurely deallocates memory
(double-free)

The MIT Kerberos krb524d daemon does not securely deallocate heap
memory when handling an error condition, resulting in a double-free
vulnerability. An unauthenticated, remote attacker could execute
arbitrary code on a system running krb524d, which in many cases is
also a KDC. The compromise of a KDC system can lead to the compromise
of an entire Kerberos realm. An attacker may also be able to cause a
denial of service on a system running krb524d.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0772)

VU#550464 - MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail()
does not properly terminate loop

The asn1buf_skiptail() function in the MIT Kerberos 5 library does not
properly terminate a loop, allowing an unauthenticated, remote
attacker to cause a denial of service in a KDC, application server, or
Kerberos client.
(Other resources: MITKRB5-SA-2004-003, CAN-2004-0644)


II. Impact

The impacts of these vulnerabilities vary, but an attacker may be able
to execute arbitrary code on KDCs, systems running krb524d (typically
also KDCs), application servers, applications that use Kerberos
libraries directly or via GSSAPI, and Kerberos clients. An attacker
could also cause a denial of service on any of these systems.

The most severe vulnerabilities could allow an unauthenticated, remote
attacker to execute arbitrary code on a KDC system. This could result
in the compromise of both the KDC and an entire Kerberos realm.


III. Solution

Apply a patch or upgrade

Check with your vendor(s) for patches or updates. For information
about a specific vendor, please see the systems affected sections in
the individual vulnerability notes or contact your vendor directly.

Alternatively, apply the appropriate source code patch(es) referenced
in MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003 and recompile.

These vulnerabilities will be addressed in krb5-1.3.5.


Appendix A. References

* Vulnerability Note VU#795632 -
<http://www.kb.cert.org/vuls/id/795632>

* Vulnerability Note VU#866472 -
<http://www.kb.cert.org/vuls/id/866472>

* Vulnerability Note VU#350792 -
<http://www.kb.cert.org/vuls/id/350792>

* Vulnerability Note VU#550464 -
<http://www.kb.cert.org/vuls/id/550464>

* MIT krb5 Security Advisory 2004-002 -
<http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfre
e.txt>

* MIT krb5 Security Advisory 2004-003 -
<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-as
n1.txt>

* Kerberos: The Network Authentication Protocol -
<http://web.mit.edu/kerberos/www/>

_______________________________________________________________________

Thanks to Tom Yu and the MIT Kerberos Development team for addressing
these vulnerabilities and coordinating with vendors. MIT credits the
following people: Will Fiveash, Joseph Galbraith, John Hawkinson, Marc
Horowitz, and Nico Williams.
_______________________________________________________________________


Feedback can be directed to the author: Art Manion

_______________________________________________________________________

This document is available from:

<http://www.us-cert.gov/cas/techalerts/TA04-245A.html>
_______________________________________________________________________


Copyright 2004 Carnegie Mellon University. Terms of use

Terms of use: <http://www.us-cert.gov/legal.html>

_______________________________________________________________________

Revision History

September 3, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBOM3iXlvNRxAkFWARAs9xAKC23q9EekPz/InQVWZPeUVhH4bnKwCgkVfh
vKAOqE4sCXyydZ4BKnNreK8=
=7R1M
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close