__________________________________________________________

               The U.S. Department of Energy
           Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

      Denial of Service Vulnerabilities in Kerberos 4 KDC Programs

June 13, 2000 17:00 GMT                                        Number K-051
______________________________________________________________________________

PROBLEM:       A Denial of Service vulnerability was found in implementations
               of Kerberos 4 KDC programs. Another Denial of Service
               vulnerability exists in the krb5-1.1.x KDC implementations.
               These vulnerabilities are IN ADDITION to those announced in
               the CIAC Bulletin "K-043b: Buffer Overrun Vulnerabilities in
               Kerberos".

PLATFORM:      Those running these source distributions:
               1) MIT Kerberos 5 releases krb5-1.0x, krb5-1.1, krb5-1.1.1
               2) MIT Kerberos 4 patch 10, and probably earlier releases
                  as well
               3) KerbNet (Cygnus implementation of Kerberos 5)
               4) Cygnus Network Security (CNS -- Cygnus implementation of
                  Kerberos 4)
               5) KTH-krb4 before version 0.10

DAMAGE:        These vulnerabilities allow a remote user to perform a Denial
               of Service attack.

SOLUTION:      Apply the patches given in the earlier CIAC Bulletin K-043b,
               and then apply the patches given in the advisory below.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. The most severe vulnerability allows
ASSESSMENT:    remote intruders to disrupt normal operations of the Key
               Distribution Center (KDC), but it does not lead to a root
               compromise.
______________________________________________________________________________

[ Start CERT/CC Advisory ]

CERT Advisory CA-2000-11 MIT Kerberos Vulnerable to Denial-of-Service Attacks

Original release date: June 9, 2000
Last revised: --
Source: The MIT Kerberos Team, CERT/CC

A complete revision history is at the end of this file.
Systems Affected

   * Systems with MIT-derived implementations of the Kerberos 4 KDC
   * Systems with MIT-derived implementations of the Kerberos 5 KDC enabled
     to handle krb4 ticket requests

Overview

   The CERT Coordination Center has recently been notified of several
   potential buffer overflow vulnerabilities in the Kerberos authentication
   software. The most severe vulnerability allows remote intruders to
   disrupt normal operations of the Key Distribution Center (KDC) if an
   attacker is able to send malformed requests to a realm's key server.

   MIT reports that the following versions are vulnerable to one or more of
   these vulnerabilities:

   * MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
   * MIT Kerberos 4 patch 10, and probably earlier releases as well
   * KerbNet (Cygnus implementation of Kerberos 5)
   * Cygnus Network Security (CNS -- Cygnus implementation of Kerberos 4)

   Other versions may be affected as well.

   The vulnerabilities discussed in this advisory are different from the
   ones discussed in CA-2000-06, Multiple Buffer Overflows in Kerberos
   Authenticated Services. The primary difference is in the impact: the new
   vulnerabilities do not appear to allow remote execution of arbitrary
   code, since the buffers being overrun are statically declared. In
   addition, only Kerberos 4 KDC servers, and Kerberos 5 KDC servers that
   can service version 4 ticket requests, are affected by the buffer
   overflows discussed here.

I. Description

   There are at least five distinct vulnerabilities in various versions and
   implementations of the Kerberos software. All of these vulnerabilities
   may be exploited to effect denial-of-service attacks with varying degrees
   of severity. These vulnerabilities include:

   * The buffer used to hold the variable lastrealm in the function
     set_tgtkey() can be overflowed.
   * The buffer used to hold the variable localrealm in the function
     process_v4() can be overflowed.
   * The buffer used to hold the variable e_msg in the function
     kerb_err_reply() can be overflowed.
   * The code that services AUTH_MSG_KDC_REQUESTs does not properly check
     for null-termination.
   * Memory that has previously been freed may be improperly freed again,
     possibly resulting in unstable operation.

   The MIT Kerberos Team Advisory

   The MIT Kerberos Team described these vulnerabilities in more detail in
   an advisory they recently issued. This advisory is available at

      http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt

II. Impact

   Depending on the version of Kerberos, the environment in which it is
   running, and the particular vulnerability that is exploited, a remote
   attacker can cause one or more of the following:

   * The KDC to issue invalid tickets for all principals,
   * The KDC to generate a "principal unknown" error, or
   * The KDC process to crash.

   Any new authentications to kerberized services will not be possible
   until the KDC is restarted. Note that this implies that operation of
   "kerberized" services will be halted until the KDC is stopped.

   It does not appear that any of these vulnerabilities allows the
   execution of code by an intruder. Additional detail can be found in the
   MIT advisory.

III. Solution

   Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   We will update the appendix as we receive more information. If you do
   not see your vendor's name, the CERT/CC did not hear from that vendor.
   Please contact your vendor directly.

   Apply the MIT patches

   If you are running a Kerberos distribution from MIT and can rebuild your
   binaries from source, you can apply the source code patches from MIT to
   correct these problems. These patches are available in the MIT Advisory.
   If you are running other MIT-derived implementations, you need to apply
   the appropriate vendor patches and recompile the KDC server software.
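   The two defects the Description section names, a statically sized realm
   buffer that is overrun and a request field that is never checked for a
   NUL terminator, come down to one missing bounds check. The following is
   an added, hypothetical C illustration written for this bulletin; it is
   not MIT's KDC code, and the buffer size, function names and sample
   request bytes are all constructed.

```c
#include <string.h>

#define REALM_SZ 40   /* hypothetical fixed buffer size, not MIT's value */

/* The pattern the advisory describes: the realm field of a krb4 request is
 * copied into a statically sized buffer assuming the sender included a NUL
 * terminator. A request without one, or with an over-long realm, overruns
 * the buffer and the KDC crashes or issues bad tickets. Shown for contrast. */
void copy_realm_unchecked(const unsigned char *req, char *realm)
{
    strcpy(realm, (const char *)req);
}

/* Hardened form: the terminator must lie inside the packet and the field
 * must fit the destination. Returns bytes consumed (incl. NUL) or -1. */
int parse_realm_checked(const unsigned char *req, size_t req_len,
                        char *realm, size_t realm_sz)
{
    const unsigned char *nul = memchr(req, '\0', req_len);
    if (nul == NULL)
        return -1;                         /* no terminator in packet */
    size_t n = (size_t)(nul - req);
    if (n == 0 || n >= realm_sz)
        return -1;                         /* empty, or would overflow */
    memcpy(realm, req, n);
    realm[n] = '\0';
    return (int)(n + 1);
}

/* Constructed sample request (not a real capture): realm, NUL, more data. */
static const unsigned char GOOD_REQ[] = "ATHENA.MIT.EDU\0<rest of request>";

int check_good(void)                       /* well-formed request: accepted */
{
    char realm[REALM_SZ];
    int n = parse_realm_checked(GOOD_REQ, sizeof GOOD_REQ - 1, realm, sizeof realm);
    return n == 15 && strcmp(realm, "ATHENA.MIT.EDU") == 0;
}

/* 64 bytes of 'A' with a NUL placed at nul_at, or no NUL at all if nul_at < 0.
 * Models the malformed requests: unterminated, or terminated but too long. */
int parse_filled_request(int nul_at)
{
    unsigned char req[64];
    char realm[REALM_SZ];
    memset(req, 'A', sizeof req);
    if (nul_at >= 0)
        req[nul_at] = '\0';
    return parse_realm_checked(req, sizeof req, realm, sizeof realm);
}
```

   A KDC that rejects the request on the -1 path logs a malformed packet
   and keeps serving other principals, which is the whole difference
   between this check and the crash described in Section II.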
   Disable Kerberos version 4 authentication in Kerberos version 5 if
   possible

   As suggested by MIT, krb4 authentication in some daemons can be disabled
   at run time by supplying command-line options to the KDC server.
   Optionally, the krb5 distribution may be compiled with the option
   '--without-krb4' to disable all krb4 ticket handling by default.

   Upgrade to MIT Kerberos 5 version 1.2

   The vulnerabilities described in this advisory will be addressed in
   Kerberos 5 version 1.2. This version will be available from the MIT
   Kerberos web site:

      http://web.mit.edu/kerberos/www/

Appendix A. Vendor Information

   MIT Kerberos

   The MIT Kerberos Team advisory on this topic is available from:

      http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt

   BSDI

   BSDI is working on a patch for this problem and will announce it via our
   normal channels as soon as it is available.

   NetBSD

   Versions of kerberos which have been integrated into released versions
   of NetBSD and distributed as part of the optional, not-for-export "secr"
   sets are vulnerable to some of the problems cited in the advisory.
   Integration of the fixes is in progress and will be announced in a
   NetBSD security advisory when complete.

   University of Washington

   [...] we don't distribute client or server binaries with MIT Kerberos
   support. We distribute source that allows building on UNIX and PC with
   MIT Kerberos. A site which wants to use Kerberos must build our software
   (e.g. Pine, imapd, ipop[23]d) locally in order to use MIT Kerberos. I
   did not see anything in this alert that specifically indicates a problem
   for [our] clients or servers. As with all other software built with MIT
   Kerberos, it would be prudent for a site that uses our software with MIT
   Kerberos to rebuild it with the patched version of MIT Kerberos.
   _________________________________________________________________

   The CERT Coordination Center thanks Tom Yu and the MIT Kerberos Team for
   notifying us about these problems and their help in developing this
   advisory.
   _________________________________________________________________

   Jeff Havrilla was the primary author of the CERT/CC portions of this
   document.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2000-11.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
      Pittsburgh PA 15213-3890
      U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

   Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our
   public PGP key is available from

      http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

   Getting security information

   CERT publications and other security information are available from our
   web site

      http://www.cert.org/

   To be added to our mailing list for advisories and bulletins, send email
   to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address
   in the subject of your message.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
     Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
   University makes no warranties of any kind, either expressed or implied
   as to any matter including, but not limited to, warranty of fitness for
   a particular purpose or merchantability, exclusivity or results obtained
   from use of the material.
   Carnegie Mellon University does not make any warranty of any kind with
   respect to freedom from patent, trademark, or copyright infringement.
   _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2000 Carnegie Mellon University, portions copyright MIT
   University.

   Revision History

   June 9, 2000: Initial release

[ End CERT/CC Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of The MIT Kerberos Team and
CERT/CC for the information contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use
one of the following methods to contact CIAC:

    1. Call the CIAC voice number 925-422-8193 and leave a message, or
    2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or
    3. Send e-mail to 4498369@skytel.com, or
    4. Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
                    (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:   ftp.ciac.org
                    (or ciac.llnl.gov -- they're the same machine)
   Modem access:    +1 (925) 423-4753 (28.8K baud)
                    +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed herein
do not necessarily state or reflect those of the United States Government
or the University of California, and shall not be used for advertising or
product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-038: Security Holes in FileMaker 5 Web Companion
K-039: VBS.LoveLetter.A Worm
K-040: Netscape Navigator Improperly Validates SSL Sessions
K-041: Denial of Service and File Reading Vulnerabilities
K-042: Microsoft "Office 2000 UA Control" Vulnerability
K-043: Buffer Overrun Vulnerabilities in Kerberos
K-044: Microsoft: Vulnerabilities in Internet Explorer
K-045: SGI Vulnerability in infosrch.cgi
K-046: 386-BSD Based Operating Systems - IPCS Vulnerability
K-048: Permissions Problems with FrontPage Extensions
K-049: Microsoft IE "SSL Certificate Validation" Vulnerability