__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Kerberos krb5 Vulnerabilities [Kerberos - Security Advisories 2004-002 & 2004-003] August 31, 2004 18:00 GMT Number O-208 [REVISED 02 Sep 2004] [REVISED 06 Dec 2004] ______________________________________________________________________________ PROBLEM: Double-free errors in the Kerberos 5 KDC and libraries, and an infinite loop bug in the Kerberos 5 ASN.1 decoder library have been found. SOFTWARE: MIT Kerberos krb5 KDC PLATFORMS: Red Hat Enterprise Linux AS, ES, and WS (v.3) Red Hat Enterprise Linux AS, ES, and WS (v.2.1) Debian GNU/Linux 3.0 (woody) Cisco VPN 3000 Series Concentrators Sun Solaris 9: Sparc and x86 Mac OS X v10.2.x and v10.3.x Mac OS X Servers v10.2.x and v10.3.x DAMAGE: Vulnerabilities allow execution of arbitrary code or can trigger a denial of service attack. SOLUTION: Install appropriate vendor update packages. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. A remote attacker could gain root access, ASSESSMENT: execute arbitrary code, or cause a denial of service attack. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-208.shtml ORIGINAL BULLETINS: http://web.mit.edu/kerberos/www/advisories/ MITKRB5-SA-2004-002-dblfree.txt http://web.mit.edu/kerberos/www/advisories/ MITKRB5-SA-2004-003-asn1.txt ADDITIONAL LINKS: - Red Hat RHSA-2004:350-12: https://rhn.redhat.com/errata/RHSA-2004-350.html - Red Hat RHSA-2004:448-13: https://rhn.redhat.com/errata/RHSA-2004-448.html - Debian DSA-543-1: http://www.debian.org/security/2004/dsa-543 - CISCO Document ID: 61720 http://www.cisco.com/en/US/products/ products_security_advisory09186a00802b3cf9.shtml - Sun Document ID 57631 http://sunsolve.sun.com/search/document.do?assetkey= 1-26-57631-1&searchclause=security Apple Security Update 2004-12-02 (Also on CIAC P-049) http://docs.info.apple.com/article.html?artnum=61798 CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2004-0642 CAN-2004-0643 CAN-2004-0644 CAN-2004-0772 ______________________________________________________________________________ REVISION HISTORY: 09/02/2004 - added link to Sun's Security Alert. 12/06/2004 - Added Apple products to Platforms. Added link to Apple's Security Update 2004-12-02. This information also on our CIAC Bulletin P-049. [***** Start Kerberos Security Advisory 2004-002 *****] -----BEGIN PGP SIGNED MESSAGE----- MIT krb5 Security Advisory 2004-002 Original release: 2004-08-31 Topic: double-free vulnerabilities in KDC and libraries Severity: CRITICAL SUMMARY ======= The MIT Kerberos 5 implementation's Key Distribution Center (KDC) program contains a double-free vulnerability that potentially allows a remote attacker to execute arbitrary code. Compromise of a KDC host compromises the security of the entire authentication realm served by the KDC. Additionally, double-free vulnerabilities exist in MIT Kerberos 5 library code, making client programs and application servers vulnerable. Exploitation of double-free bugs is believed to be difficult. No exploits are known to exist for these vulnerabilities. IMPACT ====== * A unauthenticated remote attacker can potentially execute arbitrary code on a KDC host, compromising an entire Kerberos realm. [CAN-2004-0642] * A remote attacker can potentially execute arbitrary code on a host running krb524d, possibly compromising an entire Kerberos realm if the host is a KDC host. [CAN-2004-0772] * An authenticated attacker can also potentially execute arbitrary code on hosts running vulnerable services. [CAN-2004-0643] * An attacker impersonating a legitimate KDC or application server can potentially execute arbitrary code on a client host while the client is authenticating. [CAN-2004-0642] AFFECTED SOFTWARE ================= * KDC software from all releases of MIT Kerberos 5 up to and including krb5-1.3.4. [CAN-2004-0642] * The krb524d program from krb5-1.2.8 and later. The krb524d present in earlier releases is vulnerable if it has been patched to disable krb4 cross-realm functionality. [CAN-2004-0772] * Applications calling the krb5_rd_cred() function in releases prior to krb5-1.3.2. Such applications in the MIT krb5 releases include the remote login daemons (krshd, klogind, and telnetd) and the FTP daemon. The krb5_rd_cred() function decrypts and decodes forwarded Kerberos credentials. Third-party applications calling this function directly or indirectly (by means of the GSSAPI or other libraries) are vulnerable. [CAN-2004-0643] * Client code from all releases of MIT Kerberos 5 up to and including krb5-1.3.4. Third-party applications directly or indirectly calling client library functions may also be vulnerable. [CAN-2004-0642] FIXES ===== * The upcoming krb5-1.3.5 release will contain fixes for these problems. * Apply the appropriate patch or patches referenced below, and rebuild the software. - If you are running krb5-1.3 through krb5-1.3.4, apply 2004-002-patch_1.3.4.txt. - If you are running krb5-1.3 through krb5-1.3.1, apply 2004-002-patch_1.3.1.txt. - If you are running krb5-1.2.8, apply 2004-002-patch_1.2.8.txt. - Things become more complicated if you are running krb5-1.2 through krb5-1.2.7. The correct set of patches to apply will depend on whether you have applied the patches to disable krb4 cross-realm functionality [MITKRB5-SA-2003-004]. + If you are running krb5-1.2.6 through krb5-1.2.7, and have applied the patches to disable krb4 cross-realm functionality, apply 2004-002-patch_1.2.8.txt. + If you are running krb5-1.2 through krb5-1.2.5, and have applied the patches to disable krb4 cross-realm functionality, apply 2004-002-patch_1.2.7.txt, followed by 2004-002-k524d_patch_1.2.5.txt. + If you are running krb5-1.2 through krb5-1.2.7, and have not applied the patches to disable krb4 cross-realm functionality, apply 2004-002-patch_1.2.7.txt. Summary chart of patches to apply for releases krb5-1.2 through krb5-1.2.7: | patched for 2003-004 | not patched for 2003-004 -----------+--------------------------------+-------------------------- krb5-1.2.7 | | -----------+ 2004-002-patch_1.2.8.txt | krb5-1.2.6 | | -----------+--------------------------------+ 2004-002-patch_1.2.7.txt krb5-1.2.5 | 2004-002-patch_1.2.7.txt | through | and | krb5-1.2 | 2004-002-k524d_patch_1.2.5.txt | Patches available: * Patch for krb5-1.3.4 (2004-002-patch_1.3.4.txt) * Patch for krb5-1.3.1 (2004-002-patch_1.3.1.txt) * Patch for krb5-1.2.8 (2004-002-patch_1.2.8.txt) * Patch for krb5-1.2.7 (2004-002-patch_1.2.7.txt) * Patch for krb524d in krb5-1.2.5 which has been previously patched to disable krb4 cross-realm (2004-002-k524d_patch_1.2.5.txt) Note: Each patch are generated against the specific release noted above. The patches may apply with some offset against other compatible releases listed above. 2004-002-patch_1.3.4.txt ======================== http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.4.txt The associated detached PGP signature is at: http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.4.txt.asc 2004-002-patch_1.3.1.txt ======================== http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.1.txt The associated detached PGP signature is at: http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.1.txt.asc 2004-002-patch_1.2.8.txt ======================== http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.8.txt The associated detached PGP signature is at: http://web.mit.edu/kerberos/advisories/2004-002-patch_128.txt.asc 2004-002-patch_1.2.7.txt ======================== http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt The associated detached PGP signature is at: http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt.asc 2004-002-k524d_patch_1.2.5.txt ============================== http://web.mit.edu/kerberos/advisories/2004-002-k524d_patch_1.2.5.txt The associated detached PGP signature is at: http://web.mit.edu/kerberos/advisories/2004-002-k524d_patch_1.2.5.txt.asc REFERENCES ========== This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CERT VU#795632 http://www.kb.cert.org/vuls/id/795632 CVE CAN-2004-0642 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642 KDC and client libraries double-free on error conditions in MIT Kerberos 5 releases krb5-1.3.4 and earlier, allowing unauthenticated remote attackers to execute arbitrary code CERT VU#866472 http://www.kb.cert.org/vuls/id/866472 CVE CAN-2004-0643 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643 krb5_rd_cred() double-frees on error conditions in MIT Kerberos 5 releases krb5-1.3.1 and earlier, allowing authenticated attackers to execute arbitrary code VU#350792 http://www.kb.cert.org/vuls/id/350792 CVE CAN-2004-0772 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772 krb524d in krb5-1.2.8 and later double-frees on error conditions, allowing remote attackers to execute arbitrary code. Earlier releases patched for the krb4 protocol vulnerability [MITKRB5-SA-2003-004] are also vulnerable. ACKNOWLEDGMENTS =============== Thanks to Will Fiveash and Nico Williams at Sun for finding some of these vulnerabilities and for providing initial patches. Thanks to Marc Horowitz for discovering the krb524d vulnerability. Thanks to Nalin Dahyabhai for providing a corrected patch for krb524d in releases krb5-1.2 through krb5-1.2.5 in cases where krb524d has been patched to disable krb4 cross-realm functionality. Thanks to Joseph Galbraith and John Hawkinson, who both independently discovered the double-free in krb5_rd_cred() which was corrected in release krb5-1.3.2. DETAILS ======= In the MIT krb5 library, in all releases up to and including krb5-1.3.4, ASN.1 decoder functions and their callers do not use a consistent set of memory management conventions. The callers expect the decoders to allocate memory. The callers typically have error-handling code which frees memory allocated by the ASN.1 decoders if pointers to the allocated memory are non-null. Upon encountering error conditions, the ASN.1 decoders themselves free memory which they have allocated, but do not null the corresponding pointers. When some library functions receive errors from the ASN.1 decoders, they attempt to pass the non-null pointer (which points to freed memory) to free(), causing a double-free. In all releases of MIT krb5 up to and including krb5-1.3.4, cleanup code in the KDC frees memory returned by ASN.1 decoders. This cleanup code only frees memory pointed to by non-null pointers, but if an ASN.1 decoder returns an error, the cleanup code will free memory previously freed by the decoder. Implementations of krb5_rd_cred() prior to the krb5-1.3.2 release contained code to explicitly free the buffer returned by the ASN.1 decoder function decode_krb5_enc_cred_part() when the decoder returns an error. This is another double-free, since the decoder would itself free the buffer on error. Since decode_krb5_enc_cred_part() does not get called unless the decryption of the encrypted part of the KRB-CRED is successful, the attacker needs to have authenticated. This code was corrected in the krb5-1.3.2 release. The patch (introduced in krb5-1.2.8 and present in all subsequent releases) for disabling krb4 cross-realm authentication in krb524d introduced a double-free vulnerability. If handle_classic_v4() denies the conversion of a cross-realm ticket, v5tkt->enc_part2 gets freed but not nulled, so do_connection() double-frees many things when it subsequently calls krb5_free_ticket(). REVISION HISTORY ================ 2004-08-31 original release Copyright (C) 2004 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (SunOS) iQCVAwUBQTTAUabDgE/zdoE9AQHSFwP/S0bIduge4dDmZiTlDEUa5L1CjESpAq3O 905Ru47xTmKqKpCC6cpIxpFqeXZAZkc8HzIp4kaZUNJ3+cik2Mg+YSdP5mM9ys67 geZZoF6pufgh9Ym4gMK6YJjYxsJgSrEbcpgrYv710GEy1SqsE2o7O0Y5WSYv3Df+ 8Nz22+QoVzw= =dpRb -----END PGP SIGNATURE----- [***** End Kerberos Security Advisory: 2004-2002 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of MIT, Red Hat, Inc., and Debian for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) CIACTech04-002: Rootkit Backdoor Trigger Detection Strings O-199: Cisco IOS Malformed OSPF Packet Causes Reload O-200: Updated PAM Packages O-201: Qt Package Vulnerabilities O-202: Buffer Overflow in the CDE Mailer dtmail(1X) O-203: Cisco Secure Access Control Server Vulnerabilities O-204: Netscape NSS Library Suite Remote Buffer Overflow O-205: Adobe Acrobat Reader Uuencoding Buffer Overflow O-206: Entrust LibKmp Library Vulnerabilities O-207: Cisco IOS Telnet Denial of Service Vulnerability