             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                             krb5 Security Update
         [MIT krb5 Security Advisories SA-2005-002 and SA-2005-003]

July 12, 2005 22:00 GMT                                           Number P-249
[REVISED 19 Jul 2005]
[REVISED 20 Jul 2005]
[REVISED 02 Aug 2005]
[REVISED 05 Aug 2005]
[REVISED 15 Aug 2005]
[REVISED 16 Aug 2005]
[REVISED 14 Sep 2005]
[REVISED 04 Oct 2005]
[REVISED 05 Oct 2005]
______________________________________________________________________________
PROBLEM:        Vulnerabilities were discovered in the MIT krb5 Key
                Distribution Center (KDC). Kerberos is a networked
                authentication system that uses a trusted third party (a KDC)
                to authenticate clients and servers to each other.

PLATFORM:       CAN-2005-1174: All MIT krb5 releases supporting TCP client
                connections to the KDC. This includes krb5-1.3 and later
                releases, up to and including krb5-1.4.1.
                CAN-2005-1175: All MIT krb5 releases up to and including
                krb5-1.4.1. Third-party application servers which use MIT krb5
                are also affected.
                CAN-2005-1689: The kpropd daemon in all releases of MIT krb5,
                up to and including krb5-1.4.1, is vulnerable. The klogind and
                krshd remote-login daemons in all releases of MIT krb5, up to
                and including krb5-1.4.1, are vulnerable. Third-party
                application programs which call krb5_recvauth() are also
                vulnerable.
                Red Hat Desktop (v. 3 and v. 4)
                Red Hat Enterprise Linux AS, ES, WS (v. 2.1, v. 3, v. 4)
                Red Hat Linux Advanced Workstation 2.1 for the Itanium
                Processor
                Solaris 7, 8, 9, and 10 Operating Systems, Sun Enterprise
                Authentication Mechanism Software
                Debian 3.0 (woody)
                SGI ProPack 3 Service Pack 6

DAMAGE:         Heap buffer overflow in the Kerberos KDC may allow an attacker
                to execute malicious code. A double-free error in the
                krb5_recvauth() library routine may allow an attacker to
                execute arbitrary code.
                Also an attacker could trigger an invalid free() and cause a
                denial of service.

SOLUTION:       Apply the security updates.
______________________________________________________________________________
VULNERABILITY   The risk is HIGH. An attacker may be able to execute arbitrary
ASSESSMENT:     code on the KDC with elevated privileges, cause a denial of
                service, or possibly compromise an entire Kerberos realm.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-249.shtml

 ORIGINAL BULLETINS: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-002-kdc.txt
                     http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-003-recvauth.txt

 ADDITIONAL LINKS:   Red Hat Security Advisory RHSA-2005:567-08
                     https://rhn.redhat.com/errata/RHSA-2005-567.html
                     Red Hat Security Advisory RHSA-2005:562-15
                     https://rhn.redhat.com/errata/RHSA-2005-562.html
                     Sun Security Alert ID: 101809
                     http://www.sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-101809-1
                     Sun Security Alert ID: 101810
                     http://www.sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-101810-1
                     Debian Security Advisory DSA-757-1
                     http://www.debian.org/security/2005/dsa-757
                     SGI Security Advisory Security Update #44
                     http://www.sgi.com/support/security/advisories.html
                     SGI Security Advisory Security Update #44
                     ftp://patches.sgi.com/support/free/security/advisories/20050703-01-U.asc

 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2005-1689, CAN-2005-1174, CAN-2005-1175
______________________________________________________________________________
REVISION HISTORY:
  07/19/2005 - revised to add a link to Debian Security Advisory DSA-757-1 for
               Debian 3.0 (woody).
  07/20/2005 - revised to add a link to SGI Security Advisory SGI Advanced
               Linux Environment 3 Security Update #44 Patch 10190 for SGI
               ProPack 3 Service Pack 6.
  08/02/2005 - revised to reflect change to Sun Advisories 101809 and 101810.
               The change is to the Update Contributing Factors and Resolution
               sections.
  08/05/2005 - revised to reflect change to Sun Advisory 101810. The change is
               to the Update Contributing Factors and Resolution sections.
  08/15/2005 - revised to add a link to SGI Security Advisory SGI Advanced
               Linux Environment 3 Security Update #44 patch 10190 for SGI
               ProPack 3 Service Pack 6.
  08/16/2005 - updated Contributing Factors and Resolution sections.
  09/14/2005 - revised to reflect change to Contributing Factors and Resolution
               Sections of Sun Advisory 101809.
  10/04/2005 - revised to reflect change to Contributing Factors and Resolution
               Sections of Sun Advisory 101809.
  10/05/2005 - reference Red Hat's update to RHSA-2005:562 that provides
               updated krb5-server packages for Red Hat Enterprise Linux 3 WS
               and Red Hat Enterprise Linux 3 Desktop.

[***** Start MIT krb5 Security Advisories SA-2005-002 and SA-2005-003 *****]

-----BEGIN PGP SIGNED MESSAGE-----

                 MIT krb5 Security Advisory 2005-002
Original release: 2005-07-12

Topic: buffer overflow, heap corruption in KDC

Severity: CRITICAL

SUMMARY
=======

The MIT krb5 Key Distribution Center (KDC) implementation can corrupt
the heap by attempting to free memory at a random address when it
receives a certain unlikely (but valid) request via a TCP connection.
This attempt to free unallocated memory can result in a KDC crash and
consequent denial of service.  [CAN-2005-1174, VU#259798]

Additionally, the same request, when received by the KDC via either
TCP or UDP, can trigger a bug in the krb5 library which results in a
single-byte overflow of a heap buffer.  Application servers are
vulnerable to a highly improbable attack, provided that the attacker
controls a realm sharing a cross-realm key with the target realm.
[CAN-2005-1175, VU#885830]

An unauthenticated attacker may be able to use these vulnerabilities
to execute arbitrary code on the KDC host, potentially compromising an
entire Kerberos realm.  No exploit code is known to exist at this
time.
Exploitation of these vulnerabilities is believed to be difficult.

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code on
the KDC host, potentially compromising an entire Kerberos realm.

An unsuccessful attack against the heap corruption vulnerability may
result in a denial of service by crashing the KDC process.

AFFECTED SOFTWARE
=================

* [CAN-2005-1174] affects the KDC implementation in all MIT krb5
  releases supporting TCP client connections to the KDC.  This
  includes krb5-1.3 and later releases, up to and including
  krb5-1.4.1.

* [CAN-2005-1175] affects KDC implementations and application servers
  in all MIT krb5 releases, up to and including krb5-1.4.1.
  Third-party application servers which use MIT krb5 are also
  affected.

FIXES
=====

* The upcoming krb5-1.4.2 release will have fixes for these
  vulnerabilities.

* WORKAROUNDS:

  Disabling TCP support in the KDC avoids one vulnerability
  [CAN-2005-1174].  The single-byte overflow [CAN-2005-1175] is still
  possible even without KDC TCP support enabled.

  Running the KDC from init or from some similar automatic respawning
  facility may reduce the durations of denials of service, but this
  approach may make it difficult to detect deliberate attacks targeted
  at code execution.

* Apply the patch at:

  http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt.asc

  The patch was generated against the krb5-1.4.1 release.  It may
  apply, with some offset, to earlier releases.  On releases prior to
  krb5-1.3, only the patch to lib/krb5/krb/unparse.c should be
  necessary.
REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174

CERT: VU#259798
http://www.kb.cert.org/vuls/id/259798

CVE: CAN-2005-1175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175

CERT: VU#885830
http://www.kb.cert.org/vuls/id/885830

ACKNOWLEDGMENTS
===============

Thanks to Daniel Wachdorf for reporting these vulnerabilities.

DETAILS
=======

Kerberos 5 principal names may have an arbitrary number of
components.  The krb5_unparse_name() function in the MIT krb5 library
converts an internal representation of a Kerberos principal name into
a human-readable string.  The internal representation might have
originated from the decoding of a Kerberos protocol message.

The single-byte overflow occurs whenever the krb5_unparse_name()
function is called on a principal name having zero components.  The
function writes a null byte to an address one beyond the end of a
buffer allocated by malloc().  The corresponding krb5_parse_name()
function never generates an internal representation having zero
components; instead, it generates at least one zero-length component.
The current string representation form of Kerberos principal names has
some ambiguity between a zero-component principal name and a
one-component principal name having a zero-length single component.

Application servers which call krb5_unparse_name(), directly or
indirectly, are vulnerable to the single-byte overflow in
krb5_unparse_name(), provided that the attacker controls a realm which
shares a cross-realm key with the target realm.
This enables the attacker to use a cross-realm ticket for a
zero-component client principal name, which the application server
will then pass to krb5_unparse_name(), triggering the single-byte
overflow.  For this attack to succeed, the attacker needs access to a
KDC in the target realm which will create a ticket for a
zero-component client principal name.  Since the current MIT krb5 KDC
implementation will refuse to create such a ticket, the attack is
unlikely to succeed unless the implementation has been altered to
allow the issuance of tickets for zero-component client principal
names.

When the KDC fails to find the principal with a zero-component name in
its database (such a principal is very unlikely to exist in most
databases, as there are extremely few uses for such a principal), it
attempts to encode an error packet containing the offending principal
name, using prepare_error_as() or prepare_error_tgs().  This encoding
attempt fails inside encode_krb5_error(), since the ASN.1 encoder
function asn1_encode_principal_name() interprets the internal
representation of a zero-component principal name as an error
condition.  encode_krb5_error() does not allocate an output buffer
when it encounters an error condition.  While the UDP request handling
code in kdc/network.c:process_packet() does not attempt to free the
output buffer containing the encoded message when it encounters an
error, the TCP request handling code in process does free the buffer
inside kill_tcp_connection(), which attempts to free unallocated
memory pointed to by an uninitialized pointer.
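The following C is an added example, not MIT code and not part of the advisory: a simplified model of the two defects described above. It models the size accounting that leaves krb5_unparse_name() one byte short for a zero-component name, the parse-side ambiguity between a zero-component name and a single zero-length component, and the KDC TCP error path that frees a pointer the failed encoder never assigned. The function names, the reply_t type, the STACK_GARBAGE sentinel standing in for uninitialised stack contents, and the exact layout of the size computation are assumptions of this model; the real library also escapes special characters in components, which the model omits.

```c
/* Added example, not MIT code: a simplified model of MITKRB5-SA-2005-002.
 * A principal is a realm plus components rendered as comp0/comp1@REALM; the
 * escaping of special characters done by the real library is omitted. */
#include <stdlib.h>
#include <string.h>

/* Assumed shape of the size accounting: the realm slot pays for the trailing
 * NUL and each component slot for the separator after it ('/' or the final
 * '@').  With zero components nothing pays for the '@', so the pre-1.4.2
 * figure (fixed == 0) is one byte short; the fix reserves it (fixed != 0). */
size_t alloc_size(const char *realm, const char **comp, size_t n, int fixed)
{
    size_t total = strlen(realm) + 1;
    for (size_t i = 0; i < n; i++)
        total += strlen(comp[i]) + 1;
    if (fixed && n == 0)
        total++;
    return total;
}

/* Bytes the renderer really emits: components, '/'s, '@', realm, NUL. */
size_t bytes_written(const char *realm, const char **comp, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += strlen(comp[i]) + (i + 1 < n ? 1 : 0);
    return total + 1 + strlen(realm) + 1;
}

/* Render into a caller-supplied buffer; unlike the vulnerable code it checks
 * the bound first and returns -1 instead of writing the NUL past the end. */
int unparse_into(char *buf, size_t bufsize, const char *realm,
                 const char **comp, size_t n)
{
    if (bytes_written(realm, comp, n) > bufsize)
        return -1;
    char *q = buf;
    for (size_t i = 0; i < n; i++) {
        memcpy(q, comp[i], strlen(comp[i]));
        q += strlen(comp[i]);
        if (i + 1 < n)
            *q++ = '/';
    }
    *q++ = '@';
    memcpy(q, realm, strlen(realm));
    q[strlen(realm)] = '\0';
    return 0;
}

/* Component count a krb5_parse_name()-style parser derives from the string:
 * the text before the last '@' is split on '/', and an empty name part still
 * gives one (empty) component.  So "@REALM" parses to one zero-length
 * component, yet a zero-component name unparses to exactly that string. */
size_t parsed_component_count(const char *name)
{
    const char *at = strrchr(name, '@');
    size_t namelen = at ? (size_t)(at - name) : strlen(name);
    size_t count = 1;
    for (size_t i = 0; i < namelen; i++)
        count += (name[i] == '/');
    return count;
}

/* Model of the KDC TCP error path (CAN-2005-1174).  The encoder rejects a
 * zero-component name and, as the advisory says, leaves *out untouched. */
typedef struct { char *data; size_t length; } reply_t;

int encode_error_reply(size_t ncomp, reply_t **out)
{
    if (ncomp == 0)
        return -1;                  /* *out is not assigned on this path */
    *out = calloc(1, sizeof **out);
    return *out ? 0 : -1;
}

/* STACK_GARBAGE stands for the uninitialised pointer's stack contents, so
 * the defect can be observed without really calling free() on garbage. */
#define STACK_GARBAGE ((reply_t *)0x1)

/* fixed == 0 models the vulnerable path, which frees whatever the pointer
 * holds (-1: it would have freed garbage).  fixed != 0 initialises to NULL
 * and frees only after a successful encode (1: dropped, nothing to free). */
int tcp_error_path(size_t ncomp, int fixed)
{
    reply_t *reply = fixed ? NULL : STACK_GARBAGE;
    int rc = encode_error_reply(ncomp, &reply);
    if (fixed && rc != 0)
        return 1;
    if (reply == STACK_GARBAGE)
        return -1;
    free(reply->data);
    free(reply);
    return 0;
}
```

With a realm of EXAMPLE.COM and no components, alloc_size() without the fix returns 12 while bytes_written() returns 13: the 13th byte is the NUL the advisory describes landing one past the end. The same realm with a single empty component needs 13 bytes and is accounted for correctly, and both names render as "@EXAMPLE.COM", which is exactly why the string form cannot distinguish them.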
REVISION HISTORY
================

2005-07-12  original release

Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQtMbCabDgE/zdoE9AQFo9QP5AZMbr0YGmyzYbARTqFq+Lt+FYbfQ7XC/
c1hqTfsTkN0Mfh1I5d6dTjhXQT6kfN+EdNYfPhY+4LANB5CW9xe9BARPcW9i2ftt
xSTIODrD6LdNtOCCut1ha3T5tcV5GodvXzj7dSClde29j0IJR6dBcigfvR4mAygw
/U7r46obgM0=
=SnqK
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

                 MIT krb5 Security Advisory 2005-003
Original release: 2005-07-12

Topic: double-free in krb5_recvauth

Severity: CRITICAL

SUMMARY
=======

The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689, VU#623332]

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.

Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.

AFFECTED SOFTWARE
=================

* The kpropd daemon in all releases of MIT krb5, up to and including
  krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
  krb5, up to and including krb5-1.4.1, are vulnerable.

* Third-party application programs which call krb5_recvauth() are
  also vulnerable.

FIXES
=====

* The upcoming krb5-1.4.2 release will have a fix for this
  vulnerability.
* Apply the following patch.  This patch was generated against the
  krb5-1.4.1 release.  It may apply, with some offset, to earlier
  releases.

  The patch may also be found at:

  http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc

Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c     3 Sep 2002 01:13:47 -0000       5.38
- --- lib/krb5/krb/recvauth.c   23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
      if ((retval = krb5_read_message(context, fd, &inbuf)))
          return(retval);
      if (strcmp(inbuf.data, sendauth_version)) {
- -     krb5_xfree(inbuf.data);
          problem = KRB5_SENDAUTH_BADAUTHVERS;
      }
      krb5_xfree(inbuf.data);
- --- 76,81 ----
***************
*** 90,96 ****
      if ((retval = krb5_read_message(context, fd, &inbuf)))
          return(retval);
      if (appl_version && strcmp(inbuf.data, appl_version)) {
- -     krb5_xfree(inbuf.data);
          if (!problem)
              problem = KRB5_SENDAUTH_BADAPPLVERS;
      }
- --- 89,94 ----

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689

CERT: VU#623332
http://www.kb.cert.org/vuls/id/623332

ACKNOWLEDGMENTS
===============

Thanks to Magnus Hagander for reporting this vulnerability.

DETAILS
=======

The helper function recvauth_common() in lib/krb5/krb/recvauth.c has
two locations which call krb5_read_message(), followed by an
unconditional krb5_xfree() of the buffer allocated by
krb5_read_message().
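Review bot: in the second hunk (`*** 90,96 ****`) the unconditional `krb5_xfree(inbuf.data);` that is meant to become the sole free of the buffer is not inside the shown context, unlike the first hunk where it is visible as the last context line after the closing brace; confirm it is the statement immediately following the `}` at the end of this hunk in the new file, otherwise removing `- -     krb5_xfree(inbuf.data);` on the KRB5_SENDAUTH_BADAPPLVERS path trades the double free for a leak. Since both mismatch branches only record the error in `problem` and fall through to the unconditional free, a cheap guard against this class recurring would be to set `inbuf.data = NULL;` right after that surviving free.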
In the cases where the sendauth version string or the application
version string does not match the expected value, recvauth_common()
performs a krb5_xfree() on the buffer allocated by krb5_read_message()
preceding the subsequent unconditional call to krb5_xfree() on the
same buffer.

Since the code paths which call krb5_xfree() twice do so with almost
no intervening code, exploitation of this vulnerability may be more
difficult than exploitation of other double-free vulnerabilities.  No
detailed analysis has been performed on the ease of exploitation.

REVISION HISTORY
================

2005-07-12  original release

Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQtMbD6bDgE/zdoE9AQGmhQP+MYnmuw4+J3yIcQbS3chjZXVLHebTJJtN
jM5+cMBDQfYdpuoQER1Bbaf+7Ky1BoyX2zHfANzdDAiSFRykbFqEqgvdw9jqEFmx
ela1UtOhV5H80BZAzmGV+dVIqGPpWH0f4ArRe18Pbz2wZE0Vadq9VkBTJwHI23En
K3a9oiHA/XM=
=ZS63
-----END PGP SIGNATURE-----

[***** End MIT krb5 Security Advisories SA-2005-002 and SA-2005-003 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of MIT for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-239: JRE Plug-in affects the Sun Java Desktop System for Linux
P-240: ht
P-241: PHP Security Update
P-242: Adobe Reader Vulnerability
P-243: 'ruby 1.8' Vulnerability
P-244: 'arshell' Vulnerability in 'arrayd'
P-245: Cisco CallManager Vulnerabilities
P-246: Microsoft Word Font Parsing Vulnerability
P-247: Microsoft Vulnerability in JView Profiler
P-248: Microsoft Color Management Module Vulnerability