Date: 03 February 2003
References: ESB-2003.0067
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0068 -- MIT krb5 Security Advisory 2003-001
Multiple vulnerabilities in old releases of MIT Kerberos
03 February 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: krb5
Vendor: MIT
Operating System: Linux
UNIX
Mac OS X
Windows
Impact: Access Privileged Data
Increased Privileges
Denial of Service
Access Required: Remote
Ref: ESB-2003.0067
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MIT krb5 Security Advisory 2003-001
Original Release Date: 2003-01-28
Topic: Multiple vulnerabilities in old releases of MIT Kerberos
Severity: CRITICAL: Remote user can crash KDC, and may be able to
forge non-local identities and compromise the KDC or
application servers.
SUMMARY
=======
Multiple vulnerabilities have been found in MIT Kerberos 5 releases
prior to release 1.2.5. MIT recommends updating to 1.2.7 if possible.
IMPACT
======
* A remote user can crash the KDC.
* A user authenticated in a remote realm may be able to claim to be
other non-local users to an application server.
* It may be possible for a user to gain access to the KDC system and
database.
AFFECTED SOFTWARE
=================
* All releases of MIT Kerberos 5 before 1.2.5.
* For status on other vendors, see CERT's Vulnerability Notes:
VU#587579 - MIT Kerberos V5 ASN.1 decoder fails to perform bounds
checking on data element length fields
http://www.kb.cert.org/vuls/id/587579
VU#661243 - MIT Kerberos V5 KDC vulnerable to denial-of-service via
null pointer dereference
http://www.kb.cert.org/vuls/id/661243
VU#684563 - MIT Kerberos V5 allows inter-realm user impersonation by
malicious realm controllers with shared keys
http://www.kb.cert.org/vuls/id/684563
VU#787523 - MIT Kerberos V5 KDC logging routines use unsafe format
strings
http://www.kb.cert.org/vuls/id/787523
FIX
===
MIT recommends updating to release 1.2.5 or later, preferably to the
latest release. Patches specifically to fix these problems are not
available at this time.
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/www/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/www/index.html
ACKNOWLEDGMENTS
===============
Thanks to greg pryzby, Joseph Sokol-Margolis, Gerald Britton, E. Larry
Lidz, and CERT for reporting these problems.
DETAILS
=======
Problem 1: KDC null pointer dereferences
________________________________________
Certain protocol requests, compliant with the protocol encoding scheme
but indicative of a client system most likely configured incorrectly,
can crash a KDC with a null pointer dereference. We do not believe
any exploit to gain access to the KDC or otherwise alter its behavior
is possible on systems without storage mapped at address zero. We
have not explored the effects of this on a system with mapped memory
at address zero.
The fallback and retransmit algorithm used in the MIT krb5 library
will cause an application not receiving a reply from a KDC to try
other KDCs in the same realm; it will iterate through this list a few
times, or until it gets a response. Thus, one client may take down
multiple KDCs.
We believe this vulnerability is limited to the TGS-REQ exchange, that
is, cases where the user has already authenticated to the KDC or one
with which it shares inter-realm keys. So (ignoring cases of
well-known passwords) there is an audit trail of sorts, even if it has
to be dug out of a core file, and it is not a simple, scriptable
attack against KDCs in general.
Workarounds:
- Start your KDC from inittab or a loop in a shell script. (The
inittab approach may not work well if the KDC is crashed too often
in a short span of time.)
Thanks to greg pryzby <GregPryzby@aol.com> for reporting this problem.
Problem 2: realm transit checks
_______________________________
Realms with shared keys can impersonate people in other non-local
realms in certain cases. It may be exploitable in various ways if
non-local principal names are on critical ACLs.
This vulnerability affects both the KDC and Kerberos application
servers.
This problem was fixed in the 1.2.3 release. That release also added
a flag to the KDC config file that can be set to refuse untrusted
cross-realm authentication, in case application servers cannot be
updated quickly enough. This is not recommended as a long-term
solution, because the current model we use says that the application
server is responsible for doing this validation, which allows (for
example) a service on a specific machine (perhaps one set up for
software testing) to be configured to know about authentication paths
known to the maintainer of the service, even if the maintainer of the
KDC does not trust these paths for general use within the realm.
Enforcing this limitation in the KDC takes this option away from the
maintainers of individual machines.
Workarounds:
- Delete or change inter-realm keys so inter-realm authentication is
disabled.
- Remove all non-local principals from all critical ACLs in services
using old MIT Kerberos code to validate the realm transit path
Thanks to Joseph Sokol-Margolis <seph@mit.edu> and Gerald Britton
<gbritton@alum.mit.edu> for finding this problem.
Problem 3: format strings
_________________________
Older versions of the MIT KDC used strings containing Kerberos
principal names as printf-style format strings in logging routines.
At least some cases do not require successful authentication, so this
can be used as a remote, anonymous attack.
It is easy to crash the KDC with this exploit. We do not know of any
exploits to gain access to the host system, but we do not rule out the
possibility.
Workarounds: See under problem 1. ***However, these do not address
the host access possibility.***
Thanks to E. Larry Lidz <ellidz@eridu.uchicago.edu> for discovering
this problem.
Problem 4: bounds checking on data sizes
________________________________________
Some of our code does not do bounds checking on lengths before
allocating storage. On some systems, attempting to allocate large
negative amounts of storage can crash the program. Thus, some bogus
packets may crash the KDC or an application server using Kerberos. We
do not believe this can be exploited to gain access to the host
system.
Workarounds:
- start KDC in a loop in a script, or from inittab
- do likewise for any server processes that need to handle multiple
client connections
Thanks to CERT for bringing this to our attention.
REVISION HISTORY
================
2003-01-28 original release
2003-01-31 added CERT URLs
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE+OuV+UqOaDMQ+e5gRAqS8AKC/enXaFxHPudRflOTYSsgjExQ2WQCffBGU
Gc9n8oERD1uxexyDhKa8LWE=
=jEAe
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPj5z7ih9+71yA2DNAQFxiQP8CTq6Uy3s+5xU/IONy1HhGiRRLu7GJLGh
D11OcJeRWVqMot0upPM3fGaPf9w16A05JhxdL2oyZKXdUpE1WYfrgUSlPh0Vpuom
Elm1/0eK+A+RDo3kCpgqgcf1vr9pejUTnA7A+F0AgdpIebp3VaZrYmvQoPim9sMS
fT+YdhJIQoU=
=b6Em
-----END PGP SIGNATURE-----
|