US-CERT Technical Cyber Security Alert TA07-093B -- MIT Kerberos Vulnerabilities

[US-CERT Technical Alerts <technical-alerts@xxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                     National Cyber Alert System

               Technical Cyber Security Alert TA07-093B


MIT Kerberos Vulnerabilities

   Original release date: April 03, 2007
   Last revised: --
   Source: US-CERT


Systems Affected

     * MIT Kerberos

   Other products based on the GSS-API or the RPC libraries provided
   with MIT Kerberos may also be affected.


Overview

   The MIT Kerberos 5 implementation contains several vulnerabilities.
   One of these vulnerabilities (VU#220816) could allow a remote,
   unauthenticated attacker to log in via telnet (23/tcp) with
   elevated privileges. The other vulnerabilities (VU#704024,
   VU#419344) could allow a remote, authenticated attacker to execute
   arbitrary code on a Key Distribution Center (KDC).


I. Description

   There are three vulnerabilities that affect MIT Kerberos 5:

   * VU#220816 - MIT Kerberos 5 telnet daemon allows login as
                 arbitrary user
   
     The telnet daemon included with the MIT Kerberos administration
     daemon contains a vulnerability that may allow a remote,
     unauthorized user to log on to the system with elevated
     privileges.
   
   * VU#704024 - MIT Kerberos 5 administration daemon stack overflow
                 in krb5_klog_syslog()
       
     The MIT Kerberos administration daemon contains a vulnerability
     in the way the krb5_klog_syslog() function handles specially
     crafted strings that may allow a remote, authenticated attacker
     to execute arbitrary code. Other server applications that call
     krb5_klog_syslog() may also be affected. This vulnerability can
     be triggered by sending a specially crafted Kerberos message to a
     vulnerable system.
     
   * VU#419344 - MIT Kerberos 5 GSS-API library double-free
                 vulnerability

     A vulnerability exists in the way that the GSS-API library
     provided with MIT krb5 handles messages with an invalid direction
     encoding, resulting in a double free which may allow a remote,
     authenticated attacker to execute arbitrary code. Other server
     applications that utilize the RPC library or the GSS-API library
     provided with MIT Kerberos may also be affected. This
     vulnerability can be triggered by sending a specially crafted
     Kerberos message to a vulnerable system.


II. Impact

   In the case of VU#220816 a remote attacker could log on to the
   system via telnet and gain elevated privileges.

   In the case of VU#704024 and VU#419344, a remote, authenticated
   attacker may be able to execute arbitrary code on KDCs, systems
   running kadmind, and application servers that use the RPC or
   GSS-API libraries. An attacker could also cause a denial of service
   on any of these systems. As a secondary impact, either one of these
   vulnerabilities could result in the compromise of both the KDC and
   an entire Kerberos realm.


III. Solution

   Check with your vendors for patches or updates. For information
   about a vendor, please see the systems affected section in the
   individual vulnerability notes or contact your vendor directly.

   Alternatively, apply the appropriate source code patches referenced
   in MITKRB5-SA-2007-001, MITKRB5-SA-2007-002, and
   MITKRB5-SA-2007-003 and recompile.

   These vulnerabilities will also be addressed in krb5-1.6.1.


IV. References

     * US-CERT Vulnerability Note VU#220816 -
       <http://www.kb.cert.org/vuls/id/220816>

     * US-CERT Vulnerability Note VU#704024 -
       <http://www.kb.cert.org/vuls/id/704024>

     * US-CERT Vulnerability Note VU#419344 -
       <http://www.kb.cert.org/vuls/id/419344>

     * MIT krb5 Security Advisory 2007-001 -
       <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-001-telnetd.txt>

     * MIT krb5 Security Advisory 2007-002 -
       <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002-syslog.txt>

     * MIT krb5 Security Advisory 2007-003 -
       <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-003.txt>


 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA07-093B.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA07-093B Feedback VU#202816" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2007 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   April 03, 2007: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRhLoz+xOF3G+ig+rAQKUCwgArJjoYEKXFOd5SEpKJSaZGh+bRkOCe8PO
y/wKWTdHFcRBnIAsw9g5d92czxhF37nNtX7Y2UsJ5k59OGNu+t9pTea7FeSegAUA
zxmA9NcU/hnRubV1n6f7hDMefW1PT//olPOCLlqDxZuQrzza8jm1XPWtXqEFI0U6
xWODIcC2SJ3lref3rhuRyA1KHsT+WjgSwduMm7xg8cRRcoXGgMFUN1/nwBszJfvC
U+joiJlB5dsyiXtL657N4YmsGxQfcpe5nxRsMSsxwOxJxEmFHdkN29b66BMFNrfa
NDOINNgrkvaKyVKG4fCa3ie1BnNdXPpc8txzQ6b4rv+n9Ph91N+yOw==
=CH5D
-----END PGP SIGNATURE-----