|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CERT Advisory CA-2000-11 MIT Kerberos Vulnerable to Denial-of-Service
Attacks
Original release date: June 9, 2000
Last revised: --
Source: The MIT Kerberos Team, CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Systems with MIT-derived implementations of the Kerberos 4 KDC
* Systems with MIT-derived implementations of the Kerberos 5 KDC
enabled to handle krb4 ticket requests
Overview
The CERT Coordination Center has recently been notified of several
potential buffer overflow vulnerabilities in the Kerberos
authentication software. The most severe vulnerability allows remote
intruders to disrupt normal operations of the Key Distribution Center
(KDC) if an attacker is able to send malformed requests to a realm's
key server.
MIT reports that the following versions are vulnerable to one or more
of these vulnerabilities:
* MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
* MIT Kerberos 4 patch 10, and probably earlier releases as well
* KerbNet (Cygnus implementation of Kerberos 5)
* Cygnus Network Security (CNS -- Cygnus implementation of Kerberos
4)
Other versions may be affected as well.
The vulnerabilities discussed in this advisory are different than the
ones discussed in CA-2000-06, Multiple Buffer Overflows in Kerberos
Authenticated Services. The primary difference is in the impact: the
new vulnerabilities do not appear to allow remote execution of
arbitrary code since the buffers being overrun are statically
declared. In addition, only Kerberos 4 and Kerberos 5 KDC servers that
can service version 4 ticket requests are affected by the buffer
overflows discussed here.
I. Description
There are at least five distinct vulnerabilities in various versions
and implementations of the Kerberos software. All of these
vulnerabilities may be exploited to effect denial-of-service attacks
with varying degrees of severity. These vulnerabilities include
* The buffer used to hold the variable lastrealm in the function
set_tgtkey() can be owerflowed.
* The buffer used to hold the variable localrealm in the function
process_v4() can be overflowed.
* The buffer to hold the variable e_msg in the function
kerb_err_reply() can be overflowed.
* The code that services AUTH_MSG_KDC_REQUESTs does not properly check
for null-termination.
* Memory that has previously been freed may be improperly freed again,
possibly resulting in unstable operation.
The MIT Kerberos Team Advisory
The MIT Kerberos Team described these vulnerabilities in more detail
in an advisory they recently issued. This advisory is available at
http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
II. Impact
Depending on the version of kerberos, the environment in which its
running, and the particular vulnerability that is exploited, a remote
attacker can cause one or more of the following:
* The KDC to issue invalid tickets for all principles,
* The KDC to generate a "principal unknown" error, or
* The KDC process to crash.
Any new authentications to kerberized services will not be possible
until the KDC is restarted. Note that this implies that operation of
"kerberized" services will be halted until the KDC is stopped.
It does not appear that any of these vulnerabilities allows the
execution of code by an intruder.
Additional detail can be found in the MIT advisory.
III. Solution
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory.
We will update the appendix as we receive more information. If you do
not see your vendor's name, the CERT/CC did not hear from that vendor.
Please contact your vendor directly.
Apply the MIT patches
If you are running a Kerberos distribution from MIT and can rebuild
your binaries from source, you can apply the source code patches from
MIT to correct these problems. These patches are available in the MIT
Advisory.
If you are running other MIT-derived implementations, you need to
apply the appropriate vendor patches and recompile the KDC server
software.
Disable Kerberos version 4 authentication in Kerberos version 5 if possible
As suggested by MIT, krb4 authentication in some daemons can be
disabled at run time by supplying command-line options to the KDC
server. Optionally, the krb5 distribution may be compiled with the
option '--without-krb4' to disable all krb4 ticket handling by
default.
Upgrade to MIT Kerberos 5 version 1.2
The vulnerabilities described in this advisory will be addressed in
Kerberos 5 version 1.2. This version will be available from the MIT
Kerberos web site:
http://web.mit.edu/kerberos/www/
Appendix A. Vendor Information
MIT Kerberos
The MIT Kerberos Team advisory on this topic is available from:
http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
BSDI
BSDI is working on a patch for this problem and will announce it via
our normal channels as soon as it is available.
NetBSD
Versions of kerberos which have been integrated into released versions
of NetBSD and distributed as part of the optional, not-for-export
"secr" sets are vulnerable to some of the problems cited in the
advisory. Integration of the fixes is in progress and will be
announced in a NetBSD security advisory when complete.
University of Washington
[...] we don't distribute client or server binaries with MIT Kerberos
support.
We distribute source that allows building on UNIX and PC with MIT
Kerberos. A site which wants to use Kerberos must build our software
(e.g. Pine, imapd, ipop[23]d) locally in order to use MIT Kerberos.
I did not see anything in this alert that specifically indicates a
problem for [our] clients or servers. As with all other software built
with MIT Kerberos, it would be prudent for a site that uses our
software with MIT Kerberos to rebuild it with the patched version of
MIT Kerberos.
_________________________________________________________________
The CERT Coordination Center thanks Tom Yu and the MIT Kerberos Team
for notifying us about these problem and their help in developing this
advisory.
_________________________________________________________________
Jeff Havrilla was the primary author of the CERT/CC portions of this
document.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2000-11.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University, portions copyright MIT
University.
Revision History
June 9, 2000: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA+AwUBOUFiJVr9kb5qlZHQEQIUIQCXTUeGxhNzkNyK68SlBGfFBcKvRQCfV0SD
tkaHNO/JcqwISZps0WN6QGE=
=3mms
-----END PGP SIGNATURE-----
|
