
CERT-In Advisory CIAD-2008-16
Multiple Vulnerabilities in MIT Kerberos

Original issue date: March 20, 2008

Severity Rating: High

Systems Affected

•  MIT Kerberos 5 version 1.6.3 KDC and prior when krb4 support is compiled in and enabled
•  libgssrpc and kadmind, from krb5-1.4 through krb5-1.6.3
•  libgssrpc and kadmind, in krb5-1.2.2 and probably most other versions before 1.3, on systems where <unistd.h> does not define FD_SETSIZE.

Overview

Multiple vulnerabilities have been reported in Kerberos which could be exploited by a remote attacker to disclose potentially sensitive information, cause a DoS (Denial of Service), or potentially execute arbitrary code on the affected system.

Description

1. Double-free and uninitialized data vulnerabilities in krb5kdc (CVE-2008-0062, CVE-2008-0063)

A double-free vulnerability has been reported in the KDC in Kerberos 5 (krb5kdc). A global variable holding a pointer to the message to be sent back to the client is only set for two recognized krb4 message types; for other message types it keeps its previous (stale) value. A remote attacker could exploit this via specially crafted messages that cause the stale pointer to be used (and freed) again in those additional cases, resulting in a denial of service or execution of arbitrary code.

The Kerberos 4 support in the KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message. Because the buffer is left uninitialized, a small window of previous stack values is interpreted as message content, and some of that "content" may be returned to the attacker as part of an error response.

By default, Kerberos 4 support is compiled in but not enabled in recent versions.

2. Vulnerabilities in RPC library server code used in the kadmin server (CVE-2008-0947, CVE-2008-0948)

A buffer overflow vulnerability has been reported in the RPC library used by libgssrpc and kadmind in MIT Kerberos 5 (krb5), which could allow a remote attacker to execute arbitrary code by triggering a large number of open file descriptors.

A buffer overflow in the RPC library (lib/rpc/rpc_dtablesize.c) used by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.2.2, and probably other versions before 1.3, when running on systems whose unistd.h header does not define the FD_SETSIZE macro, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering a large number of open file descriptors.

Workaround

  • Before starting kadmind, use "ulimit -n" for the Bourne shell and derivatives, "limit descriptors" for the C shell and derivatives, or a similar resource-limiting mechanism in the invoking process to cap the maximum number of open file descriptors. The chosen limit should be less than or equal to the value of the FD_SETSIZE macro, typically defined in the <sys/select.h> header file.
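The following is an added illustration, not code from MIT Kerberos, of why the workaround ties the descriptor limit to FD_SETSIZE: a descriptor-table size taken from the process limit (here via sysconf(_SC_OPEN_MAX), assumed to stand in for the getdtablesize()-style sizing the advisory describes) can exceed what an fd_set holds, and the defensive clamp that removes that risk.

```c
/* Added example (not MIT's code). Shows the hazard behind CVE-2008-0947/0948:
 * an fd_set holds exactly FD_SETSIZE bits, so any descriptor number >= FD_SETSIZE
 * passed to FD_SET()/FD_ISSET() touches memory beyond the set. If a server sizes
 * its tables from the process descriptor limit instead of FD_SETSIZE, raising
 * "ulimit -n" above FD_SETSIZE is what exposes it; the clamp below prevents it. */
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Descriptor limit of the current process (assumed stand-in for the unclamped
 * table size the vulnerable code used). With "ulimit -n 4096" this returns 4096,
 * while FD_SETSIZE is commonly 1024. */
int raw_dtablesize(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    return n < 0 ? FD_SETSIZE : (int)n;
}

/* Hardened sizing: never let the table exceed what an fd_set can represent. */
int safe_dtablesize(void)
{
    int n = raw_dtablesize();
    return n > FD_SETSIZE ? FD_SETSIZE : n;
}

/* Guard to apply before every FD_SET(): 1 if fd lies inside the set, else 0. */
int fd_fits_in_set(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Audit check for the workaround: 1 if the current limit is above FD_SETSIZE,
 * i.e. the invoking shell should lower "ulimit -n" before starting kadmind. */
int limit_exceeds_fd_setsize(void)
{
    return raw_dtablesize() > FD_SETSIZE;
}

int main(void)
{
    printf("FD_SETSIZE=%d limit=%d clamped=%d lower_ulimit=%s\n",
           (int)FD_SETSIZE, raw_dtablesize(), safe_dtablesize(),
           limit_exceeds_fd_setsize() ? "yes" : "no");
    return 0;
}
```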

Solution

Apply the patches provided by the vendor:

http://web.mit.edu/kerberos/advisories/2008-001-patch.txt

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2008-002.txt

Vendor Information

MIT Kerberos

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2008-001.txt

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2008-002.txt

References

US-CERT VU#895609:
http://www.kb.cert.org/vuls/id/895609

US-CERT VU#374121:
http://www.kb.cert.org/vuls/id/374121

Secunia:
http://secunia.com/advisories/28758/

CVE-Name
CVE-2008-0062
CVE-2008-0063
CVE-2008-0947
CVE-2008-0948

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003