COMMAND

kerberos

SYSTEMS AFFECTED

KRB4 KDC

PROBLEM

Tom Yu found the following. A buffer overrun capable of creating a denial of service exists in implementations of Kerberos 4 KDC programs. This is IN ADDITION to the krb_rd_req() vulnerability that was previously announced. Many Kerberos 4 KDC implementations derived from MIT sources are believed to be vulnerable.

Another denial of service vulnerability exists in the krb5-1.1.x KDC implementations (and krb5-1.2-beta1, but not krb5-1.0.x) that can cause the Kerberos 4 compatibility code to perform a double-free, possibly resulting in a crash of the KDC process.

A remote user may be able to cause the KDC to issue bogus tickets, or to return an error of the form "principal unknown" for all principals, necessitating a restart of the KDC to resume proper operation. A remote user may also be able to cause a krb5-1.1.x KDC to experience a segmentation violation or malloc pool corruption, causing the KDC process to crash.

A static buffer can be overrun by corrupt requests sent to a KDC process. It is believed that this overrun does not lead to a root compromise, but it can lead to a denial of service by corrupting long-term state in the KDC process.

The krb5-1.1.x KDC contains, in its Kerberos 4 compatibility mode, some code which tickles a memory management bug in the library. This can result in a double-free of memory and corruption of the malloc pool, possibly leading to a crash of the KDC. Whether or not a crash occurs depends on the idiosyncrasies of the malloc implementation used.
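The static-buffer overrun described above arises when NUL-terminated name fields from a request are copied into fixed-size KDC buffers without checking that the terminator lies inside the packet and that the field fits. The following is an added example, not code from MIT or any of the listed distributions: a bounds-checked extractor for the three name fields of a Kerberos 4 style request (field layout and the 40-byte limit are assumptions), which rejects a malformed or oversized request before any long-lived state can be touched.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field size limit, assumed for this example; the advisory gives no sizes. */
#define FIELD_MAX 40

struct kdc_req {
    char pname[FIELD_MAX];
    char pinst[FIELD_MAX];
    char realm[FIELD_MAX];
};

/* Copy one NUL-terminated string from pkt at *off into dst.
 * Returns -1 if the terminator is not inside the packet or the field
 * would not fit in dst, instead of running past dst the way an
 * unchecked strcpy() into a static buffer would. */
static int get_field(const unsigned char *pkt, size_t len, size_t *off,
                     char *dst, size_t dstlen)
{
    size_t i = *off, n;
    while (i < len && pkt[i] != '\0')
        i++;
    if (i == len)          /* no terminator inside the packet */
        return -1;
    n = i - *off;          /* bytes before the NUL */
    if (n >= dstlen)       /* would overflow dst (need room for the NUL) */
        return -1;
    memcpy(dst, pkt + *off, n);
    dst[n] = '\0';
    *off = i + 1;
    return 0;
}

/* Parse pname, pinst and realm from a request body (layout assumed).
 * Returns 0 on success, -1 on a malformed or oversized request. */
int parse_kdc_request(const unsigned char *pkt, size_t len, struct kdc_req *r)
{
    size_t off = 0;
    memset(r, 0, sizeof *r);
    if (get_field(pkt, len, &off, r->pname, sizeof r->pname) < 0) return -1;
    if (get_field(pkt, len, &off, r->pinst, sizeof r->pinst) < 0) return -1;
    if (get_field(pkt, len, &off, r->realm, sizeof r->realm) < 0) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample bodies: a well-formed one and an unterminated one. */
    static const unsigned char good[] = "alice\0admin\0EXAMPLE.REALM\0";
    unsigned char bad[128];
    struct kdc_req r;
    memset(bad, 'A', sizeof bad);
    printf("good: %d\n", parse_kdc_request(good, sizeof good - 1, &r));
    printf("bad:  %d\n", parse_kdc_request(bad, sizeof bad, &r));
    return 0;
}
```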
Source distributions which may contain vulnerable code include:

- MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
- MIT Kerberos 4 patch 10, and probably earlier releases as well
- KerbNet (Cygnus implementation of Kerberos 5)
- Cygnus Network Security (CNS -- Cygnus implementation of Kerberos 4)
- KTH-krb4 before version 0.10

Source distributions that are believed not to be vulnerable include:

- KTH-krb4 -- version 0.10 and above
- Heimdal (KTH implementation of Kerberos 5) -- any version

SOLUTION

The best course of action is to patch your KDC. If you have not done so already, install the patches to deal with the krb_rd_req() vulnerability that was previously announced. Patches and the original announcement may be found at:

http://web.mit.edu/kerberos/www/advisories/index.html

MIT will release krb5-1.2, which will have these changes incorporated. The krb5-1.2-beta1 release does not have this fix, though the upcoming krb5-1.2-beta2 release, tentatively scheduled for the week of June 5, will. The two recent beta patch releases, krb5-1.0.7-beta2 and krb5-1.1.2-beta1, which were intended to fix the krb4 buffer overrun problems, have not been patched for this problem yet.

For FreeBSD, upgrade your vulnerable FreeBSD 3.x system to a version of FreeBSD dated after the correction date (FreeBSD 3.5-STABLE dated after the correction date, 4.0-RELEASE or 4.0-STABLE). The correction date is 2000-07-12. Be sure to install the Kerberos code when performing an upgrade (whether by source or by a binary upgrade) to ensure that the old binaries are no longer present on the system.