Severity: CRITICAL SUMMARY ======= The krb5_recvauth() function can free previously freed memory under some error conditions. This vulnerability may allow an unauthenticated remote attacker to execute arbitrary code. Exploitation of this vulnerability on a Kerberos Key Distribution Center (KDC) host can result in compromise of an entire Kerberos realm. No exploit code is known to exist at this time. Exploitation of double-free vulnerabilities is believed to be difficult. [CAN-2005-1689] IMPACT ====== An unauthenticated attacker may be able to execute arbitrary code in the context of a program calling krb5_recvauth(). This includes the kpropd program which typically runs on slave Key Distribution Center (KDC) hosts, potentially leading to compromise of an entire Kerberos realm. Other vulnerable programs which call krb5_recvauth() are usually remote login programs running with root privileges. Unsuccessful attempts at exploitation may result in denial of service by crashing the target program. AFFECTED SOFTWARE ================= * The kpropd daemon in all releases of MIT krb5, up to and including krb5-1.4.1, is vulnerable. * The klogind and krshd remote-login daemons in all releases of MIT krb5, up to and including krb5-1.4.1, is vulnerable. * Third-party application programs which call krb5-recvauth() are also vulnerable. FIXES ===== * Apply the following patch. This patch was generated against the krb5-1.4.1 release. It may apply, with some offset, to earlier releases. The patch may also be found at: http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt The associated detached PGP signature is at: http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc Index: lib/krb5/krb/recvauth.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v retrieving revision 5.38 diff -c -r5.38 recvauth.c *** lib/krb5/krb/recvauth.c 3 Sep 2002 01:13:47 -0000 5.38 --- lib/krb5/krb/recvauth.c 23 May 2005 23:19:15 -0000 *************** *** 76,82 **** if ((retval = krb5_read_message(context, fd, &inbuf))) return(retval); if (strcmp(inbuf.data, sendauth_version)) { - krb5_xfree(inbuf.data); problem = KRB5_SENDAUTH_BADAUTHVERS; } krb5_xfree(inbuf.data); --- 76,81 ---- *************** *** 90,96 **** if ((retval = krb5_read_message(context, fd, &inbuf))) return(retval); if (appl_version && strcmp(inbuf.data, appl_version)) { - krb5_xfree(inbuf.data); if (!problem) problem = KRB5_SENDAUTH_BADAPPLVERS; } --- 89,94 ----
This issue probably also affects RHEL2.1 and RHEL3
Nalin, If you feel this issue isn't worthy of a critical severity rating, let me know. My limited knowledge of krb5 leads me to believe this is a very serious issue.
Public at http://web.mit.edu/kerberos/www/advisories/ - removing embargo
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-562.html