Bug 163833 - CAN-2005-1689, -117[45] MIT Kerberos Multiple Vulnerabilities
CAN-2005-1689, -117[45] MIT Kerberos Multiple Vulnerabilities
Status: CLOSED WONTFIX
Product: Fedora Legacy
Classification: Retired
Component: krb5 (Show other bugs)
rhl7.3
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://www.securityfocus.com/bid/14239
:
Depends On:
Blocks: 163805
  Show dependency treegraph
 
Reported: 2005-07-21 10:35 EDT by John Dalbec
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-30 15:57:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Dalbec 2005-07-21 10:35:55 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050519 Netscape/8.0.1

Description of problem:
(9) MODERATE: MIT Kerberos Multiple Vulnerabilities
Affected:
MIT Kerberos releases krb5-1.4.1 and prior
kpropd daemon in releases krb5-1.4.1 and prior
klogind and krshd daemons in releases krb5-1.4.1 and prior
Any programs that invoke the krb5_recvauth function

Description:  Kerberos, a network protocol created at MIT, is used to
provide strong authentication for client/server applications. The MIT
Kerberos implementation is widely used by many network vendors and
Linux/Unix flavors.

(a) The krb5_recvauth function, which processes an authentication
message stream, contains a double-free vulnerability i.e. under certain
conditions, the function frees the same memory twice. This can be
potentially exploited by an unauthenticated attacker to execute
arbitrary code with the privileges of the program invoking the
krb5_recvauth function. The main program that uses the vulnerable
function is kpropd (Kerberos Propagation Daemon). This program runs on
the slave Kerberos Key Distribution Centers (KDC) and receives updates
from the Master KDC. Compromising kpropd may result in compromising the
entire organization ("Kerberos realm"). Other programs that are known
to use the vulnerable function are: klogind and krshd, the kerberized
versions of rlogin and rsh. Note that the double free memory bugs are
generally harder to leverage to execute arbitrary code, and the exploit
code tends to be platform dependent (as opposed to be universal). Hence,
a widespread exploitation of this flaw is less probable.

(b) The KDC authenticates a client, and provides the client with
"tickets" that can be used to access other kerberized services. The KDC
contains heap corruption and single byte heap overflow vulnerabilities
that may be exploited by an unauthenticated attacker to possibly execute
arbitrary code on the KDC server or to cause a denial-of service to the
KDC server. The KDC server compromise can also result in compromising
the entire organization ("Kerberos realm"). An attacker controlled KDC
server can be further used to compromise the Kerberos clients.  Exploit
code is not currently available. The technical details required to
leverage these flaws can be obtained by examining the patch files.

Status: MIT Kerberos krb5-1.4.2 will fix these vulnerabilities. Third
party programs can be re-compiled with the patches provided in the
advisories. A workaround for the krb5_recvauth overflow is to block the
ports used by kpropd, klogind and krshd at the network perimeter which
are 754/tcp, 543/tcp and 544/tcp respectively.

Council Site Actions: Three of the reporting council sites responded to
this item.  Two of these sites have already patched their systems. One
site is still evaluating their risk/exposure level and will patch if
necessary. They said they block kpropd, klogind and krshd at their
security perimeters.

References:
MIT Advisories
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt 
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt  
CERT Advisories
http://www.kb.cert.org/vuls/id/623332  
http://www.kb.cert.org/vuls/id/259798 
http://www.kb.cert.org/vuls/id/885830  
krb5_recvauth Function Reference
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/apis/krb5_recvauth.htm 
Kerberos RFC
ftp://ftp.isi.edu/in-notes/rfc1510.txt  
SecurityFocus BID
http://www.securityfocus.com/bid/14239 

05.28.19 CVE: CAN-2005-1689
Platform: Cross Platform
Title: Kerberos 5 KRB5_Recvauth Remote Pre-Authentication Double-Free
Description: MIT Kerberos is a network authentication protocol. It is
prone to a remote double-free issue that exists in the
"revcauth_common()" helper function. The issue manifests when the
"sendauth" version and "application" version strings that are received
from a remote source are checked. MIT Kerberos versions 5.0 -1.4.1 and
earlier are affected.
Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt 

05.28.20 CVE: CAN-2005-1175
Platform: Cross Platform
Title: MIT Kerberos 5 Key Distribution Center Remote Heap Overflow
Description: MIT Kerberos 5 Key Distribution Center (KDC)
implementation is affected by a remote single-byte heap overflow
vulnerability due to insufficient boundary checks performed by the
software before copying user-supplied data into sensitive process
buffers. An attacker could leverage this issue to cause a denial of
service condition or execute arbitrary code. MIT Kerberos 5 versions
krb5-1.4.1 and earlier are vulnerable.
Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt 

05.28.21 CVE: CAN-2005-1174
Platform: Cross Platform
Title: MIT Kerberos 5 Key Distribution Center Remote Denial of Service
Description: Kerberos is a network authentication protocol. KDC is
reported to be vulnerable to a denial of service issue due. The issue
arises when the application handles a principle name consisting of
zero components. All MIT Kerberos 5 releases up to and including
krb5-1.4.1 are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14240 

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:
Comment 1 Jesse Keating 2007-08-30 15:57:18 EDT
Fedora Legacy project has ended.  These will not be fixed by Fedora Legacy.

Note You need to log in before you can comment on or make changes to this bug.