From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050519 Netscape/8.0.1

Description of problem:

(9) MODERATE: MIT Kerberos Multiple Vulnerabilities

Affected:
  MIT Kerberos releases krb5-1.4.1 and prior
  kpropd daemon in releases krb5-1.4.1 and prior
  klogind and krshd daemons in releases krb5-1.4.1 and prior
  Any programs that invoke the krb5_recvauth function

Description: Kerberos, a network protocol created at MIT, is used to provide strong authentication for client/server applications. The MIT Kerberos implementation is widely used by many network vendors and Linux/Unix flavors.

(a) The krb5_recvauth function, which processes an authentication message stream, contains a double-free vulnerability, i.e. under certain conditions the function frees the same memory twice. This can potentially be exploited by an unauthenticated attacker to execute arbitrary code with the privileges of the program invoking the krb5_recvauth function. The main program that uses the vulnerable function is kpropd (Kerberos Propagation Daemon). This program runs on the slave Kerberos Key Distribution Centers (KDC) and receives updates from the Master KDC. Compromising kpropd may result in compromising the entire organization ("Kerberos realm"). Other programs that are known to use the vulnerable function are klogind and krshd, the kerberized versions of rlogin and rsh. Note that double-free memory bugs are generally harder to leverage to execute arbitrary code, and the exploit code tends to be platform dependent (as opposed to being universal). Hence, widespread exploitation of this flaw is less probable.

(b) The KDC authenticates a client and provides the client with "tickets" that can be used to access other kerberized services. The KDC contains heap corruption and single-byte heap overflow vulnerabilities that may be exploited by an unauthenticated attacker to possibly execute arbitrary code on the KDC server or to cause a denial-of-service to the KDC server. A KDC server compromise can also result in compromising the entire organization ("Kerberos realm"). An attacker-controlled KDC server can be further used to compromise the Kerberos clients.

Exploit code is not currently available. The technical details required to leverage these flaws can be obtained by examining the patch files.

Status: MIT Kerberos krb5-1.4.2 will fix these vulnerabilities. Third party programs can be re-compiled with the patches provided in the advisories. A workaround for the krb5_recvauth overflow is to block the ports used by kpropd, klogind and krshd at the network perimeter, which are 754/tcp, 543/tcp and 544/tcp respectively.

Council Site Actions: Three of the reporting council sites responded to this item. Two of these sites have already patched their systems. One site is still evaluating their risk/exposure level and will patch if necessary. They said they block kpropd, klogind and krshd at their security perimeters.

References:
MIT Advisories
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt
CERT Advisories
http://www.kb.cert.org/vuls/id/623332
http://www.kb.cert.org/vuls/id/259798
http://www.kb.cert.org/vuls/id/885830
krb5_recvauth Function Reference
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/apis/krb5_recvauth.htm
Kerberos RFC
ftp://ftp.isi.edu/in-notes/rfc1510.txt
SecurityFocus BID
http://www.securityfocus.com/bid/14239

05.28.19 CVE: CAN-2005-1689
Platform: Cross Platform
Title: Kerberos 5 KRB5_Recvauth Remote Pre-Authentication Double-Free
Description: MIT Kerberos is a network authentication protocol. It is prone to a remote double-free issue that exists in the "recvauth_common()" helper function. The issue manifests when the "sendauth" version and "application" version strings that are received from a remote source are checked. MIT Kerberos versions 5.0 - 1.4.1 and earlier are affected.
Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt

05.28.20 CVE: CAN-2005-1175
Platform: Cross Platform
Title: MIT Kerberos 5 Key Distribution Center Remote Heap Overflow
Description: The MIT Kerberos 5 Key Distribution Center (KDC) implementation is affected by a remote single-byte heap overflow vulnerability due to insufficient boundary checks performed by the software before copying user-supplied data into sensitive process buffers. An attacker could leverage this issue to cause a denial of service condition or execute arbitrary code. MIT Kerberos 5 versions krb5-1.4.1 and earlier are vulnerable.
Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt

05.28.21 CVE: CAN-2005-1174
Platform: Cross Platform
Title: MIT Kerberos 5 Key Distribution Center Remote Denial of Service
Description: Kerberos is a network authentication protocol. The KDC is reported to be vulnerable to a denial of service issue. The issue arises when the application handles a principal name consisting of zero components. All MIT Kerberos 5 releases up to and including krb5-1.4.1 are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14240

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Additional info:
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.
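The advisory above gives a defender two concrete facts to act on: everything at krb5-1.4.1 or earlier needs the 1.4.2 fix, and until a host is upgraded the recvauth-using daemons can be shielded by blocking 754/tcp (kpropd), 543/tcp (klogind) and 544/tcp (krshd) at the perimeter. The following triage script is an added example, not part of the bug report or of MIT's code; the host inventory it works on is constructed for illustration, and the version parser assumes package strings of the form "krb5-X.Y.Z" or "X.Y.Z".

```python
"""Triage helper for the MIT Kerberos items above (added example, not MIT code).

Given an inventory of hosts with their krb5 version and open TCP ports, it
reports which hosts still need the krb5-1.4.2 upgrade and which of the
advisory's recvauth-related ports should be blocked at the perimeter on
those hosts in the meantime.
"""
import re
from dataclasses import dataclass

# "MIT Kerberos krb5-1.4.2 will fix these vulnerabilities"
FIXED_IN = (1, 4, 2)

# Ports named in the advisory's workaround for the krb5_recvauth issue.
RECVAUTH_PORTS = {754: "kpropd", 543: "klogind", 544: "krshd"}

# Accepts "krb5-1.4.1", "1.4.1" or a shorter "1.4"; an assumption about
# how the version is recorded in the inventory.
_VER_RE = re.compile(r"^(?:krb5-)?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(text):
    """'krb5-1.4.1' -> (1, 4, 1); missing trailing components count as 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised krb5 version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_vulnerable(version):
    """True for every release before the fixed krb5-1.4.2."""
    return parse_version(version) < FIXED_IN


@dataclass(frozen=True)
class Host:
    name: str
    krb5_version: str
    open_tcp_ports: frozenset


def triage(hosts):
    """Return {hostname: {"patch": bool, "block_ports": [exposed ports]}}.

    block_ports lists only the advisory's recvauth daemon ports that are
    open on a host that still runs a vulnerable release.
    """
    report = {}
    for h in hosts:
        vuln = is_vulnerable(h.krb5_version)
        exposed = sorted(p for p in h.open_tcp_ports if p in RECVAUTH_PORTS) if vuln else []
        report[h.name] = {"patch": vuln, "block_ports": exposed}
    return report


def firewall_rules(report):
    """Perimeter DROP rules (iptables syntax) for exposed daemons on vulnerable hosts."""
    lines = []
    for host, r in sorted(report.items()):
        for port in r["block_ports"]:
            lines.append(f"# {host}: {RECVAUTH_PORTS[port]} until upgraded to krb5-1.4.2")
            lines.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return lines


# Constructed inventory: hypothetical hosts, versions and open ports.
SAMPLE_HOSTS = [
    Host("kdc-slave1", "krb5-1.4.1", frozenset({22, 754})),
    Host("shell-gw", "1.3.6", frozenset({22, 543, 544})),
    Host("kdc-master", "krb5-1.4.2", frozenset({22, 754})),
]

if __name__ == "__main__":
    rep = triage(SAMPLE_HOSTS)
    for host, r in rep.items():
        print(host, r)
    print("\n".join(firewall_rules(rep)))
```

The port block is only a stop-gap: a host in the "patch" list stays on the list until its package string parses to 1.4.2 or later, and the rules are generated per host so that the kpropd slave and the rlogin/rsh gateway get only the rules they need.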