MITKRB5-SA-2010-007 MIT krb5 Security Advisory 2010-007 Original release: 2010-11-30 Last update: 2010-11-30 Topic: Multiple checksum handling vulnerabilities CVE-2010-1324 * krb5 GSS-API applications may accept unkeyed checksums * krb5 application services may accept unkeyed PAC checksums * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:C/A:N/E:POC/RL:OF/RC:C CVSSv2 Base Score: 7.1 Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Complete Availability Impact: None CVSSv2 Temporal Score: 5.6 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed CVE-2010-1323 * krb5 clients may accept unkeyed SAM-2 challenge checksums * krb5 may accept KRB-SAFE checksums with low-entropy derived keys CVSSv2 Vector: AV:N/AC:H/Au:N/C:N/I:C/A:N/E:POC/RL:OF/RC:C CVSSv2 Base Score: 5.4 CVSSv2 Temporal Score: 4.2 CVE-2010-4020 * krb5 may accept authdata checksums with low-entropy derived keys CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C CVSSv2 Base Score: 3.5 CVSSv2 Temporal Score: 2.7 CVE-2010-4021 * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C CVSSv2 Base Score: 2.1 CVSSv2 Temporal Score: 1.6 See DETAILS for the expanded CVSSv2 metrics for CVE-2010-1323, CVE-2010-4020, and CVE-2010-4021. SUMMARY ======= These vulnerabilities are in the MIT implementation of Kerberos (krb5), but because these vulnerabilities arise from flaws in protocol handling logic, other implementations may also be vulnerable. CVE-2010-1324 MIT krb5 (releases krb-1.7 and newer) incorrectly accepts an unkeyed checksum with DES session keys for version 2 (RFC 4121) of the GSS-API krb5 mechanism. MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed checksum for PAC signatures. Running exclusively krb5-1.8 or newer KDCs blocks the attack. MIT krb5 KDC (releases krb5-1.7 and newer) incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying the req-checksum in a KrbFastArmoredReq. CVE-2010-1323 MIT krb5 clients (releases krb5-1.3 and newer) incorrectly accept an unkeyed checksums in the SAM-2 preauthentication challenge. MIT krb5 (releases krb5-1.3 and newer) incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying KRB-SAFE messages. CVE-2010-4020 MIT krb5 (releases krb5-1.8 and newer) incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH and AD-KDC-ISSUED authorization data. CVE-2010-4021 MIT krb5 KDC (release krb5-1.7 only) may issue tickets not requested by a client, based on an attacker-chosen KrbFastArmoredReq. IMPACT ====== CVE-2010-1324 An unauthenticated remote attacker can forge GSS tokens that are intended to be integrity-protected but unencrypted, if the targeted pre-existing application session uses a DES session key. An authenticated remote attacker can forge PACs if using a KDC that does not filter client-provided PAC data. This can result in privilege escalation against a service that relies on PAC contents to make authorization decisions. An unauthenticated remote attacker has a 1/256 chance of swapping a client-issued KrbFastReq into a different KDC-REQ, if the armor key is RC4. The consequences are believed to be minor. CVE-2010-1323 An unauthenticated remote attacker could alter a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. Under some circumstances, this can negate the incremental security benefit of using a single-use authentication mechanism token. An unauthenticated remote attacker has a 1/256 chance of forging KRB-SAFE messages in an application protocol if the targeted pre-existing session uses an RC4 session key. Few application protocols use KRB-SAFE messages. CVE-2010-4020 An authenticated remote attacker that controls a legitimate service principal has a 1/256 chance of forging the AD-SIGNEDPATH signature if the TGT key is RC4, allowing it to use self-generated "evidence" tickets for S4U2Proxy, instead of tickets obtained from the user or with S4U2Self. Configurations using RC4 for the TGT key are believed to be rare. An authenticated remote attacker has a 1/256 chance of forging AD-KDC-ISSUED signatures on authdata elements in tickets having an RC4 service key, resulting in privilege escalation against a service that relies on these signatures. There are no known uses of the KDC-ISSUED authdata container at this time. CVE-2010-4021 An authenticated remote attacker that controls a legitimate service principal could obtain a valid service ticket to itself containing valid KDC-generated authorization data for a client whose TGS-REQ it has intercepted. The attacker could then use this ticket for S4U2Proxy to impersonate the targeted client even if the client never authenticated to the subverted service. The vulnerable configuration is believed to be rare. AFFECTED SOFTWARE ================= CVE-2010-1324 Kerberos application client and server software (including third-party applications) using GSS-API libraries from MIT releases krb5-1.7 and newer are vulnerable to the DES GSS-API issue if they use GSS-API for integrity protection of unencrypted messages. Kerberos application server software (including third-party applications) using libraries from MIT releases krb5-1.7 and newer are vulnerable to the PAC issue. Deployments running exclusively KDCs from releases krb5-1.8 and newer are not vulnerable to the PAC issue because those KDCs discard client-provided PAC authdata. The MIT krb5 KDC in releases krb5-1.7 and newer is vulnerable to the KrbFastReq swapping issue. CVE-2010-1323 Initial credential acquisition clients (including kinit) in MIT releases krb5-1.3 and newer are vulnerable to the SAM-2 issue. Third-party applications that obtain initial Kerberos credentials using libraries from these releases are also vulnerable. Kerberos application client and server software (including third-party applications) using libraries from MIT releases krb5 krb5-1.3 and newer are vulnerable to the RC4 KRB-SAFE issue. CVE-2010-4020 The AD-SIGNEDPATH issue affects the KDC in releases krb5-1.8 and newer. Kerberos application server software (including third-party applications) using libraries from MIT releases krb5-1.8 and newer are vulnerable to the AD-KDC-ISSUED problem. Deployments running exclusively KDCs from releases krb5-1.8 and newer discard client-provided AD-KDC-ISSUED authdata and are not vulnerable to this issue. CVE-2010-4021 The KDC from release krb5-1.7 only is vulnerable to the KrbFastReq forgery issue. FIXES ===== * Upcoming releases in the krb5-1.8 and krb5-1.7 series will contain fixes for these issues. * The patches for this advisory do not cover CVE-2010-4021, which is a minor issue already corrected in krb5-1.7.1. A patch for the krb5-1.8 series is available at http://web.mit.edu/kerberos/advisories/2010-007-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2010-007-patch.txt.asc A patch for the krb5-1.7 series is available at http://web.mit.edu/kerberos/advisories/2010-007-patch-r17.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2010-007-patch-r17.txt.asc A patch for the krb5-1.6 series is available at http://web.mit.edu/kerberos/advisories/2010-007-patch-r16.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2010-007-patch-r16.txt.asc A patch for the krb5-1.5 series is available at http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt.asc Reproducible: Always
*mit-krb5-1.8.3-r2 (01 Dec 2010) 01 Dec 2010; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r2.ebuild, +files/CVE-2010-1323.1324.4020.patch, +files/mit-krb5_testsuite.patch: Security bump. Working test suite with test USE flag.
Thank you, Eray. Arches, please test and mark stable: =app-crypt/mit-krb5-1.8.3-r2 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
amd64 ok
amd64 done. Thanks Agostino
x86 stable
Stable for HPPA.
Stable for PPC.
alpha/arm/ia64/m68k/s390/sh/sparc stable
ppc64 done
Thanks, folks. GLSA Vote: Yes.
Added to pending GLSA request.
CVE-2010-4021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4021): The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 does not properly restrict the use of TGT credentials for armoring TGS requests, which might allow remote authenticated users to impersonate a client by rewriting an inner request, aka a "KrbFastReq forgery issue." CVE-2010-4020 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4020): MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations. CVE-2010-1324 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1324): MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to forge GSS tokens, gain privileges, or have unspecified other impact via (1) an unkeyed checksum, (2) an unkeyed PAC checksum, or (3) a KrbFastArmoredReq checksum based on an RC4 key. CVE-2010-1323 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1323): MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys.
This issue was resolved and addressed in GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml by GLSA coordinator Sean Amoss (ackle).