Bug 62417

Description Matthias Geerdsen (RETIRED) 2004-08-31 12:47:10 UTC

Find following the beginning of the two advisories published today, a Debian security announcement has been made too. Patches are available in the original advisories.

1) http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt

                MIT krb5 Security Advisory 2004-003

Original release: 2004-08-31

Topic: ASN.1 decoder denial of service

Severity: serious

SUMMARY
=======

The ASN.1 decoder library in the MIT Kerberos 5 distribution is
vulnerable to a denial-of-service attack causing an infinite loop in
the decoder.  The KDC is vulnerable to this attack.

IMPACT
======

* An unauthenticated remote attacker can cause a KDC or application
  server to hang inside an infinite loop.  [CAN-2004-0644]

* An attacker impersonating a legitimate KDC or application server may
  cause a client program to hang inside an infinite
  loop.  [CAN-2004-0644]

AFFECTED SOFTWARE
=================

* KDC software and applications from MIT Kerberos 5 releases
  krb5-1.2.2 through krb5-1.3.4.

* Applications using the MIT krb5 libraries from the above releases.

FIXES
=====

* The upcoming krb5-1.3.5 release will contain fixes for these
  problems.

* Apply the appropriate patch referenced below, and rebuild the software.

Patches available:

* Patch against krb5-1.3.4 (should apply to earlier krb5-1.3.x releases)

* Patch against krb5-1.2.8 (should apply to releases krb5-1.2.2
  through krb5-1.2.7 as well)

[...]

2) http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt

                MIT krb5 Security Advisory 2004-002

Original release: 2004-08-31

Topic: double-free vulnerabilities in KDC and libraries

Severity: CRITICAL

SUMMARY
=======

The MIT Kerberos 5 implementation's Key Distribution Center (KDC)
program contains a double-free vulnerability that potentially allows a
remote attacker to execute arbitrary code.  Compromise of a KDC host
compromises the security of the entire authentication realm served by
the KDC.  Additionally, double-free vulnerabilities exist in MIT
Kerberos 5 library code, making client programs and application
servers vulnerable.

Exploitation of double-free bugs is believed to be difficult.  No
exploits are known to exist for these vulnerabilities.

IMPACT
======

* A unauthenticated remote attacker can potentially execute arbitrary
  code on a KDC host, compromising an entire Kerberos
  realm. [CAN-2004-0642]

* A remote attacker can potentially execute arbitrary code on a host
  running krb524d, possibly compromising an entire Kerberos realm if
  the host is a KDC host. [CAN-2004-0772]

* An authenticated attacker can also potentially execute arbitrary
  code on hosts running vulnerable services. [CAN-2004-0643]

* An attacker impersonating a legitimate KDC or application server can
  potentially execute arbitrary code on a client host while the client
  is authenticating. [CAN-2004-0642]

AFFECTED SOFTWARE
=================

* KDC software from all releases of MIT Kerberos 5 up to and including
  krb5-1.3.4. [CAN-2004-0642]

* The krb524d program from krb5-1.2.8 and later.  The krb524d present
  in earlier releases is vulnerable if it has been patched to disable
  krb4 cross-realm functionality. [CAN-2004-0772]

* Applications calling the krb5_rd_cred() function in releases prior
  to krb5-1.3.2.  Such applications in the MIT krb5 releases include
  the remote login daemons (krshd, klogind, and telnetd) and the FTP
  daemon. The krb5_rd_cred() function decrypts and decodes forwarded
  Kerberos credentials.  Third-party applications calling this
  function directly or indirectly (by means of the GSSAPI or other
  libraries) are vulnerable. [CAN-2004-0643]

* Client code from all releases of MIT Kerberos 5 up to and including
  krb5-1.3.4.  Third-party applications directly or indirectly calling
  client library functions may also be vulnerable. [CAN-2004-0642]

FIXES
=====

* The upcoming krb5-1.3.5 release will contain fixes for these
  problems.

* Apply the appropriate patch or patches referenced below, and rebuild
  the software.

  - If you are running krb5-1.3 through krb5-1.3.4, apply
    2004-002-patch_1.3.4.txt.

  - If you are running krb5-1.3 through krb5-1.3.1, apply
    2004-002-patch_1.3.1.txt.

  - If you are running krb5-1.2.8, apply
    2004-002-patch_1.2.8.txt.

  - Things become more complicated if you are running krb5-1.2 through
    krb5-1.2.7.  The correct set of patches to apply will depend on
    whether you have applied the patches to disable krb4 cross-realm
    functionality [MITKRB5-SA-2003-004].

    + If you are running krb5-1.2.6 through krb5-1.2.7, and have
      applied the patches to disable krb4 cross-realm functionality,
      apply 2004-002-patch_1.2.8.txt.

    + If you are running krb5-1.2 through krb5-1.2.5, and have applied
      the patches to disable krb4 cross-realm functionality, apply
      2004-002-patch_1.2.7.txt, followed by
      2004-002-k524d_patch_1.2.5.txt.

    + If you are running krb5-1.2 through krb5-1.2.7, and have not
      applied the patches to disable krb4 cross-realm functionality,
      apply 2004-002-patch_1.2.7.txt.

[...]