CLA-2004:860

20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos)

RHSA-2004:350

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt

DSA-543

GLSA-200409-09

VU#550464

11079

2004-0045

TA04-247A

kerberos-asn1-library-dos(17160)

oval:org.mitre.oval:def:10014

oval:org.mitre.oval:def:2139

An advisory published by the MIT Kerberos team says :

The ASN.1 decoder library in the MIT Kerberos 5 distribution is vulnerable to a denial-of-service attack causing an infinite loop in the decoder. The KDC is vulnerable to this attack.

An unauthenticated remote attacker can cause a KDC or application server to hang inside an infinite loop.

An attacker impersonating a legitimate KDC or application server may cause a client program to hang inside an infinite loop.

The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs :

  - Apache
  - Apache2
  - AppKit
  - Cyrus IMAP
  - HIToolbox
  - Kerberos
  - Postfix
  - PSNormalizer
  - QuickTime Streaming Server
  - Safari
  - Terminal

These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.

The MIT Kerberos Development Team has discovered a number of vulnerabilities in the MIT Kerberos Version 5 software. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :

  - CAN-2004-0642 [VU#795632]     A double-free error may allow unauthenticated remote     attackers to execute arbitrary code on KDC or clients.

  - CAN-2004-0643 [VU#866472]

    Several double-free errors may allow authenticated     attackers to execute arbitrary code on Kerberos     application servers.

  - CAN-2004-0644 [VU#550464]

    A remotely exploitable denial of service vulnerability     has been found in the KDC and libraries.

  - CAN-2004-0772 [VU#350792]

    Several double-free errors may allow remote attackers to     execute arbitrary code on the server. This does not     affect the version in woody.

A double-free vulnerability exists in the MIT Kerberos 5's KDC program that could potentially allow a remote attacker to execute arbitrary code on the KDC host. As well, multiple double-free vulnerabilities exist in the krb5 library code, which makes client programs and application servers vulnerable. The MIT Kerberos 5 development team believes that exploitation of these bugs would be difficult and no known vulnerabilities are believed to exist. The vulnerability in krb524d was discovered by Marc Horowitz; the other double-free vulnerabilities were discovered by Will Fiveash and Nico Williams at Sun.

Will Fiveash and Nico Williams also found another vulnerability in the ASN.1 decoder library. This makes krb5 vulnerable to a DoS (Denial of Service) attack causing an infinite loop in the decoder. The KDC is vulnerable to this attack.

The MIT Kerberos 5 team has provided patches which have been applied to the updated software to fix these issues. Mandrakesoft encourages all users to upgrade immediately.

The remote host is affected by the vulnerability described in GLSA-200409-09 (MIT krb5: Multiple vulnerabilities)

    The implementation of the Key Distribution Center (KDC) and the MIT krb5     library contain double-free vulnerabilities, making client programs as well     as application servers vulnerable.
    The ASN.1 decoder library is vulnerable to a denial of service attack,     including the KDC.
  Impact :

    The double-free vulnerabilities could allow an attacker to execute     arbitrary code on a KDC host and hosts running krb524d or vulnerable     services. In the case of a KDC host, this can lead to a compromise of the     entire Kerberos realm. Furthermore, an attacker impersonating a legitimate     KDC or application server can potentially execute arbitrary code on     authenticating clients.
    An attacker can cause a denial of service for a KDC or application server     and clients, the latter if impersonating a legitimate KDC or application     server.
  Workaround :

    There is no known workaround at this time.

Updated Kerberos (krb5) packages that correct double-free and ASN.1 parsing bugs are now available for Red Hat Enterprise Linux.

Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other.

Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues.

A double-free bug was also found in the krb524 server (CVE-2004-0772), however this issue was fixed for Red Hat Enterprise Linux 2.1 users by a previous erratum, RHSA-2003:052.

An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue.

All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.

Updated krb5 packages that improve client responsiveness and fix several security issues are now available for Red Hat Enterprise Linux 3.

Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other.

Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues.

A double-free bug was also found in the krb524 server (CVE-2004-0772), however this issue does not affect Red Hat Enterprise Linux 3 Kerberos packages.

An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue.

When attempting to contact a KDC, the Kerberos libraries will iterate through the list of configured servers, attempting to contact each in turn. If one of the servers becomes unresponsive, the client will time out and contact the next configured server. When the library attempts to contact the next KDC, the entire process is repeated. For applications which must contact a KDC several times, the accumulated time spent waiting can become significant.

This update modifies the libraries, notes which server for a given realm last responded to a request, and attempts to contact that server first before contacting any of the other configured servers.

All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.

The following package needs to be updated: krb5

The remote host is running Kerberos 5.

There are multiple flaws that affect this product. Make sure you are running the latest version with the latest patches.

Note that Nessus could not check for any of the flaws and solely relied on the presence of the service to issue an alert, so this might be a false positive.

ID	Name	Product	Family	Severity
36731	FreeBSD : krb5 -- ASN.1 decoder denial-of-service vulnerability (bd60922b-fb8d-11d8-a13e-000a95bc6fae)	Nessus	FreeBSD Local Security Checks	medium
15898	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)	Nessus	MacOS X Local Security Checks	high
15380	Debian DSA-543-1 : krb5 - several vulnerabilities	Nessus	Debian Local Security Checks	high
14673	Mandrake Linux Security Advisory : krb5 (MDKSA-2004:088)	Nessus	Mandriva Local Security Checks	high
14666	GLSA-200409-09 : MIT krb5: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
14596	RHEL 2.1 : krb5 (RHSA-2004:448)	Nessus	Red Hat Local Security Checks	high
14595	RHEL 3 : krb5 (RHSA-2004:350)	Nessus	Red Hat Local Security Checks	high
14594	FreeBSD : krb5 -- ASN.1 decoder denial-of-service vulnerability (86)	Nessus	FreeBSD Local Security Checks	medium
11512	Kerberos 5 < 1.3.5 Multiple Vulnerabilities	Nessus	Misc.	high

CVE-2004-0644

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

medium

high

high

high

high

high

high

medium

high