The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values."

From Red Hat Security Advisory 2008:0181 :

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 and 3.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding 'v4_mode=none' (without the quotes) to the '[kdcdefaults]' section of /var/kerberos/krb5kdc/kdc.conf.

A flaw was found in the RPC library used by the MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 2.1 or 3. (CVE-2008-0948)

Red Hat would like to thank MIT for reporting these issues.

All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues.

From Red Hat Security Advisory 2008:0180 :

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding 'v4_mode=none' (without the quotes) to the '[kdcdefaults]' section of /var/kerberos/krb5kdc/kdc.conf.

Red Hat would like to thank MIT for reporting these issues.

A double-free flaw was discovered in the GSSAPI library used by MIT Kerberos. This flaw could possibly cause a crash of the application using the GSSAPI library. (CVE-2007-5971)

All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues.

From Red Hat Security Advisory 2008:0164 :

Updated krb5 packages that resolve several issues and fix multiple bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding 'v4_mode=none' (without the quotes) to the '[kdcdefaults]' section of /var/kerberos/krb5kdc/kdc.conf.

Jeff Altman of Secure Endpoints discovered a flaw in the RPC library as used by MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind or possibly execute arbitrary code. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 5. (CVE-2008-0947)

Red Hat would like to thank MIT for reporting these issues.

Multiple memory management flaws were discovered in the GSSAPI library used by MIT Kerberos. These flaws could possibly result in use of already freed memory or an attempt to free already freed memory blocks (double-free flaw), possibly causing a crash or arbitrary code execution. (CVE-2007-5901, CVE-2007-5971)

In addition to the security issues resolved above, the following bugs were also fixed :

* delegated krb5 credentials were not properly stored when SPNEGO was the underlying mechanism during GSSAPI authentication. Consequently, applications attempting to copy delegated Kerberos 5 credentials into a credential cache received an 'Invalid credential was supplied' message rather than a copy of the delegated credentials. With this update, SPNEGO credentials can be properly searched, allowing applications to copy delegated credentials as expected.

* applications can initiate context acceptance (via gss_accept_sec_context) without passing a ret_flags value that would indicate that credentials were delegated. A delegated credential handle should have been returned in such instances. This updated package adds a temp_ret_flag that stores the credential status in the event no other ret_flags value is passed by an application calling gss_accept_sec_context.

* kpasswd did not fallback to TCP on receipt of certain errors, or when a packet was too big for UDP. This update corrects this.

* when the libkrb5 password-routine generated a set-password or change-password request, incorrect sequence numbers were generated for all requests subsequent to the first request. This caused password change requests to fail if the primary server was unavailable. This updated package corrects this by saving the sequence number value after the AP-REQ data is built and restoring this value before the request is generated.

* when a user's password expired, kinit would not prompt that user to change the password, instead simply informing the user their password had expired. This update corrects this behavior: kinit now prompts for a new password to be set when a password has expired.

All krb5 users are advised to upgrade to these updated packages, which contain backported fixes to address these vulnerabilities and fix these bugs.

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4.5 Extended Update Support.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding 'v4_mode=none' (without the quotes) to the '[kdcdefaults]' section of /var/kerberos/krb5kdc/kdc.conf.

Red Hat would like to thank MIT for reporting these issues.

All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Scientific Linux 4. Kerberos v4 protocol support can be disabled by adding 'v4_mode=none' (without the quotes) to the '[kdcdefaults]' section of /var/kerberos/krb5kdc/kdc.conf.

SL 3x only: A flaw was found in the RPC library used by the MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Scientific Linux 3. (CVE-2008-0948)

SL 4x and 5x only: Multiple memory management flaws were discovered in the GSSAPI library used by MIT Kerberos. These flaws could possibly result in use of already freed memory or an attempt to free already freed memory blocks (double-free flaw), possibly causing a crash or arbitrary code execution. (CVE-2007-5901, CVE-2007-5971)

SL 5x only: Jeff Altman of Secure Endpoints discovered a flaw in the RPC library as used by MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind or possibly execute arbitrary code. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 5. (CVE-2008-0947)

Updated krb5 packages that resolve several issues and fix multiple bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding 'v4_mode=none' (without the quotes) to the '[kdcdefaults]' section of /var/kerberos/krb5kdc/kdc.conf.

Jeff Altman of Secure Endpoints discovered a flaw in the RPC library as used by MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind or possibly execute arbitrary code. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 5. (CVE-2008-0947)

Red Hat would like to thank MIT for reporting these issues.

Multiple memory management flaws were discovered in the GSSAPI library used by MIT Kerberos. These flaws could possibly result in use of already freed memory or an attempt to free already freed memory blocks (double-free flaw), possibly causing a crash or arbitrary code execution. (CVE-2007-5901, CVE-2007-5971)

In addition to the security issues resolved above, the following bugs were also fixed :

* delegated krb5 credentials were not properly stored when SPNEGO was the underlying mechanism during GSSAPI authentication. Consequently, applications attempting to copy delegated Kerberos 5 credentials into a credential cache received an 'Invalid credential was supplied' message rather than a copy of the delegated credentials. With this update, SPNEGO credentials can be properly searched, allowing applications to copy delegated credentials as expected.

* applications can initiate context acceptance (via gss_accept_sec_context) without passing a ret_flags value that would indicate that credentials were delegated. A delegated credential handle should have been returned in such instances. This updated package adds a temp_ret_flag that stores the credential status in the event no other ret_flags value is passed by an application calling gss_accept_sec_context.

* kpasswd did not fallback to TCP on receipt of certain errors, or when a packet was too big for UDP. This update corrects this.

* when the libkrb5 password-routine generated a set-password or change-password request, incorrect sequence numbers were generated for all requests subsequent to the first request. This caused password change requests to fail if the primary server was unavailable. This updated package corrects this by saving the sequence number value after the AP-REQ data is built and restoring this value before the request is generated.

* when a user's password expired, kinit would not prompt that user to change the password, instead simply informing the user their password had expired. This update corrects this behavior: kinit now prompts for a new password to be set when a password has expired.

All krb5 users are advised to upgrade to these updated packages, which contain backported fixes to address these vulnerabilities and fix these bugs.

a. VMware Tools Local Privilege Escalation on Windows-based guest OS

   The VMware Tools Package provides support required for shared folders    (HGFS) and other features.

   An input validation error is present in the Windows-based VMware    HGFS.sys driver.   Exploitation of this flaw might result in    arbitrary code execution on the guest system by an unprivileged    guest user.  It doesn't matter on what host the Windows guest OS    is running, as this is a guest driver vulnerability and not a    vulnerability on the host.

   The HGFS.sys driver is present in the guest operating system if the    VMware Tools package is loaded.  Even if the host has HGFS disabled    and has no shared folders, Windows-based guests may be affected. This    is regardless if a host supports HGFS.

   This issue could be mitigated by removing the VMware Tools package    from Windows based guests.  However this is not recommended as it    would impact usability of the product.

   NOTE: Installing the new hosted release or ESX patches will not          remediate the issue.  The VMware Tools packages will need          to be updated on each Windows-based guest followed by a          reboot of the guest system.

   VMware would like to thank iDefense and Stephen Fewer of Harmony    Security for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2007-5671 to this issue.

b. Privilege escalation on ESX or Linux based hosted operating systems

   This update fixes a security issue related to local exploitation of    an untrusted library path vulnerability in vmware-authd. In order to    exploit this vulnerability, an attacker must have local access and    the ability to execute the set-uid vmware-authd binary on an affected    system. Exploitation of this flaw might result in arbitrary code    execution on the Linux host system by an unprivileged user.

   VMware would like to thank iDefense for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-0967 to this issue.

c. Openwsman Invalid Content-Length Vulnerability

   Openwsman is a system management platform that implements the Web    Services Management protocol (WS-Management). It is installed and    running by default. It is used in the VMware Management Service    Console and in ESXi.

   The openwsman management service on ESX 3.5 and ESXi 3.5 is vulnerable    to a privilege escalation vulnerability, which may allow users with    non-privileged ESX or Virtual Center accounts to gain root privileges.

   To exploit this vulnerability, an attacker would need a local ESX    account or a VirtualCenter account with the Host.Cim.CimInteraction    permission.

   Systems with no local ESX accounts and no VirtualCenter accounts with    the Host.Cim.CimInteraction permission are not vulnerable.

   This vulnerability cannot be exploited by users without valid login    credentials.

   Discovery: Alexander Sotirov, VMware Security Research

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-2097 to this issue.

d. VMware VIX Application Programming Interface (API) Memory Overflow    Vulnerabilities

   The VIX API (also known as 'Vix') is an API that lets users write scripts    and programs to manipulate virtual machines.

   Multiple buffer overflow vulnerabilities are present in the VIX API.
   Exploitation of these vulnerabilities might result in a privilege    escalation on the host system. This exploit scenario is relevant for all    affected products. On VC, ESX30x, and ESX35, users need to have the VM    Interaction Privilege in order to exploit the vulnerability.

   Exploitation of these vulnerabilities might also result in code execution on    the host system from the guest system or on the service console in ESX Server    from the guest operating system. This exploit scenario is relevant for    Workstation 6.0.x (version 6.0.3 and below), Player 2.0.x (version 2.0.3 and    below), ACE 2.0.x (version 2.0.3 and below), Server 1.0.x (version 1.0.5 and    below), and ESX3.5. The parameter 'vix.inGuest.enable' in the VMware    configuration file must be set to true to allow for exploitation on these    products. Note that the parameter 'vix-inGuest.enable' is set to false by    default.

   The parameter 'vix.inGuest.enable' is present in the    following products :

     VMware Workstation 6.0.2 and higher      VMware ACE 6.0.2 and higher      VMware Server 1.06 and higher      VMware Fusion 1.1.2 and higher      ESX Server 3.0 and higher      ESX Server 3.5 and higher

   In previous versions of VMware products where the VIX API was introduced,    the VIX API couldn't be disabled.

   This vulnerability is present in ESX and the hosted products even if you    have not installed the VIX API. To patch your system you will need to    update to the new hosted product version or to apply the appropriate ESX    patch. It is not necessary to update the VIX API if you have installed    the VIX API.

   VMware would like to thank Andrew Honig of the Department of    Defense for reporting this issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-2100 to this issue.

II Service Console rpm updates

 NOTE: ESXi and hosted products are not affected by any service console        security updates

 a. Security update for cyrus-sasl

   Updated cyrus-sasl package for the ESX Service Console corrects a security    issue found in the DIGEST-MD5 authentication mechanism of Cyrus'    implementation of Simple Authentication and Security Layer (SASL). As a    result of this issue in the authentication mechanism, a remote    unauthenticated attacker might be able to cause a denial of service error    on the service console.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CVE-2006-1721 to this issue.

 b. Security update for tcltk

   An input validation flaw was discovered in Tk's GIF image handling. A    code-size value read from a GIF image was not properly validated before    being used, leading to a buffer overflow. A specially crafted GIF file    could use this to cause a crash or, potentially, execute code with the    privileges of the application using the Tk graphical toolkit.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CVE-2008-0553 to this issue.

   A buffer overflow flaw was discovered in Tk's animated GIF image handling.
   An animated GIF containing an initial image smaller than subsequent images    could cause a crash or, potentially, execute code with the privileges of    the application using the Tk library.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CVE-2007-5378 to this issue.

   A flaw first discovered in the Tcl regular expression engine used in the    PostgreSQL database server, resulted in an infinite loop when processing    certain regular expressions.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CVE-2007-4772 to this issue.

 c. Security update for unzip

   This patch includes a moderate security update to the service console that    fixes a flaw in unzip. An attacker could execute malicious code with a    user's privileges if the user ran unzip on a file designed to leverage    this flaw.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CVE-2008-0888 to this issue.

 d. Security update for krb5

   KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable    for some krb4 message types, which allows remote attackers to    cause a denial of service (crash) and possibly execute arbitrary    code via crafted messages that trigger a NULL pointer dereference    or double-free.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-0062 to this issue.

   NOTE: ESX doesn't contain the krb5kdc binary and is not vulnerable          to this issue.

   The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not    properly clear the unused portion of a buffer when generating an    error message, which might allow remote attackers to obtain    sensitive information, aka 'Uninitialized stack values.'

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-0063 to this issue.

   NOTE: ESX doesn't contain the krb5kdc binary and is not vulnerable          to this issue.

   Buffer overflow in the RPC library (lib/rpc/rpc_dtablesize.c) used    by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.2.2, and probably    other versions before 1.3, when running on systems whose unistd.h    does not define the FD_SETSIZE macro, allows remote attackers to cause    a denial of service (crash) and possibly execute arbitrary code by    triggering a large number of open file descriptors.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-0948 to this issue.

Multiple memory management flaws were found in the GSSAPI library used by Kerberos that could result in the use of already freed memory or an attempt to free already freed memory, possibly leading to a crash or allowing the execution of arbitrary code (CVE-2007-5901, CVE-2007-5971).

A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly %execute arbitrary code using malformed or truncated Kerberos v4 protocol requests (CVE-2008-0062, CVE-2008-0063).

This issue only affects krb5kdc when it has Kerberos v4 protocol compatibility enabled, which is a compiled-in default in all Kerberos versions that Mandriva Linux ships prior to Mandriva Linux 2008.0.
Kerberos v4 protocol support can be disabled by adding v4_mode=none (without quotes) to the [kdcdefaults] section of /etc/kerberos/krb5kdc/kdc.conf.

A flaw in the RPC library as used in Kerberos' kadmind was discovered by Jeff Altman of Secure Endpoints. An unauthenticated remote attacker could use this vulnerability to crash kadmind or possibly execute arbitrary code in systems with certain resource limits configured;
this does not affect the default resource limits used by Mandriva Linux (CVE-2008-0947).

The updated packages have been patched to correct these issues.

A memory management flaw was found in the GSSAPI library used by Kerberos that could result in an attempt to free already freed memory, possibly leading to a crash or allowing the execution of arbitrary code (CVE-2007-5971).

A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly %execute arbitrary code using malformed or truncated Kerberos v4 protocol requests (CVE-2008-0062, CVE-2008-0063).

This issue only affects krb5kdc when it has Kerberos v4 protocol compatibility enabled, which is a compiled-in default in all Kerberos versions that Mandriva Linux ships prior to Mandriva Linux 2008.0.
Kerberos v4 protocol support can be disabled by adding v4_mode=none (without quotes) to the [kdcdefaults] section of /etc/kerberos/krb5kdc/kdc.conf.

A flaw in the RPC library as used in Kerberos' kadmind was discovered by Jeff Altman of Secure Endpoints. An unauthenticated remote attacker could use this vulnerability to crash kadmind or possibly execute arbitrary code in systems with certain resource limits configured;
this does not affect the default resource limits used by Mandriva Linux (CVE-2008-0947).

The updated packages have been patched to correct these issues.

The remote host is affected by the vulnerability described in GLSA-200803-31 (MIT Kerberos 5: Multiple vulnerabilities)

    Two vulnerabilities were found in the Kerberos 4 support in     KDC: A global variable is not set for some incoming message types,     leading to a NULL pointer dereference or a double free()     (CVE-2008-0062) and unused portions of a buffer are not properly     cleared when generating an error message, which results in stack     content being contained in a reply (CVE-2008-0063).
    Jeff     Altman (Secure Endpoints) discovered a buffer overflow in the RPC     library server code, used in the kadmin server, caused when too many     file descriptors are opened (CVE-2008-0947).
    Venustech AD-LAB     discovered multiple vulnerabilities in the GSSAPI library: usage of a     freed variable in the gss_indicate_mechs() function (CVE-2007-5901) and     a double free() vulnerability in the gss_krb5int_make_seal_token_v3()     function (CVE-2007-5971).
  Impact :

    The first two vulnerabilities can be exploited by a remote     unauthenticated attacker to execute arbitrary code on the host running     krb5kdc, compromise the Kerberos key database or cause a Denial of     Service. These bugs can only be triggered when Kerberos 4 support is     enabled.
    The RPC related vulnerability can be exploited by a remote     unauthenticated attacker to crash kadmind, and theoretically execute     arbitrary code with root privileges or cause database corruption. This     bug can only be triggered in configurations that allow large numbers of     open file descriptors in a process.
    The GSSAPI vulnerabilities could be exploited by a remote attacker to     cause Denial of Service conditions or possibly execute arbitrary code.
  Workaround :

    Kerberos 4 support can be disabled via disabling the 'krb4' USE flag     and recompiling the ebuild, or setting 'v4_mode=none' in the     [kdcdefaults] section of /etc/krb5/kdc.conf. This will only work around     the KDC related vulnerabilities.

This update incorporates fixes included in MITKRB5-SA-2008-001 (use of uninitialized pointer / double-free in the KDC when v4 compatibility is enabled) and MITKRB5-SA-2008-002 (incorrect handling of high-numbered descriptors in the RPC library). This update also incorporates less-critical fixes for a double- free (CVE-2007-5971) and an incorrect attempt to free non-heap memory (CVE-2007-5901) in the GSSAPI library. This update also fixes an incorrect calculation of the length of the absolute path name of a file when the relative path is known and the library needs to look up which SELinux label to apply to the file.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update incorporates fixes included in MITKRB5-SA-2008-001 (use of uninitialized pointer / double-free in the KDC when v4 compatibility is enabled) and MITKRB5-SA-2008-002 (incorrect handling of high-numbered descriptors in the RPC library). This update also incorporates less-critical fixes for a double- free (CVE-2007-5971) and an incorrect attempt to free non-heap memory (CVE-2007-5901) in the GSSAPI library.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several remote vulnerabilities have been discovered in the kdc component of the krb5, a system for authenticating users and services on a network. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-0062     An unauthenticated remote attacker may cause a     krb4-enabled KDC to crash, expose information, or     execute arbitrary code. Successful exploitation of this     vulnerability could compromise the Kerberos key database     and host security on the KDC host.

  - CVE-2008-0063     An unauthenticated remote attacker may cause a     krb4-enabled KDC to expose information. It is     theoretically possible for the exposed information to     include secret key data on some platforms.

  - CVE-2008-0947     An unauthenticated remote attacker can cause memory     corruption in the kadmind process, which is likely to     cause kadmind to crash, resulting in a denial of     service. It is at least theoretically possible for such     corruption to result in database corruption or arbitrary     code execution, though we have no such exploit and are     not aware of any such exploits in use in the wild. In     versions of MIT Kerberos shipped by Debian, this bug can     only be triggered in configurations that allow large     numbers of open file descriptors in a process.

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding 'v4_mode=none' (without the quotes) to the '[kdcdefaults]' section of /var/kerberos/krb5kdc/kdc.conf.

Red Hat would like to thank MIT for reporting these issues.

A double-free flaw was discovered in the GSSAPI library used by MIT Kerberos. This flaw could possibly cause a crash of the application using the GSSAPI library. (CVE-2007-5971)

All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues.

It was discovered that krb5 did not correctly handle certain krb4 requests. An unauthenticated remote attacker could exploit this flaw by sending a specially crafted traffic, which could expose sensitive information, cause a crash, or execute arbitrary code. (CVE-2008-0062, CVE-2008-0063)

A flaw was discovered in the kadmind service's handling of file descriptors. An unauthenticated remote attacker could send specially crafted requests that would cause a crash, resulting in a denial of service. Only systems with configurations allowing large numbers of open file descriptors were vulnerable. (CVE-2008-0947).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes the following security bugs in krb5/krb5-server :

  - null/dangling pointer (needs enabled krb4 support).
    (CVE-2008-0062)

  - possible operations on uninitialized buffer     content/information leak (needs enabled krb4 support).
    (CVE-2008-0063)

  - out-of-bound array access in kadmind's RPC lib.
    (CVE-2008-0947 / CVE-2008-0948)

This update fixes the following security bugs in krb5/krb5-server :

  - CVE-2008-0062: null/dangling pointer (needs enabled krb4     support) 

  - CVE-2008-0063: possible operations on uninitialized     buffer content/information leak (needs enabled krb4     support) 

  - CVE-2008-0947/CVE-2008-0948: out-of-bound array access     in kadmind's RPC lib

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 and 3.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding 'v4_mode=none' (without the quotes) to the '[kdcdefaults]' section of /var/kerberos/krb5kdc/kdc.conf.

A flaw was found in the RPC library used by the MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 2.1 or 3. (CVE-2008-0948)

Red Hat would like to thank MIT for reporting these issues.

All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues.

The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. 

This update contains several security fixes for a number of programs.

ID	Name	Product	Family	Severity
67669	Oracle Linux 3 : krb5 (ELSA-2008-0181)	Nessus	Oracle Linux Local Security Checks	critical
67668	Oracle Linux 4 : krb5 (ELSA-2008-0180)	Nessus	Oracle Linux Local Security Checks	high
67664	Oracle Linux 5 : krb5 (ELSA-2008-0164)	Nessus	Oracle Linux Local Security Checks	critical
63850	RHEL 4 : krb5 (RHSA-2008:0182)	Nessus	Red Hat Local Security Checks	high
60373	Scientific Linux Security Update : krb5 on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
43676	CentOS 5 : krb5 (CESA-2008:0164)	Nessus	CentOS Local Security Checks	critical
40378	VMSA-2008-0009 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues	Nessus	VMware ESX Local Security Checks	high
38056	Mandriva Linux Security Advisory : krb5 (MDVSA-2008:069)	Nessus	Mandriva Local Security Checks	critical
37527	Mandriva Linux Security Advisory : krb5 (MDVSA-2008:070)	Nessus	Mandriva Local Security Checks	critical
31671	GLSA-200803-31 : MIT Kerberos 5: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
31670	Fedora 8 : krb5-1.6.2-14.fc8 (2008-2647)	Nessus	Fedora Local Security Checks	critical
31668	Fedora 7 : krb5-1.6.1-9.fc7 (2008-2637)	Nessus	Fedora Local Security Checks	critical
31630	Debian DSA-1524-1 : krb5 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
31627	CentOS 4 : krb5 (CESA-2008:0180)	Nessus	CentOS Local Security Checks	high
31625	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : krb5 vulnerabilities (USN-587-1)	Nessus	Ubuntu Local Security Checks	critical
31624	SuSE 10 Security Update : Kerberos 5 (ZYPP Patch Number 5082)	Nessus	SuSE Local Security Checks	critical
31623	openSUSE 10 Security Update : krb5 (krb5-5081)	Nessus	SuSE Local Security Checks	critical
31618	RHEL 2.1 / 3 : krb5 (RHSA-2008:0181)	Nessus	Red Hat Local Security Checks	critical
31617	RHEL 4 : krb5 (RHSA-2008:0180)	Nessus	Red Hat Local Security Checks	high
31616	RHEL 5 : krb5 (RHSA-2008:0164)	Nessus	Red Hat Local Security Checks	critical
31609	CentOS 3 : krb5 (CESA-2008:0181)	Nessus	CentOS Local Security Checks	critical
31605	Mac OS X Multiple Vulnerabilities (Security Update 2008-002)	Nessus	MacOS X Local Security Checks	critical

Detections

Analytics

CVE-2008-0063

high

Tenable Plugins

critical

high

critical

high

critical

critical

high

critical

critical

critical

critical

critical

critical

high

critical

critical

critical

critical

high

critical

critical

critical