Last revised: Sep 14, 2001
Source: The MIT Kerberos Team, CERT/CC
A complete revision history is at the end of this file.
The CERT Coordination Center has recently been notified of several
potential buffer overflow vulnerabilities in the Kerberos
authentication software. The most severe vulnerability allows remote
intruders to disrupt normal operations of the Key Distribution Center
(KDC) if an attacker is able to send malformed requests to a realm's
key server.
MIT reports that the following versions are vulnerable to one or
more of these vulnerabilities:
Other versions may be affected as well.
The vulnerabilities discussed in this advisory are different than
the ones discussed in CA-2000-06, Multiple Buffer
Overflows in Kerberos Authenticated Services. The primary
difference is in the impact: the new vulnerabilities do not appear to
allow remote execution of arbitrary code since the buffers being
overrun are statically declared. In addition, only Kerberos 4 and
Kerberos 5 KDC servers that can service version 4 ticket requests are
affected by the buffer overflows discussed here.
There are at least five distinct vulnerabilities in various
versions and implementations of the Kerberos software. All of these
vulnerabilities may be exploited to effect denial-of-service attacks
with varying degrees of severity. These vulnerabilities include
The MIT Kerberos Team described these vulnerabilities in more
detail in an advisory they recently issued. This advisory is
available at
Depending on the version of kerberos, the environment in which its
running, and the particular vulnerability that is exploited, a remote
attacker can cause one or more of the following:
It does not appear that any of these vulnerabilities allows
the execution of code by an intruder.
Additional detail can be found in the MIT advisory.
Appendix A contains information provided by vendors for this
advisory. We will update the appendix as we receive more information.
If you do not see your vendor's name, the CERT/CC did not hear from
that vendor. Please contact your vendor directly. If you are running a Kerberos distribution from MIT and can
rebuild your binaries from source, you can apply the source code
patches from MIT to correct these problems. These patches are
available in the MIT
Advisory.
If you are running other MIT-derived implementations, you need
to apply the appropriate vendor patches and recompile the KDC server
software.
As suggested by MIT, krb4 authentication in some daemons can
be disabled at run time by supplying command-line options to the KDC
server. Optionally, the krb5 distribution may be compiled with the
option '--without-krb4' to disable all krb4 ticket handling by
default.
The vulnerabilities described in this advisory will be addressed in
Kerberos 5 version 1.2. This version will be available from the MIT Kerberos
web site:
The MIT Kerberos Team advisory on this topic is available from:
BSDI is working on a patch for this problem and will announce it
via our normal channels as soon as it is available.
The IBM AFS Kerberos sever shares very little actual code with the original
MIT Kerberos server and the code referred to in this advisory is
specifically not used. We have reviewed the equivalent functions in our
code to eliminate this type of vulnerability.
Versions of kerberos which have been integrated into released
versions of NetBSD and distributed as part of the optional,
not-for-export "secr" sets are vulnerable to some of the problems
cited in the advisory. Integration of the fixes is in progress and
will be announced in a NetBSD security advisory when complete.
[...] we don't distribute client or server binaries with MIT Kerberos
support.
We distribute source that allows building on UNIX and PC with MIT
Kerberos. A site which wants to use Kerberos must build our software
(e.g. Pine, imapd, ipop[23]d) locally in order to use MIT Kerberos.
I did not see anything in this alert that specifically indicates a
problem for [our] clients or servers. As with all other software
built with MIT Kerberos, it would be prudent for a site that uses our
software with MIT Kerberos to rebuild it with the patched version of
MIT Kerberos.
The CERT Coordination Center thanks Tom Yu and the MIT Kerberos
Team for notifying us about these problem and their help in developing
this advisory. Jeff
Havrilla was the primary author of the CERT/CC portions of this
document.
Copyright 2000, 2001 Carnegie Mellon University, portions Copyright 2000 MIT
University. Revision History
Systems Affected
Overview
I. Description
The MIT Kerberos Team Advisory
II. Impact
Any new authentications to kerberized services will not be possible
until the KDC is restarted. Note that this implies that operation of
"kerberized" services will be halted until the KDC is stopped.
III. Solution
Apply a patch from your vendor
Apply the MIT patches
Disable Kerberos version 4 authentication in Kerberos version 5 if possible
Upgrade to MIT Kerberos 5 version 1.2
Appendix A. Vendor Information
MIT Kerberos
BSDI
IBM Corporation
NetBSD
University of Washington
June 9, 2000: Initial release
September 14, 2001: Added IBM statement