Original issue date: October 25, 2002<br>
Last revised: February 25, 2003<br>
Source: CERT/CC<br>

<p>A complete revision history is at the end of this file.</p>

<h3>Systems Affected</h3>
<ul>
<li>MIT Kerberos version 4 and version 5 up to and including krb5-1.2.6</li>
<li>KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version 0.5.1</li>
<li>Other Kerberos implementations derived from vulnerable MIT or KTH code</li>
</ul>

<h2>Overview</h2>

<p>
Multiple Kerberos distributions contain a remotely exploitable buffer
overflow in the Kerberos administration daemon.  A remote attacker
could exploit this vulnerability to gain root privileges on a
vulnerable system.
</p>

<p>
The CERT/CC has received reports that indicate that this vulnerability
is being exploited.  In addition, MIT advisory <a
href="http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt">MITKRB5-SA-2002-002</a>
notes that an exploit is circulating.
</p>

<p>
We strongly encourage sites that use vulnerable Kerberos
distributions to verify the integrity of their systems and apply
patches or upgrade as appropriate.
</p>

<h2>I. Description</h2>

<p>
Kerberos is a widely used network protocol that uses strong
cryptography to authenticate clients and servers.  The Kerberos
administration daemon (typically called <font face="courier">kadmind</font>) handles password change and other requests to
modify the Kerberos database.  The daemon runs on the master Key
Distribution Center (KDC) server of a Kerberos realm.
</p>
<p>
The code that provides legacy support for the Kerberos 4 administration
protocol contains a remotely exploitable buffer overflow.  The
vulnerable code does not adequately validate data read from a network
request.  This data is subsequently used as an argument to a <font
face="courier">memcpy()</font> call, which can overflow a buffer
allocated on the stack.  An attacker does not have to authenticate in
order to exploit this vulnerability, and the Kerberos administration
daemon runs with root privileges.
</p>
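<p>The defect class described above, as an added illustrative example that is not code from MIT, KTH or this advisory: a request parser for a constructed message layout (one length byte followed by a principal name) in which the two bounds checks the vulnerable pattern omits are marked in comments. The layout, buffer size and function names are assumptions made for the example.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MIT/KTH kadmind code.  The advisory describes a length
 * taken from an unauthenticated network request and used as the memcpy()
 * size for a fixed-size stack buffer.  The layout assumed here: one length
 * byte, then that many bytes of principal name.  The vulnerable pattern
 * differs only in omitting the checks marked (a) and (b):
 *     n = req[0];  memcpy(name, req + 1, n);   -- n is attacker-chosen   */
#define NAME_BUF 16   /* constructed size of the on-stack name buffer */
enum { REQ_OK = 0, REQ_TRUNCATED = -1, REQ_TOO_LONG = -2 };

/* Copies the name carried in req into out (NUL-terminated) only if the
 * claimed length fits both the bytes actually received and the destination.
 * On error nothing is written and a negative status is returned. */
int parse_name_request(const uint8_t *req, size_t req_len,
                       char *out, size_t out_len)
{
    if (req_len < 1)            /* no length byte was received */
        return REQ_TRUNCATED;
    size_t n = req[0];
    if (n > req_len - 1)        /* (a) claims more bytes than were received */
        return REQ_TRUNCATED;
    if (n >= out_len)           /* (b) would not fit, with room for the NUL */
        return REQ_TOO_LONG;
    memcpy(out, req + 1, n);    /* bounded by both checks above */
    out[n] = '\0';
    return REQ_OK;
}

/* Request handler with the name on the stack, as in the advisory.  Malformed
 * requests are rejected before anything touches the database. */
int handle_request(const uint8_t *req, size_t req_len)
{
    char name[NAME_BUF];
    int rc = parse_name_request(req, req_len, name, sizeof name);
    if (rc != REQ_OK)
        return rc;
    printf("request for principal '%s'\n", name);  /* dispatch would go here */
    return REQ_OK;
}

int main(void)
{
    /* constructed sample requests: a valid one and one with a lying length */
    const uint8_t good[] = { 5, 'a', 'd', 'm', 'i', 'n' };
    const uint8_t lying[] = { 200, 'a', 'b' };
    printf("good  -> %d\n", handle_request(good, sizeof good));
    printf("lying -> %d\n", handle_request(lying, sizeof lying));
    return 0;
}
```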
<p>
Both Massachusetts Institute of Technology (<a href="http://web.mit.edu/">MIT</a>) and Kungl Tekniska H&ouml;gskolan (<a href="http://www.kth.se/">KTH</a>) Kerberos are affected, as well as operating systems,
applications, and other Kerberos implementations that use vulnerable
code derived from either the MIT or KTH distributions.  In MIT
Kerberos 5, the Kerberos 4 administration daemon is implemented in
<font face="courier">kadmind4</font>.  In KTH Kerberos 4 (<a
href="http://www.pdc.kth.se/kth-krb/">eBones</a>), the Kerberos
administration daemon is implemented in <font
face="courier">kadmind</font>.  KTH Kerberos 5 (<a
href="http://www.pdc.kth.se/heimdal/">Heimdal</a>) also implements the daemon in <font face="courier">kadmind</font>;
however, the Heimdal daemon is only affected
if compiled with Kerberos 4 support.  Since the vulnerable Kerberos
administration daemon is included in the MIT Kerberos 5 and KTH Heimdal
distributions, both Kerberos 4 sites and Kerberos 5 sites that enable support for the Kerberos 4 administration protocol are affected.
</p>
<p>
Further information about this vulnerability may be found in <a
href="http://www.kb.cert.org/vuls/id/875073">VU#875073</a>.
</p>
<p>
MIT has released an advisory that contains information about
this vulnerability
<blockquote>
<a href="http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt">http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt</a>
</blockquote>
and a document that describes the signature of an attack against <font face="courier">kadmind4</font>:
<blockquote>
<a href="http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt">http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt</a>
</blockquote>
</p>
<p>
The KTH eBones and Heimdal web sites also contain information about this vulnerability:
<blockquote>
KTH eBones<br>
<a href="http://www.pdc.kth.se/kth-krb/">http://www.pdc.kth.se/kth-krb/</a><br>
<br>
KTH Heimdal<br>
<a href="http://www.pdc.kth.se/heimdal/">http://www.pdc.kth.se/heimdal/</a>
</blockquote>
</p>
<p>
In addition to resolving the vulnerability described in VU#875073,
version 0.5.1 of KTH Heimdal contains other fixes related to
the KDC and administration servers.  See the ChangeLog for more information:
<blockquote>
<a href="ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.5-0.5.1.diff.gz">ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.5-0.5.1.diff.gz</a>
</blockquote>
</p>

<p>
This vulnerability has been assigned <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1235">CAN-2002-1235</a>
by the Common Vulnerabilities and Exposures (<a
href="http://cve.mitre.org/">CVE</a>) group.
</p>

<h2>II. Impact</h2>

<p>
An unauthenticated, remote attacker could execute arbitrary code with
root privileges.  If an attacker is able to gain control of a master
KDC, the integrity of the entire Kerberos realm is compromised,
including user and host identities and other systems that
accept Kerberos authentication.
</p>

<h2>III. Solution</h2>

<h4>Apply a patch or upgrade</h4>

<p>
Apply the appropriate patch or upgrade as specified by your vendor.
See <a href="#vendors">Appendix A</a> below and the Systems Affected
section of <a
href="http://www.kb.cert.org/vuls/id/875073#systems">VU#875073</a> for
specific information.
</p>

<h4>Disable vulnerable service</h4>

<p>
Disable support for the Kerberos 4 administration
protocol if it is not needed.  In MIT Kerberos 5, this can be achieved by disabling <font
face="courier">kadmind4</font>.  For information about disabling all
Kerberos 4 support in MIT Kerberos 5 at compile time, see
<blockquote>
<a href="http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24">http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24</a>
</blockquote>
In KTH Heimdal, it is necessary to recompile <font
face="courier">kadmind</font> in order to disable support for the
Kerberos 4 administration protocol.  For information about disabling all
Kerberos 4 support in KTH Heimdal at compile time, see
<blockquote>
<a href="http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing">http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing</a>
</blockquote>
This solution will prevent Kerberos 4 administrative clients from
accessing the Kerberos database.  It will also prevent users with
Kerberos 4 clients from changing their passwords.  In general, the
CERT/CC recommends disabling any service that is not explicitly
required.
</p>

<h4>Block or restrict access</h4>

<p>
Block access to the Kerberos administration service from untrusted
networks such as the Internet.  Furthermore, only allow access to the
service from trusted administrative hosts.  By default, the Kerberos 4
administration daemon listens on 751/tcp and 751/udp, and the Kerberos
5 administration daemon listens on 749/tcp and 749/udp.  It may be
necessary to block access to the Kerberos 5 administration service if
the daemon also supports the Kerberos 4 administration protocol.  This
workaround will prevent administrative connections and password change
requests from blocked networks.  Note that this workaround will not
prevent exploitation, but it will limit the possible sources of
attacks.
</p>

<a name="vendors"></a>
<h2>Appendix A.  Vendor Information</h2>

<p>
This appendix contains information provided by vendors.  When vendors
report new information, this section is updated and the changes are
noted in the revision history.  If a vendor is not listed below, we
have not received their comments.
</p>

<a name="apple"></a>
<h4><a href="http://www.apple.com/">Apple Computer, Inc.</a></h4>
<blockquote>
<p>
The Kerberos Administration Daemon was included in Mac OS X 10.0, but removed in Mac OS X 10.1 and later.<br>
<br>
We encourage sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate.
</p>
</blockquote>
<!-- end vendor -->

<a name="conectiva"></a>
<h4><a href="http://www.conectiva.com/">Conectiva</a></h4>
<blockquote>
<p>
Our MIT Kerberos 5 packages in Conectiva Linux 8 do contain the vulnerable
kadmind4 daemon, but it is not used by default nor is it installed as a
service.
</p>
<p>
Updated packages are being uploaded to our ftp server and should be available
in a few hours at:
<blockquote>
<a href="ftp://atualizacoes.conectiva.com.br/8/">ftp://atualizacoes.conectiva.com.br/8/</a>
</blockquote>
The krb5-server-1.2.3-3U8_3cl.i386.rpm package contains a patched kadmind4
daemon.  An announcement will be sent to our security mailing list a few hours
after the upload is complete.  [<a href="http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000534&idioma=en">CLSA-2002:534 (English)</a>]
</p>
</blockquote>
<!-- end vendor -->

<a name="cray"></a>
<h4><a href="http://www.cray.com/">Cray</a></h4>
<blockquote>
<p>
Cray, Inc. is not vulnerable as the Kerberos administration daemon is
not included in any of our operating systems.
</p>
</blockquote>
<!-- end vendor -->

<a name="debian"></a>
<h4><a href="http://www.debian.org/">Debian</a></h4>
<blockquote>
<p>
Please see the Debian <a href="http://www.kb.cert.org/vuls/id/AAMN-5F82BF">vendor record</a> in VU#875073.
</p>
</blockquote>
<!-- end vendor -->

<a name="freebsd"></a>
<h4><a href="http://www.freebsd.org/">FreeBSD</a></h4>
<blockquote>
<p>
Both the FreeBSD base Kerberos 4 (kadmind) and Kerberos 5 (k5admind v4
compatibility) daemons were vulnerable and have been corrected as of
23 October 2002.  In addition, the heimdal and krb5 ports contained
the same vulnerability and have been corrected as of 24 October 2002.
A Security Advisory is in progress.  [<a href="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:40.kadmind.asc">FreeBSD-SA-02:40.kadmind</a>]
</p>
</blockquote>
<!-- end vendor -->

<a name="hp"></a>
<h4><a href="http://www.hp.org/">Hewlett-Packard</a></h4>
<blockquote>
<p>
Source:  Hewlett-Packard Company Software Security Response Team<br>
<br>
RE: CERT VU#875073 CA-2002-29<br>
cross reference id: SSRT2396<br>
<br>
HP's implementations for the following Operating Systems Software are
not affected by this potential buffer overflow vulnerability in the
kadmind4 daemon.
<blockquote>
HP-UX<br>
HP-MPE/ix<br>
HP Tru64 UNIX<br>
HP OpenVMS<br>
HP NonStop Servers<br>
</blockquote>
To report potential security vulnerabilities in HP software, send an
E-mail message to: <a href="mailto:security-alert@hp.com">security-alert@hp.com</a>
</p>
</blockquote>
<!-- end vendor -->

<a name="ibm"></a>
<h4><a href="http://www.ibm.com/">IBM</a></h4>
<blockquote>
<p>
The IBM pSeries Parallel Systems Support Programs (PSSP)
implementation of Kerberos V4 (shipped with PSSP) is potentially
vulnerable to the Kerberos V4 administration daemon buffer overflow
described in CA-2002-29.  For more information, see:
<blockquote>
<a href="http://techsupport.services.ibm.com/server/nav?fetch=/spflashes/home.html">http://techsupport.services.ibm.com/server/nav?fetch=/spflashes/home.html</a>
</blockquote>
Click on the Service Flash for "Potential Kerberos V4 security
vulnerability."  This link also contains APAR numbers and solution
information.
</p>
<p>
The IBM Network Authentication Service (NAS) product is not vulnerable
to the buffer overflow vulnerability in the kadmind4 daemon.  NAS is
currently at release 1.3 and is available from the AIX Expansion Pack.
The kadmind4 daemon is not part of the NAS product.
</p>
</blockquote>
<!-- end vendor -->

<a name="kth"></a>
<h4><a href="http://www.kth.se/">KTH Kerberos</a></h4>
<blockquote>
<p>
The eBones and Heimdal web sites have information about this vulnerability:
<blockquote>
KTH eBones<br>
<a href="http://www.pdc.kth.se/kth-krb/">http://www.pdc.kth.se/kth-krb/</a><br>
<br>
KTH Heimdal<br>
<a href="http://www.pdc.kth.se/heimdal/">http://www.pdc.kth.se/heimdal/</a><br>
<a href="ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.4e.kadmind-patch">ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.4e.kadmind-patch</a>
</blockquote>
</p>
</blockquote>
<!-- end vendor -->

<a name="microsoft"></a>
<h4><a href="http://www.microsoft.com/">Microsoft Corporation</a></h4>
<blockquote>
<p>
Microsoft's implementation of Kerberos is not affected by this vulnerability.
</p>
</blockquote>
<!-- end vendor -->

<a name="mit"></a>
<h4><a href="http://web.mit.edu/kerberos/www/">MIT Kerberos</a></h4>
<blockquote>
<p>
MIT has released MIT krb5 Security Advisory 2002-002 that includes a patch and a description of an attack signature:
<blockquote>
<a href="http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt">http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt</a><br>
<a href="http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt">http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt</a><br>
<a href="http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt">http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt</a>
</blockquote>
</p>
</blockquote>
<!-- end vendor -->

<a name="netbsd"></a>
<h4><a href="http://www.netbsd.org/">NetBSD</a></h4>
<blockquote>
<p>
NetBSD has released NetBSD-SA2002-026:
<blockquote>
<a href="ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc">ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc</a>
</blockquote>
</p>
</blockquote>
<!-- end vendor -->

<a name="openbsd"></a>
<h4><a href="http://www.openbsd.org/">OpenBSD</a></h4>
<blockquote>
<p>
OpenBSD has released Security Fix 016 for OpenBSD 3.1 and Security Fix 033 for OpenBSD 3.0.
<blockquote>
OpenBSD 3.1<br>
<a href="http://www.openbsd.org/errata31.html#kadmin">http://www.openbsd.org/errata31.html#kadmin</a><br>
<br>
OpenBSD 3.0<br>
<a href="http://www.openbsd.org/errata30.html#kadmin">http://www.openbsd.org/errata30.html#kadmin</a>
</blockquote>
</p>
</blockquote>
<!-- end vendor -->

<a name="openwall"></a>
<h4><a href="http://www.openwall.com/">Openwall</a></h4>
<blockquote>
<p>
Openwall GNU/*/Linux is not vulnerable.  We don't provide Kerberos.
</p>
</blockquote>
<!-- end vendor -->

<a name="redhat"></a>
<h4><a href="http://www.redhat.com/">Red Hat, Inc.</a></h4>
<blockquote>
<p>
Releases of Red Hat Linux version 6.2 and higher include versions of
MIT Kerberos that are vulnerable to this issue; however, the vulnerable
administration server, kadmind4, has never been enabled by default.
We are currently working on producing errata packages.  When complete,
these will be available along with our advisory at the URL below.  At
the same time users of the Red Hat Network will be able to update
their systems using the 'up2date' tool.
<blockquote>
<a href="http://rhn.redhat.com/errata/RHSA-2002-242.html">http://rhn.redhat.com/errata/RHSA-2002-242.html</a>
</blockquote>
</p>
</blockquote>
<!-- end vendor -->

<a name="sun"></a>
<h4><a href="http://www.sun.com/">Sun</a></h4>
<blockquote>
<p>
The Sun Enterprise Authentication Mechanism (SEAM), Sun's
implementation of the Kerberos v5 protocols, is not affected by this
issue.  SEAM does not include support for the Kerberos v4 protocols
and kadmind4 does not exist.  Additional information regarding SEAM is
available from:
<blockquote>
<a href="http://wwws.sun.com/software/security/kerberos/">http://wwws.sun.com/software/security/kerberos/</a>
</blockquote>
</p>
</blockquote>
<!-- end vendor -->

<a name="suse"></a>
<h4><a href="http://www.suse.com/">SuSE</a></h4>
<blockquote>
<p>
SuSE Linux 7.2 and later are shipped with Heimdal Kerberos included,
but Kerberos 4 support is disabled in all releases.  Therefore, SuSE
Linux and SuSE Enterprise Linux are not affected by this bug.
</p>
</blockquote>
<!-- end vendor -->

<a name="wrs"></a>
<a name="bsdi"></a>
<h4><a href="http://www.windriver.com/products/bsd_os/index.html">Wind River Systems (BSDI)</a></h4>
<blockquote>
<p>
No version of BSD/OS is vulnerable to this problem.
</p>
</blockquote>
<!-- end vendor -->

<a name="xerox"></a>
<h4><a href="http://www.xerox.com/">Xerox</a></h4>
<blockquote>
<p>
A response to this advisory is available from our web site:<br>
<a href="http://www.xerox.com/security/">http://www.xerox.com/security</a>.
</p>
</blockquote>
<!-- end vendor -->

<br>
<a name="references"></a>
<h2>Appendix B.  References</h2>
<ul>
<li><a href="http://web.mit.edu/kerberos/www/">http://web.mit.edu/kerberos/www/</a></li>
<li><a href="http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt">http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt</a></li>
<li><a href="http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt">http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt</a></li>
<li><a href="http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt">http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt</a></li>
<li><a href="http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24">http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24</a></li>
<li><a href="http://www.pdc.kth.se/kth-krb/">http://www.pdc.kth.se/kth-krb/</a></li>
<li><a href="http://www.pdc.kth.se/heimdal/">http://www.pdc.kth.se/heimdal/</a></li>
<li><a href="http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing">http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing</a></li>
<li><a href="ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.4e.kadmind-patch">ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.4e.kadmind-patch</a></li>
</ul>

<hr noshade>
<p>
The CERT Coordination Center thanks the <a href="http://www.mit.edu">MIT</a> and <a href="http://www.kth.se/">KTH</a> Kerberos development teams for information used in this document.
</p>
<hr noshade>
<p>
Authors: <a href="mailto:cert@cert.org?subject=CA-2002-29%20VU%23875073%20Feedback">Art Manion and Jason A. Rafail</a>.
</p>



<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History</p>
<p>
<small>
October 25, 2002:  Initial release<br>
October 25, 2002:  Removed incorrect references to Debian advisory DSA-178 and SuSE advisory SuSE-SA:2002:034, added link to Heimdal 0.4e patch, added link to Debian vendor record in VU#875073<br>
October 26, 2002:  Added IBM and Red Hat vendor statements<br>
October 28, 2002:  Added link to MIT attack signature, updated MIT vendor statement, added statement thanking MIT and KTH<br>
October 29, 2002:  Added Sun vendor statement, corrected kth-krb links<br>
October 30, 2002:  Updated IBM vendor statement<br>
November 6, 2002:  Updated Conectiva statement<br>
November 15, 2002:  Added HP and Cray statements, updated FreeBSD statement, changed wording about other Heimdal 0.5.1 fixes<br>
February 13, 2003:  Added Xerox statement<br>
February 25, 2003:  Updated Xerox statement<br>
</small>
</p>