Original release date: June 9, 2000<BR>
Last revised: Sep 14, 2001<BR>
Source: The MIT Kerberos Team, CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<UL>
<LI>Systems with MIT-derived implementations of the Kerberos 4 KDC</LI>
<LI>Systems with MIT-derived implementations of the Kerberos 5 KDC
enabled to handle krb4 ticket requests</LI>
</UL>

<A NAME="overview">
<H2>Overview</H2>

<P>The CERT Coordination Center has recently been notified of several
potential buffer overflow vulnerabilities in the Kerberos
authentication software. The most severe of them allows a remote
attacker who is able to send malformed requests to a realm's key server
to disrupt normal operation of the Key Distribution Center (KDC).

<P>MIT reports that the following versions are vulnerable to one or
more of these vulnerabilities: 

<UL>
<LI>	MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
<LI>	MIT Kerberos 4 patch 10, and probably earlier releases as well
<LI>	KerbNet (Cygnus implementation of Kerberos 5)
<LI>	Cygnus Network Security (CNS -- Cygnus implementation of
		Kerberos 4)
</UL>

<p>Other versions may be affected as well. 

<P>The vulnerabilities discussed in this advisory are different from
the ones discussed in <a
href="/advisories/CA-2000-06.html">CA-2000-06, Multiple Buffer
Overflows in Kerberos Authenticated Services</a>. The primary
difference is in the impact: the new vulnerabilities do not appear to
allow remote execution of arbitrary code, since the buffers being
overrun are statically declared (they live in static storage rather
than on the stack, so an overrun corrupts neighbouring data but does
not overwrite a saved return address). In addition, only Kerberos 4 KDC
servers and Kerberos 5 KDC servers that can service version 4 ticket
requests are affected by the buffer overflows discussed here.


<A NAME="description">
<H2>I. Description</H2>

<P>There are at least five distinct vulnerabilities in various
versions and implementations of the Kerberos software. All of them
can be exploited for denial of service, with varying degrees of
severity. They are:

<UL>

<A NAME="set_tgtkey:lastrealm">
<li>The buffer used to hold the variable <i>lastrealm</i> in the
function set_tgtkey() can be overflowed.

<A NAME="process_v4:local_realm">
<li>The buffer used to hold the variable <i>localrealm</i> in the
function process_v4() can be overflowed.

<A NAME="kerb_err_reply:e_msg">
<li>The buffer used to hold the variable <i>e_msg</i> in the function
kerb_err_reply() can be overflowed.

<A NAME="kerberos:AUTH_MSG_KDC_REQUEST">
<li>The code that services AUTH_MSG_KDC_REQUESTs does not properly check
for null-termination. 

<A NAME="doublefree">
<li>Memory that has previously been freed may be improperly freed
again, possibly resulting in unstable operation.
</ul>
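<P>The following C code is an added illustration, not the MIT KDC source
or the MIT patch. It shows the pattern behind the first four items above,
a NUL-terminated field copied from a request into a statically declared
buffer without checking either its length or that the sender actually
terminated it, next to a bounded parser that rejects such a field before
anything is copied. The packet layout (a version byte, a message-type
byte, then name, instance and realm as NUL-terminated strings), the
function names and the sample requests are constructed for the example;
only the 40-byte field sizes follow the krb4 header constants.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the MIT KDC source.  The 40-byte sizes match the krb4
 * header constants (ANAME_SZ, INST_SZ, REALM_SZ); the packet layout and the
 * function names are assumptions made for this illustration. */
#define ANAME_SZ 40
#define INST_SZ  40
#define REALM_SZ 40

/* Statically declared buffer, like the lastrealm/localrealm/e_msg buffers in
 * the advisory.  An overrun clobbers adjacent static data, not a stack return
 * address, so the usual outcome is a crash or corrupted KDC state. */
static char lastrealm[REALM_SZ];

/* The unsafe pattern, kept for contrast only: strcpy() trusts the sender for
 * both the field's length and its NUL terminator.  Never feed it untrusted
 * input; nothing below calls it. */
void set_realm_unsafe(const char *realm_from_packet) {
    strcpy(lastrealm, realm_from_packet);
}

/* Hardened: copy one NUL-terminated field out of [*cur, end).  The search for
 * the terminator is bounded by the bytes actually received and the copy by the
 * destination size, so neither the packet nor the buffer can be overrun.
 * Advances *cur past the field on success.
 * Returns 0, -1 (no terminator inside the packet) or -2 (field too long). */
static int next_field(const char **cur, const char *end, char *dst, size_t dstsz) {
    size_t remaining = (size_t)(end - *cur);
    const char *nul = memchr(*cur, '\0', remaining);
    if (nul == NULL)
        return -1;
    size_t len = (size_t)(nul - *cur);
    if (len >= dstsz)
        return -2;
    memcpy(dst, *cur, len + 1);          /* includes the terminating NUL */
    *cur = nul + 1;
    return 0;
}

struct v4_req {
    char name[ANAME_SZ];
    char inst[INST_SZ];
    char realm[REALM_SZ];
};

/* Parse the assumed layout: version byte, message-type byte, then name,
 * instance and realm as NUL-terminated strings.  Each field is validated
 * before it is written into a fixed-size buffer.
 * Returns 0, -3 if the packet cannot hold the header, or next_field()'s code. */
int parse_v4_request(const char *pkt, size_t pktlen, struct v4_req *out) {
    if (pktlen < 2)
        return -3;
    const char *cur = pkt + 2;
    const char *end = pkt + pktlen;
    int rc;
    if ((rc = next_field(&cur, end, out->name, sizeof out->name)) != 0)
        return rc;
    if ((rc = next_field(&cur, end, out->inst, sizeof out->inst)) != 0)
        return rc;
    return next_field(&cur, end, out->realm, sizeof out->realm);
}

/* Constructed sample requests (not captured traffic). */
static struct v4_req parsed;

/* Well-formed: alice, empty instance, realm EXAMPLE.COM.  sizeof pkt counts
 * the literal's final NUL, which terminates the realm field. */
int demo_well_formed(void) {
    static const char pkt[] = "\x04\x02" "alice\0" "\0" "EXAMPLE.COM";
    return parse_v4_request(pkt, sizeof pkt, &parsed);       /* 0 */
}

const char *demo_parsed_realm(void) {
    return parsed.realm;                                     /* "EXAMPLE.COM" */
}

/* A 60-byte realm: strcpy() into a REALM_SZ buffer would overrun by 21 bytes. */
int demo_overlong_realm(void) {
    char pkt[4 + 60 + 1];
    pkt[0] = 4; pkt[1] = 2; pkt[2] = '\0'; pkt[3] = '\0';    /* empty name/inst */
    memset(pkt + 4, 'A', 60);
    pkt[64] = '\0';
    return parse_v4_request(pkt, sizeof pkt, &parsed);       /* -2 */
}

/* The realm's terminating NUL was not sent: strcpy() would read past the end
 * of the received data until it happened to hit a zero byte. */
int demo_unterminated_realm(void) {
    static const char pkt[] = "\x04\x02" "bob\0" "\0" "EXAMPLE.COM";
    return parse_v4_request(pkt, sizeof pkt - 1, &parsed);   /* -1 */
}

int main(void) {
    printf("well-formed:  rc=%d realm=%s\n", demo_well_formed(), demo_parsed_realm());
    printf("overlong:     rc=%d\n", demo_overlong_realm());
    printf("unterminated: rc=%d\n", demo_unterminated_realm());
    return 0;
}
```

<P>The bounded memchr() is the fix for the missing null-termination
check; the comparison of the field length against the destination size
is the fix for the overflows. An overrun of a static buffer of this kind
lands in whatever the linker placed next to it, which is why the
advisory rates the impact as denial of service rather than code
execution.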

<H3>The MIT Kerberos Team Advisory</H3>

<P>The MIT Kerberos Team described these vulnerabilities in more
detail in an advisory they recently issued.  This advisory is
available at

<dl>
<dd>
<A
HREF="http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt">http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt</a>
<P>
</dd>
</dl>

<A NAME="impact">
<H2>II. Impact</H2>

<p>Depending on the version of Kerberos, the environment in which it is
running, and the particular vulnerability that is exploited, a remote
attacker can cause one or more of the following:
<ul>

<li>The KDC to issue invalid tickets for all principals,

<li>The KDC to generate a "principal
unknown" error, or

<li>The KDC process to crash.
</ul>

<p>In any of these cases, no new authentications to Kerberized services
are possible until the KDC is restarted, so the operation of those
services is effectively halted until then.

<p>It does not appear that any of these vulnerabilities allows
the execution of code by an intruder.

<p>Additional detail can be found in the MIT advisory. 

<A NAME="solution">
<H2>III. Solution</H2>

<H4>Apply a patch from your vendor</H4>

<P>Appendix A contains information provided by vendors for this
advisory. We will update the appendix as we receive more information.
If you do not see your vendor's name, the CERT/CC did not hear from
that vendor. Please contact your vendor directly.</P>

<H4>Apply the MIT patches</H4>

<P>If you are running a Kerberos distribution from MIT and can
rebuild your binaries from source, you can apply the source code
patches from MIT to correct these problems. These patches are
available in the <A
HREF="http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt">MIT
Advisory</a>. 


<P>If you are running other MIT-derived implementations, you need
to apply the appropriate vendor patches and recompile the KDC server
software.

<H4>Disable Kerberos version 4 authentication in Kerberos version 5 if possible</H4>

<P>As MIT suggests, krb4 ticket handling in the krb5 KDC can be disabled
at run time by supplying the appropriate command-line option to the KDC
server; consult the krb5kdc documentation for your release. Alternatively,
the krb5 distribution can be compiled with the configure option
'--without-krb4', which leaves all krb4 ticket handling out of the build.
Either measure stops clients that still depend on krb4 tickets from
authenticating, hence the "if possible".

<H4>Upgrade to MIT Kerberos 5 version 1.2</H4>

<P>The vulnerabilities described in this advisory will be addressed in
Kerberos 5 version 1.2. This version will be available from the MIT Kerberos
web site: 

<DL><DD>
<A HREF="http://web.mit.edu/kerberos/www/">
http://web.mit.edu/kerberos/www/</A>
</DL>

<P>

<A NAME="vendors">
<H2>Appendix A. Vendor Information</H2>


<A NAME="mit">
<H4>MIT Kerberos</H4>

<P>The MIT Kerberos Team advisory on this topic is available from:

<DL><DD>
<A HREF="http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt">
http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt</A>
</DL>


<A NAME="bsdi">
<H4>BSDI</H4>

<p>BSDI is working on a patch for this problem and will announce it
via our normal channels as soon as it is available.

<A NAME="ibm">
<H4>IBM Corporation</H4>

<P>The IBM AFS Kerberos server shares very little actual code with the original
MIT Kerberos server and the code referred to in this advisory is
specifically not used. We have reviewed the equivalent functions in our
code to eliminate this type of vulnerability.

<A NAME="netbsd">
<H4>NetBSD</H4>

<p>Versions of kerberos which have been integrated into released
versions of NetBSD and distributed as part of the optional,
not-for-export "secr" sets are vulnerable to some of the problems
cited in the advisory.  Integration of the fixes is in progress and
will be announced in a NetBSD security advisory when complete.

<A NAME="uwash">
<H4>University of Washington</H4>

<p>[...] we don't distribute client or server binaries with MIT Kerberos
support.  

<p>We distribute source that allows building on UNIX and PC with MIT
Kerberos.  A site which wants to use Kerberos must build our software
(e.g. Pine, imapd, ipop[23]d) locally in order to use MIT Kerberos.

<p>I did not see anything in this alert that specifically indicates a
problem for [our] clients or servers.  As with all other software
built with MIT Kerberos, it would be prudent for a site that uses our
software with MIT Kerberos to rebuild it with the patched version of
MIT Kerberos.

<HR NOSHADE>

<P>The CERT Coordination Center thanks Tom Yu and the <a href="http://web.mit.edu/kerberos/www/krbdev.html">MIT Kerberos
Team</a> for notifying us about these problems and for their help in developing
this advisory.</P>

<HR NOSHADE>

<P><a href="mailto:cert@cert.org?subject=CA-2000-11%20Feedback">Jeff
Havrilla</a> was the primary author of the CERT/CC portions of this
document.

<P></P>


<P>Copyright 2000, 2001 Carnegie Mellon University, portions Copyright 2000 MIT
University.</P>

<P>Revision History
<PRE>
June 9, 2000:  Initial release
September 14, 2001:	Added IBM statement
</PRE>