
UNIRAS Brief - 471/04 - MIT krb5 Security Advisory 2004-003



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 471/04 dated 01.09.04.  Time: 14:35 
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
Two MIT Security Advisories:

1. MIT krb5 Security Advisory 2004-003 - ASN.1 decoder denial of service

2. MIT krb5 Security Advisory 2004-002 - double-free vulnerabilities in KDC and libraries


Detail
====== 

1.  The ASN.1 decoder library in the MIT Kerberos 5 distribution is vulnerable to a denial-of-service
attack causing an infinite loop in the decoder.  The KDC is vulnerable to this attack.

2. The MIT Kerberos 5 implementation's Key Distribution Center (KDC) program contains a double-free
vulnerability that potentially allows a remote attacker to execute arbitrary code.  Compromise of a
KDC host compromises the security of the entire authentication realm served by the KDC.  Additionally, 
double-free vulnerabilities exist in MIT Kerberos 5 library code, making client programs and 
application servers vulnerable.






1.
                 MIT krb5 Security Advisory 2004-003

Original release: 2004-08-31

Topic: ASN.1 decoder denial of service

Severity: serious

SUMMARY
=======

The ASN.1 decoder library in the MIT Kerberos 5 distribution is vulnerable to a denial-of-service 
attack causing an infinite loop in the decoder.  The KDC is vulnerable to this attack.

IMPACT
======

* An unauthenticated remote attacker can cause a KDC or application
  server to hang inside an infinite loop.  [CAN-2004-0644]

* An attacker impersonating a legitimate KDC or application server may
  cause a client program to hang inside an infinite loop.  [CAN-2004-0644]

AFFECTED SOFTWARE
=================

* KDC software and applications from MIT Kerberos 5 releases
  krb5-1.2.2 through krb5-1.3.4.

* Applications using the MIT krb5 libraries from the above releases.

FIXES
=====

* The upcoming krb5-1.3.5 release will contain fixes for these
  problems.

* Apply the appropriate patch referenced below, and rebuild the software.

Patches available:

* Patch against krb5-1.3.4 (should apply to earlier krb5-1.3.x releases)

* Patch against krb5-1.2.8 (should apply to releases krb5-1.2.2
  through krb5-1.2.7 as well)

PATCH AGAINST krb5-1.3.4
========================

* This patch was generated against krb5-1.3.4; it may
  apply, with some offset, to earlier krb5-1.3.x releases.

  This patch may also be found at:

  http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt.asc

Index: src/lib/krb5/asn.1/asn1buf.c ===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.24
*** src/lib/krb5/asn.1/asn1buf.c	12 Mar 2003 04:33:30 -0000	5.24
- - --- src/lib/krb5/asn.1/asn1buf.c	23 Aug 2004 03:43:47 -0000
***************
*** 122,127 ****
- - --- 122,129 ----
        return ASN1_OVERRUN;
    }
    while (nestlevel > 0) {
+     if (buf->bound - buf->next + 1 <= 0)
+       return ASN1_OVERRUN;
      retval = asn1_get_tag_2(buf, &t);
      if (retval) return retval;
      if (!t.indef) {
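Review bot: the new guard `if (buf->bound - buf->next + 1 <= 0)` at the top of the `while (nestlevel > 0)` loop is only correct if `buf->bound` is an inclusive pointer to the last octet, which is what the `+ 1` implies; a one-line comment stating that convention would keep a later reader from "correcting" it into an off-by-one. The DETAILS section names two unchecked conditions, end-of-subbuffer and the placeholder tag, while the visible lines add only the first; the review should confirm that the placeholder tag can only be produced when no octets remain, so that this check always fires before `asn1_get_tag_2` could return it.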

PATCH AGAINST krb5-1.2.8
========================

* This patch was generated against krb5-1.2.8; it may apply, with some
  offset, to releases krb5-1.2.2 through krb5-1.2.7.  You are strongly
  encouraged to update to a release from the krb5-1.3.x series.

  This patch may also be found at:

  http://web.mit.edu/kerberos/advisories/2004-003-patch_1.2.8.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-003-patch_1.2.8.txt.asc

Index: src/lib/krb5/asn.1/asn1buf.c ===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.19.2.1
diff -c -r5.19.2.1 asn1buf.c
*** src/lib/krb5/asn.1/asn1buf.c	31 Jan 2001 18:00:12 -0000	5.19.2.1
- - --- src/lib/krb5/asn.1/asn1buf.c	23 Aug 2004 03:54:50 -0000
***************
*** 140,145 ****
- - --- 140,147 ----
        return ASN1_OVERRUN;
    }
    while (nestlevel > 0) {
+     if (buf->bound - buf->next + 1 <= 0)
+       return ASN1_OVERRUN;
      retval = asn1_get_tag_indef(buf, &class, &construction, &tagnum,
  				&taglen, &tagindef);
      if (retval) return retval;
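Review bot: this is the same remaining-octet guard as in the 1.3.4 patch, here placed ahead of `asn1_get_tag_indef`, which has five output parameters (`class`, `construction`, `tagnum`, `taglen`, `tagindef`) that are not initialised on the lines shown; the early return must therefore stay the first statement of the loop body, and a comment saying so would prevent a later reordering from reading `taglen` or `tagindef` uninitialised. Since the expression `buf->bound - buf->next + 1` is now duplicated across the 1.2.x and 1.3.x branches, a small shared helper returning the remaining octet count would keep the two from drifting apart.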

REFERENCES
==========

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CERT VU#550464

        http://www.kb.cert.org/vuls/id/550464

CVE CAN-2004-0644

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644

        ASN.1 decoder bug in MIT Kerberos 5 releases krb5-1.2.2
        through krb5-1.3.4 allows unauthenticated remote attackers to
        induce infinite loop, causing denial of service, including in
        KDC code

ACKNOWLEDGMENTS
===============

Thanks to Will Fiveash and Nico Williams at Sun for finding this vulnerability.

DETAILS
=======

The ASN.1 decoder in the MIT krb5 library handles indefinite-length BER encodings for the purpose of backwards compatibility with some non-conformant implementations.  The ASN.1 decoders call asn1buf_sync() to skip any trailing unrecognized fields in the encoding of a SEQUENCE type.  asn1buf_sync() calls asn1buf_skiptail() if the ASN.1 SEQUENCE type being decoded was encoded with an indefinite length.  asn1buf_sync() is provided with a prefetched BER tag; a placeholder tag is provided by the prefetching code in the case where there are no more octets in a sub-encoding.

The loop in asn1buf_skiptail() which attempts to skip trailing sub-encodings of an indefinite-length SEQUENCE type does not properly check for end-of-subbuffer conditions or for the placeholder tag, leading to an infinite loop.  Valid BER encodings cannot cause this condition; however, it is trivial to construct a corrupt encoding which will trigger the infinite loop.
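The following is an added illustration of the loop described above, not MIT's code: a simplified asn1buf model (inclusive `bound` pointer, as the patch's `bound - next + 1` implies), a tag reader that returns a zero-length placeholder tag on an empty buffer exactly as the advisory describes the prefetching code, and a skip loop carrying the remaining-octet check the patch adds. All struct and function names are assumptions made for the example.

```c
#include <stddef.h>

/* Model of the krb5 asn1buf cursor (an assumption, not the MIT struct):
   `next` is the read position, `bound` points at the LAST valid octet,
   so the remaining octet count is bound - next + 1, as in the patch. */
typedef struct {
    const unsigned char *next;
    const unsigned char *bound;
} asn1buf;

enum { ASN1_OK = 0, ASN1_OVERRUN = 1, ASN1_BAD_LENGTH = 2 };
#define PLACEHOLDER_TAG 0xFF  /* stand-in for "no tag could be read" */

static ptrdiff_t remaining(const asn1buf *b) { return b->bound - b->next + 1; }

/* Read a one-octet identifier plus a short- or long-form length. As the
   advisory says of the prefetching code, an empty buffer yields a
   zero-length placeholder tag and ASN1_OK rather than an error. */
static int get_tag(asn1buf *b, unsigned char *id, size_t *len, int *indef)
{
    *len = 0; *indef = 0;
    if (remaining(b) <= 0) { *id = PLACEHOLDER_TAG; return ASN1_OK; }
    *id = *b->next++;
    if (remaining(b) <= 0) return ASN1_OVERRUN;
    unsigned char l = *b->next++;
    if (l == 0x80) { *indef = 1; return ASN1_OK; }   /* indefinite length */
    if (l < 0x80) { *len = l; return ASN1_OK; }      /* short form */
    unsigned n = l & 0x7F;                           /* long form */
    if (n == 0 || n > sizeof(size_t)) return ASN1_BAD_LENGTH;
    if (remaining(b) < (ptrdiff_t)n) return ASN1_OVERRUN;
    while (n--) *len = (*len << 8) | *b->next++;
    return ASN1_OK;
}

/* Skip the trailing sub-encodings of an indefinite-length constructed
   value up to its 0x00 0x00 end-of-contents marker, honouring nesting.
   Without the first check in the loop, a truncated input makes get_tag
   return the zero-length placeholder forever; with it, ASN1_OVERRUN. */
int asn1_skiptail(asn1buf *b)
{
    int nestlevel = 1;
    while (nestlevel > 0) {
        if (remaining(b) <= 0) return ASN1_OVERRUN;   /* the patch's check */
        unsigned char id; size_t len; int indef, rv;
        if ((rv = get_tag(b, &id, &len, &indef)) != ASN1_OK) return rv;
        if (indef) { nestlevel++; continue; }                  /* nested */
        if (id == 0x00 && len == 0) { nestlevel--; continue; } /* EOC */
        if ((size_t)remaining(b) < len) return ASN1_OVERRUN;
        b->next += len;                                        /* skip */
    }
    return ASN1_OK;
}

/* Run the skip over a byte string; reports how many octets were consumed. */
int skip_tail_of(const unsigned char *data, size_t n, size_t *consumed)
{
    if (n == 0) { *consumed = 0; return ASN1_OVERRUN; }
    asn1buf b = { data, data + n - 1 };
    int rv = asn1_skiptail(&b);
    *consumed = (size_t)(b.next - data);
    return rv;
}
```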

REVISION HISTORY
================

2004-08-31      original release

Copyright (C) 2004 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

- -----END PGP SIGNATURE-----




2.

                      MIT krb5 Security Advisory 2004-002
             double-free vulnerabilities in KDC and libraries
                             1 September 2004


Product:                MIT Kerberos 5 Key Distribution Center
Publisher:              MIT
Impact:                 Execute Arbitrary Code/Commands
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0642 CAN-2004-0772 CAN-2004-0643

Ref:                    ESB-2004.0548
                        ESB-2004.0549
                        ESB-2004.0550

- --

- - -----BEGIN PGP SIGNED MESSAGE-----

                 MIT krb5 Security Advisory 2004-002

Original release: 2004-08-31

Topic: double-free vulnerabilities in KDC and libraries

Severity: CRITICAL

SUMMARY
=======

The MIT Kerberos 5 implementation's Key Distribution Center (KDC) program contains a double-free vulnerability that potentially allows a remote attacker to execute arbitrary code.  Compromise of a KDC host compromises the security of the entire authentication realm served by the KDC.  Additionally, double-free vulnerabilities exist in MIT Kerberos 5 library code, making client programs and application servers vulnerable.

Exploitation of double-free bugs is believed to be difficult.  No exploits are known to exist for these vulnerabilities.

IMPACT
======

* An unauthenticated remote attacker can potentially execute arbitrary
  code on a KDC host, compromising an entire Kerberos
  realm. [CAN-2004-0642]

* A remote attacker can potentially execute arbitrary code on a host
  running krb524d, possibly compromising an entire Kerberos realm if
  the host is a KDC host. [CAN-2004-0772]

* An authenticated attacker can also potentially execute arbitrary
  code on hosts running vulnerable services. [CAN-2004-0643]

* An attacker impersonating a legitimate KDC or application server can
  potentially execute arbitrary code on a client host while the client
  is authenticating. [CAN-2004-0642]

AFFECTED SOFTWARE
=================

* KDC software from all releases of MIT Kerberos 5 up to and including
  krb5-1.3.4. [CAN-2004-0642]

* The krb524d program from krb5-1.2.8 and later.  The krb524d present
  in earlier releases is vulnerable if it has been patched to disable
  krb4 cross-realm functionality. [CAN-2004-0772]

* Applications calling the krb5_rd_cred() function in releases prior
  to krb5-1.3.2.  Such applications in the MIT krb5 releases include
  the remote login daemons (krshd, klogind, and telnetd) and the FTP
  daemon. The krb5_rd_cred() function decrypts and decodes forwarded
  Kerberos credentials.  Third-party applications calling this
  function directly or indirectly (by means of the GSSAPI or other
  libraries) are vulnerable. [CAN-2004-0643]

* Client code from all releases of MIT Kerberos 5 up to and including
  krb5-1.3.4.  Third-party applications directly or indirectly calling
  client library functions may also be vulnerable. [CAN-2004-0642]

FIXES
=====

* The upcoming krb5-1.3.5 release will contain fixes for these
  problems.

* Apply the appropriate patch or patches referenced below, and rebuild
  the software.

  - If you are running krb5-1.3 through krb5-1.3.4, apply
    2004-002-patch_1.3.4.txt.

  - If you are running krb5-1.3 through krb5-1.3.1, apply
    2004-002-patch_1.3.1.txt.

  - If you are running krb5-1.2.8, apply
    2004-002-patch_1.2.8.txt.

  - Things become more complicated if you are running krb5-1.2 through
    krb5-1.2.7.  The correct set of patches to apply will depend on
    whether you have applied the patches to disable krb4 cross-realm
    functionality [MITKRB5-SA-2003-004].

    + If you are running krb5-1.2.6 through krb5-1.2.7, and have
      applied the patches to disable krb4 cross-realm functionality,
      apply 2004-002-patch_1.2.8.txt.

    + If you are running krb5-1.2 through krb5-1.2.5, and have applied
      the patches to disable krb4 cross-realm functionality, apply
      2004-002-patch_1.2.7.txt, followed by
      2004-002-k524d_patch_1.2.5.txt.

    + If you are running krb5-1.2 through krb5-1.2.7, and have not
      applied the patches to disable krb4 cross-realm functionality,
      apply 2004-002-patch_1.2.7.txt.

Summary chart of patches to apply for releases krb5-1.2 through krb5-1.2.7:

            | patched for 2003-004           | not patched for 2003-004
 -----------+--------------------------------+--------------------------
 krb5-1.2.7 |                                |
 -----------+ 2004-002-patch_1.2.8.txt       |
 krb5-1.2.6 |                                |
 -----------+--------------------------------+ 2004-002-patch_1.2.7.txt
 krb5-1.2.5 | 2004-002-patch_1.2.7.txt       |
 through    |     and                        |
 krb5-1.2   | 2004-002-k524d_patch_1.2.5.txt |

Patches available:

* Patch for krb5-1.3.4 (2004-002-patch_1.3.4.txt)

* Patch for krb5-1.3.1 (2004-002-patch_1.3.1.txt)

* Patch for krb5-1.2.8 (2004-002-patch_1.2.8.txt)

* Patch for krb5-1.2.7 (2004-002-patch_1.2.7.txt)

* Patch for krb524d in krb5-1.2.5 which has been previously patched
  to disable krb4 cross-realm (2004-002-k524d_patch_1.2.5.txt)

Note: Each patch is generated against the specific release noted above.  The patches may apply with some offset against other compatible releases listed above.

2004-002-patch_1.3.4.txt
========================

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.4.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.4.txt.asc

2004-002-patch_1.3.1.txt
========================

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.1.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.1.txt.asc

2004-002-patch_1.2.8.txt
========================

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.8.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-002-patch_128.txt.asc

2004-002-patch_1.2.7.txt
========================

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt.asc

2004-002-k524d_patch_1.2.5.txt
==============================

  http://web.mit.edu/kerberos/advisories/2004-002-k524d_patch_1.2.5.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-002-k524d_patch_1.2.5.txt.asc

REFERENCES
==========

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CERT VU#795632

        http://www.kb.cert.org/vuls/id/795632

CVE CAN-2004-0642

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642

        KDC and client libraries double-free on error conditions in
        MIT Kerberos 5 releases krb5-1.3.4 and earlier, allowing
        unauthenticated remote attackers to execute arbitrary code

CERT VU#866472

        http://www.kb.cert.org/vuls/id/866472

CVE CAN-2004-0643

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643

        krb5_rd_cred() double-frees on error conditions in MIT
        Kerberos 5 releases krb5-1.3.1 and earlier, allowing
        authenticated attackers to execute arbitrary code

VU#350792

        http://www.kb.cert.org/vuls/id/350792

CVE CAN-2004-0772

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772

        krb524d in krb5-1.2.8 and later double-frees on error
        conditions, allowing remote attackers to execute arbitrary
        code.  Earlier releases patched for the krb4 protocol
        vulnerability [MITKRB5-SA-2003-004] are also vulnerable.

ACKNOWLEDGMENTS
===============

Thanks to Will Fiveash and Nico Williams at Sun for finding some of these vulnerabilities and for providing initial patches.

Thanks to Marc Horowitz for discovering the krb524d vulnerability.

Thanks to Nalin Dahyabhai for providing a corrected patch for krb524d in releases krb5-1.2 through krb5-1.2.5 in cases where krb524d has been patched to disable krb4 cross-realm functionality.

Thanks to Joseph Galbraith and John Hawkinson, who both independently discovered the double-free in krb5_rd_cred() which was corrected in release krb5-1.3.2.

DETAILS
=======

In the MIT krb5 library, in all releases up to and including krb5-1.3.4, ASN.1 decoder functions and their callers do not use a consistent set of memory management conventions.  The callers expect the decoders to allocate memory.  The callers typically have error-handling code which frees memory allocated by the ASN.1 decoders if pointers to the allocated memory are non-null.  Upon encountering error conditions, the ASN.1 decoders themselves free memory which they have allocated, but do not null the corresponding pointers.  When some library functions receive errors from the ASN.1 decoders, they attempt to pass the non-null pointer (which points to freed memory) to free(), causing a double-free.

In all releases of MIT krb5 up to and including krb5-1.3.4, cleanup code in the KDC frees memory returned by ASN.1 decoders.  This cleanup code only frees memory pointed to by non-null pointers, but if an ASN.1 decoder returns an error, the cleanup code will free memory previously freed by the decoder.

Implementations of krb5_rd_cred() prior to the krb5-1.3.2 release contained code to explicitly free the buffer returned by the ASN.1 decoder function decode_krb5_enc_cred_part() when the decoder returns an error.  This is another double-free, since the decoder would itself free the buffer on error.  Since decode_krb5_enc_cred_part() does not get called unless the decryption of the encrypted part of the KRB-CRED is successful, the attacker needs to have authenticated.  This code was corrected in the krb5-1.3.2 release.

The patch (introduced in krb5-1.2.8 and present in all subsequent releases) for disabling krb4 cross-realm authentication in krb524d introduced a double-free vulnerability.  If handle_classic_v4() denies the conversion of a cross-realm ticket, v5tkt->enc_part2 gets freed but not nulled, so do_connection() double-frees many things when it subsequently calls krb5_free_ticket().
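The following is an added example, not MIT's code, of the memory-management mismatch the DETAILS section describes: a decoder that frees on error but leaves the caller's pointer dangling, beside the convention that makes the caller's "free if non-null" cleanup safe. The structure and function names are assumptions, and free() is replaced by a recording shim so that the double free is counted rather than performed.

```c
#include <stdlib.h>
#include <string.h>

/* Toy decoded type standing in for the krb5 structures (an assumption);
   the nested heap member is why freeing a ticket "double-frees many things". */
typedef struct { char *principal; } enc_part;

/* Recording free(): frees are logged, not performed, so a second free of
   the same pointer is counted instead of corrupting the heap. */
static void *freed[32]; static int nfreed, double_frees;
static void tracked_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }
    if (nfreed < 32) freed[nfreed++] = p;
}
static void free_enc_part(enc_part *e)
{
    if (!e) return;
    tracked_free(e->principal);
    tracked_free(e);
}
static char *dup_str(const char *s) { size_t n = strlen(s) + 1; return memcpy(malloc(n), s, n); }

/* Pre-fix convention: the decoder publishes *out early, frees what it
   allocated on error, and leaves *out pointing at freed memory.
   An empty input stands in for a malformed encoding. */
int decode_enc_part_vulnerable(const char *data, enc_part **out)
{
    enc_part *e = malloc(sizeof *e);   /* allocation failure ignored here */
    *out = e;
    e->principal = dup_str(data);
    if (data[0] == '\0') { free_enc_part(e); return -1; }  /* *out dangles */
    return 0;
}

/* Fixed convention: on error nothing allocated survives and *out is NULL,
   so the caller's non-null check in cleanup is always correct. */
int decode_enc_part_fixed(const char *data, enc_part **out)
{
    *out = NULL;
    enc_part *e = malloc(sizeof *e);
    e->principal = dup_str(data);
    if (data[0] == '\0') { free_enc_part(e); return -1; }
    *out = e;
    return 0;
}

/* KDC-style caller as described in the advisory: cleanup frees whatever
   is non-null. Returns how many double frees the recording shim saw. */
int process_request(int (*decode)(const char *, enc_part **), const char *data)
{
    enc_part *e = NULL;
    nfreed = 0; double_frees = 0;
    decode(data, &e);            /* success or error, cleanup runs either way */
    free_enc_part(e);            /* cleanup: frees only if non-null */
    return double_frees;
}
```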

REVISION HISTORY
================

2004-08-31      original release

Copyright (C) 2004 Massachusetts Institute of Technology
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

- - -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone, or send Not Protectively Marked information via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of MIT for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

-----END PGP SIGNATURE-----