[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
UNIRAS Brief - 481/04 - 2 US-CERT Technical Cyber Security Bulletins - Multiple Vulnerabilities in Oracle Products/Vulnerabilities in MIT Kerberos 5
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 481/04 dated 06.09.04 Time: 12:30
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------
Title
=====
US-CERT Technical Cyber Security Bulletin:
1. Multiple Vulnerabilities in Oracle Products.
2. Vulnerabilities in MIT Kerberos 5.
Detail
======
1. Several vulnerabilities exist in the Oracle Database Server,Application Server,
and Enterprise Manager software. The most serious vulnerabilities could allow a
remote attacker to execute arbitrary code on an affected system.
2. The MIT Kerberos 5 implementation contains several vulnerabilities,the most severe
of which could allow an unauthenticated, remote attacker to execute arbitrary code
on a Kerberos Distribution Center(KDC). This could result in the compromise of an
entire Kerberos realm.
- -----------------------------------------------------------------------------------
1.
- -----------------------------------------------------------------------------------
Technical Cyber Security Alert TA04-245A
Multiple Vulnerabilities in Oracle Products
Original release date: September 1, 2004
Last revised: --
Source: US-CERT
Systems Affected
The following Oracle applications are affected:
* Oracle Database 10g Release 1, version 10.1.0.2
* Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and
9.0.4
* Oracle8i Database Server Release 3, version 8.1.7.4
* Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
* Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
* Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and
9.0.4.1
* Oracle9i Application Server Release 2, versions 9.0.2.3 and
9.0.3.1
* Oracle9i Application Server Release 1, version 1.0.2.2
Oracle's Collaboration Suite and E-Business Suite 11i contain some of
the vulnerable components and are also affected.
According to Oracle, the following product releases and versions, and
all future releases and versions are not affected:
* Oracle Database 10g Release 1, version 10.1.0.3
* Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3 (not
yet available)
* Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet
available)
Overview
Several vulnerabilities exist in the Oracle Database Server,
Application Server, and Enterprise Manager software. The most serious
vulnerabilities could allow a remote attacker to execute arbitrary
code on an affected system. Oracle's Collaboration Suite and
E-Business Suite 11i contain the vulnerable software and are affected
as well.
I. Description
Several vulnerabilities have been reported in Oracle's Database
Server, Application Server, and Enterprise Manager software. According
to reports, several buffer overflow, format string, SQL injection and
other types of vulnerabilities were discovered and reported to Oracle.
Oracle has released Oracle Security Alert #68 (pdf) to address these
vulnerabilities. We are tracking them as follows:
VU#170830 - Oracle Enterprise Manager contains several
vulnerabilities
VU#316206 - Oracle Database Server contains several vulnerabilities
VU#435974 - Oracle Application Server contains several
vulnerabilities
As more information becomes available, we will update these
vulnerability notes as appropriate.
II. Impact
The impacts of the vulnerabilities described above are unclear.
According to credible reports, the impacts of these vulnerabilities
range from the remote unauthenticated execution arbitrary code to data
corruption or leakage.
III. Solution
Apply a patch or upgrade
Apply the appropriate patch or upgrade as specified in the Oracle
Security Alert #68 (pdf).
Organizations that use Oracle's Collaboration Suite or E-Business
Suite 11i should see Oracle Security Alert #68 (pdf) for remediation
instructions.
Appendix A. References
* Oracle Security Alert #68 (pdf) - <
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.p
df>
* US-CERT Vulnerability Note VU#316206 -
<http://www.kb.cert.org/vuls/id/316206>
* US-CERT Vulnerability Note VU#435974 -
<http://www.kb.cert.org/vuls/id/435974>
* US-CERT Vulnerability Note VU#170830 -
<http://www.kb.cert.org/vuls/id/170830>
_________________________________________________________________
US-CERT thanks all the parties involved in researching and reporting
these vulnerabilities. Specifically, Oracle credits the people for
discovering these issues: David Litchfield, Michael Litchfield, Cesar
Cerrudo, Pete Finnigan, Jonathan Gennick, Alexander Kornbrust, Stephen
Kost, Matt Moore, Aaron Newman, Andy Rees, and Christian Schaller.
_________________________________________________________________
Feedback can be directed to the author: Jason A. Rafail.
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA04-245A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
Sep 1, 2004: Initial release
Last updated September 01, 2004
- ----------------------------------------------------------------------------------
2.
- ----------------------------------------------------------------------------------
National Cyber Alert System
Technical Cyber Security Alert TA04-247A
Vulnerabilities in MIT Kerberos 5
Original release date: September 3, 2004
Last revised: --
Source: US-CERT
Systems Affected
* MIT Kerberos 5 versions prior to krb5-1.3.5
* Applications that use versions of MIT Kerberos 5 libraries prior
to krb5-1.3.5
* Applications that contain code derived from MIT Kerberos 5
Updated vendor information is available in the systems affected
section of the individual vulnerability notes.
Overview
The MIT Kerberos 5 implementation contains several vulnerabilities,
the most severe of which could allow an unauthenticated, remote
attacker to execute arbitrary code on a Kerberos Distribution Center
(KDC). This could result in the compromise of an entire Kerberos
realm.
I. Description
There are several vulnerabilities in the MIT implementation of the
Kerberos 5 protocol. With one exception (VU#550464), all of the
vulnerabilities involve insecure deallocation of heap memory
(double-free vulnerabilities) during error handling and Abstract
Syntax Notation One (ASN.1) decoding. For further details, please see
the following vulnerability notes:
VU#795632 - MIT Kerberos 5 ASN.1 decoding functions insecurely
deallocate memory (double-free)
The MIT Kerberos 5 library does not securely deallocate heap memory
when decoding ASN.1 structures, resulting in double-free
vulnerabilities. An unauthenticated, remote attacker could execute
arbitrary code on a KDC server, which could compromise an entire
Kerberos realm. An attacker may also be able to execute arbitrary code
on Kerberos clients, or cause a denial of service on KDCs or clients.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0642)
VU#866472 - MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred()
insecurely deallocates memory (double-free)
The krb5_rd_cred() function in the MIT Kerberos 5 library does not
securely deallocate heap memory when decoding ASN.1 structures,
resulting in a double-free vulnerability. A remote, authenticated
attacker could execute arbitrary code or cause a denial of service on
any system running an application that calls krb5_rd_cred(). This
includes Kerberos application servers and other applications that
process Kerberos authentication via the MIT Kerberos 5 library,
Generic Security Services Application Programming Interface (GSSAPI),
and other libraries.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0643)
VU#350792 - MIT Kerberos krb524d insecurely deallocates memory
(double-free)
The MIT Kerberos krb524d daemon does not securely deallocate heap
memory when handling an error condition, resulting in a double-free
vulnerability. An unauthenticated, remote attacker could execute
arbitrary code on a system running krb524d, which in many cases is
also a KDC. The compromise of a KDC system can lead to the compromise
of an entire Kerberos realm. An attacker may also be able to cause a
denial of service on a system running krb524d.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0772)
VU#550464 - MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail()
does not properly terminate loop
The asn1buf_skiptail() function in the MIT Kerberos 5 library does not
properly terminate a loop, allowing an unauthenticated, remote
attacker to cause a denial of service in a KDC, application server, or
Kerberos client.
(Other resources: MITKRB5-SA-2004-003, CAN-2004-0644)
II. Impact
The impacts of these vulnerabilities vary, but an attacker may be able
to execute arbitrary code on KDCs, systems running krb524d (typically
also KDCs), application servers, applications that use Kerberos
libraries directly or via GSSAPI, and Kerberos clients. An attacker
could also cause a denial of service on any of these systems.
The most severe vulnerabilities could allow an unauthenticated, remote
attacker to execute arbitrary code on a KDC system. This could result
in the compromise of both the KDC and an entire Kerberos realm.
III. Solution
Apply a patch or upgrade
Check with your vendor(s) for patches or updates. For information
about a specific vendor, please see the systems affected sections in
the individual vulnerability notes or contact your vendor directly.
Alternatively, apply the appropriate source code patch(es) referenced
in MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003 and recompile.
These vulnerabilities will be addressed in krb5-1.3.5.
Appendix A. References
* Vulnerability Note VU#795632 -
<http://www.kb.cert.org/vuls/id/795632>
* Vulnerability Note VU#866472 -
<http://www.kb.cert.org/vuls/id/866472>
* Vulnerability Note VU#350792 -
<http://www.kb.cert.org/vuls/id/350792>
* Vulnerability Note VU#550464 -
<http://www.kb.cert.org/vuls/id/550464>
* MIT krb5 Security Advisory 2004-002 -
<http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfre
e.txt>
* MIT krb5 Security Advisory 2004-003 -
<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-as
n1.txt>
* Kerberos: The Network Authentication Protocol -
<http://web.mit.edu/kerberos/www/>
_______________________________________________________________________
Thanks to Tom Yu and the MIT Kerberos Development team for addressing
these vulnerabilities and coordinating with vendors. MIT credits the
following people: Will Fiveash, Joseph Galbraith, John Hawkinson, Marc
Horowitz, and Nico Williams.
_______________________________________________________________________
Feedback can be directed to the author: Art Manion
_______________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA04-245A.html>
_______________________________________________________________________
Copyright 2004 Carnegie Mellon University. Terms of use
Terms of use: <http://www.us-cert.gov/legal.html>
_______________________________________________________________________
Revision History
September 3, 2004: Initial release
- ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via
EMail to: uniras@xxxxxxxxxxxx
Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749
Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts
- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of US-CERT for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQCVAwUBQTxgY4pao72zK539AQFnAQQAgJSiPTw+8xiGiMZoUPmCfkX0jQgI3GwN
zIwGuyM9Bm4zLL2dsA6VzUOj870KAHATvnybFEVxN2Td5NLpVLehQvqnStLbqQIt
LHsZ06drLmNbzlc29yc/K1NAFekRXnbeDB37DE/zWRNCrKIAMKD9y8IxMo12UIC1
7NWHCBFjEg8=
=CDj2
-----END PGP SIGNATURE-----