
UNIRAS Brief - 497/04 - Two Sun Alert Notifications



 

----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 497/04 dated 13.09.04  Time: 11:05
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

Two Sun Alert Notifications:

1. The in.named(1M) Process May Die Upon Receiving Dynamic Updates.

2. Security Vulnerabilities in the Kerberos Key Distribution Center 
  (KDC) Daemon and Kerberos V5 Libraries.

Detail
====== 

1. A remote privileged user may be able to create a denial of the Domain
Name System (DNS) service by killing the in.named(1M) daemon. As a result,
applications, systems and devices relying on DNS may fail.

2. Multiple vulnerabilities in the Kerberos Key Distribution Center 
(KDC) Daemon and Kerberos V5 Libraries.




1.             ESB-2004.0565 -- Sun Alert Notification 57614
      The in.named(1M) Process May Die Upon Receiving Dynamic Updates
                             13 September 2004


Product:                in.named
Publisher:              Sun Microsystems
Operating System:       Solaris 8
Platform:               IA-32
                        SPARC
Impact:                 Denial of Service
Access:                 Remote/Unauthenticated

--------------------------BEGIN INCLUDED TEXT--------------------

   DOCUMENT ID: 57614
   SYNOPSIS: The in.named(1M) Process May Die Upon Receiving Dynamic
   Updates
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57614
     * Synopsis: The in.named(1M) Process May Die Upon Receiving Dynamic
       Updates
     * Category: Security
     * Product: Solaris
     * BugIDs: 4879822
     * Avoidance: Workaround, Patch
     * State: Resolved
     * Date Released: 03-Sep-2004
     * Date Closed: 03-Sep-2004
     * Date Modified:
       
1. Impact

   A remote privileged user may be able to create a denial of the Domain
   Name System (DNS) service by killing the in.named(1M) daemon. As a
   result, applications, systems and devices relying on DNS may fail.
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Solaris 8 without patch 109326-16
       
   x86 Platform
     * Solaris 8 without patch 109327-16
       
   Note: Solaris 7 and Solaris 9 are not affected by this issue.
   
   The described issue only occurs on systems configured as an Internet
   DNS server. A system is configured to be a DNS server if the
   configuration file "/etc/named.conf" (named.conf(4)) exists.
   
3. Symptoms

   If the described issue occurs, the in.named(1M) process is no longer
   running. To determine if the in.named(1M) process is running, use the
   pgrep(1) command as shown:
    $ pgrep in.named || echo "in.named process NOT found!"                     
             

   Messages may be logged to syslog(3c) with a severity of "LOG_NOTICE"
   whose content starts with the following:
    "unapproved update from"                                          

   SOLUTION SUMMARY:
   
4. Relief/Workaround

   To work around the described issue, restart in.named(1M) using the
   following command as root user:
    # pgrep in.named || /usr/sbin/in.named                                     
           

   The following simple Bourne shell script will check and restart
   in.named(1M) as necessary:
    # while pgrep in.named || /usr/sbin/in.named; do sleep 10; done            
                                    

5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Solaris 8 with patch 109326-16 or later
       
   x86 Platform
     * Solaris 8 with patch 109327-16 or later
       
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   
   Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.

--------------------------END INCLUDED TEXT--------------------




2.             ESB-2004.0566 -- Sun Alert Notification 57631
         Security Vulnerabilities in the Kerberos Key Distribution
               Center (KDC) Daemon and Kerberos V5 Libraries
                             13 September 2004


Product:                Kerberos V5
                        Solaris Enterprise Authentication Mechanism 1.0.2
Publisher:              Sun Microsystems
Operating System:       Solaris 9
Platform:               IA-32
                        SPARC
Impact:                 Root Compromise
                        Execute Arbitrary Code/Commands
                        Denial of Service
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0644 CAN-2004-0643 CAN-2004-0642

Ref:                    AL-2004.026
                        ESB-2004.0556
                        ESB-2004.0551

--------------------------BEGIN INCLUDED TEXT--------------------

   DOCUMENT ID: 57631
   SYNOPSIS: Security Vulnerabilities in the Kerberos Key Distribution
   Center (KDC) Daemon and Kerberos V5 Libraries
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57631
     * Synopsis: Security Vulnerabilities in the Kerberos Key
       Distribution Center (KDC) Daemon and Kerberos V5 Libraries
     * Category: Security
     * Product: Solaris
     * BugIDs: 4865664, 5063407
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 31-Aug-2004, 01-Sep-2004
     * Date Closed: 01-Sep-2004
     * Date Modified: 01-Sep-2004
       
1. Impact

   1. An unprivileged (either authenticated or unauthenticated) remote
   user may be able to execute arbitrary code with "root" privileges on
   Kerberos Key Distribution Center (KDC) systems and thus compromise an
   entire Kerberos realm.
   
   2. An unprivileged authenticated local or remote user may be able to
   execute arbitrary code with root privileges on Kerberos enabled
   systems due to double free vulnerabilities in the Kerberos V5
   libraries.
   
   3. An unprivileged (either authenticated or unauthenticated) remote
   user may be able to cause the KDC daemon (krb5kdc(1M)) or a Kerberos
   application to hang.
   
   4. A privileged remote user who impersonates a legitimate KDC or
   Kerberos application server may be able to execute arbitrary code with
   "root" privileges on a Kerberos client while that client is
   authenticating.
   
   These issues are described in the MIT krb5 Security Advisories:
   
   MIT krb5 Security Advisory 2004-002 at
   [1]http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
   
   MIT krb5 Security Advisory 2004-003 at
   [2]http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt
   
   These issues are also referenced in:
   
   CAN-2004-0642 at
   [3]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
   
   CAN-2004-0643 at
   [4]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
   
   CAN-2004-0644 at
   [5]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644
   
   and CERT Vulnerability Notes:
   
   VU#550464 at [6]http://www.kb.cert.org/vuls/id/550464
   
   VU#866472 at [7]http://www.kb.cert.org/vuls/id/866472
   
   VU#795632 at [8]http://www.kb.cert.org/vuls/id/795632
   
2. Contributing Factors

   These issues can occur in the following releases:
   
   SPARC Platform
     * Solaris 9 without patch 112908-15
       
   x86 Platform
     * Solaris 9 without patch 115168-05
       
   Notes:
   
   1. Systems running Solaris Enterprise Authentication Mechanism (SEAM)
   1.0.2 for Solaris 9 are impacted by this issue as SEAM 1.0.2 uses the
   affected Kerberos libraries delivered in Solaris 9.
   
   2. Solaris 8 and SEAM 1.0 (for Solaris 7) and SEAM 1.0.1 (for Solaris
   8) are not impacted by this issue.
   
   3. Only systems configured to utilize Kerberos are affected by these
   issues. To determine if a system is configured to utilize Kerberos,
   run the following command:
    $ grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___


   If the command returns no output or the "krb5.conf" file is not found,
   then the system is not configured for Kerberos.
   
   4. Two of the listed impacts relate to the Kerberos Key Distribution
   Center (KDC). Systems are only vulnerable to these two issues if the
   Kerberos configured system has been configured as a KDC host. To check
   to see if the KDC daemon (see krb5kdc(1M)) is running, run the
   following command:
    $ pgrep krb5kdc || echo "krb5kdc(1M) daemon is NOT running"


   If this returns a process ID, then the system is configured as a KDC
   host. If this returns the message "krb5kdc(1M) daemon is NOT running",
   then KDC is not running.
   
3. Symptoms

   "Kerberized" applications or services (such as the SEAM applications
   shipped in "/usr/krb5/bin" and "/usr/krb5/lib") may hang and stop
   responding to requests.
   
   There are no reliable symptoms that would indicate the described
   issues have been exploited to execute arbitrary commands as "root" on
   a Kerberos host.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   There is no workaround for this issue. Please see the "Resolution"
   section below.
   
5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Solaris 9 with patch 112908-15 or later
       
   x86 Platform
     * Solaris 9 with patch 115168-05 or later
       
Change History

   01-Sep-2004:
     * Resolution patches released, re-release as Resolved.
       

References

   1. http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
   2. http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt
   3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
   4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
   5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644
   6. http://www.kb.cert.org/vuls/id/550464
   7. http://www.kb.cert.org/vuls/id/866472
   8. http://www.kb.cert.org/vuls/id/795632
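
The patch-level conditions in the two alerts above ("without patch 109326-16", "with patch 112908-15 or later") can be checked mechanically. The following is an added example, not part of the UNIRAS briefing or the Sun Alerts; it assumes the usual `showrev -p` line layout ("Patch: NNNNNN-RR ...") and covers the patch level only, not the /etc/named.conf and krb5.conf configuration checks described in the alerts.

```shell
#!/bin/sh
# Added example, not from the Sun Alerts. Patch IDs and minimum revisions are
# the ones the alerts list; everything else here is illustrative.

# required_patch RELEASE ARCH -> "ALERT BASE MINREV" (RELEASE as `uname -r`
# prints it, ARCH as `uname -p` prints it). Fails for releases not listed.
required_patch() {
    case "$1/$2" in
        5.8/sparc) echo "57614 109326 16" ;;
        5.8/i386)  echo "57614 109327 16" ;;
        5.9/sparc) echo "57631 112908 15" ;;
        5.9/i386)  echo "57631 115168 05" ;;
        *) return 1 ;;
    esac
}

# patch_ok BASE MINREV: reads `showrev -p` text on stdin and succeeds if a
# "Patch: BASE-NN" line has NN >= MINREV. Patches that obsolete BASE under a
# different number are not followed.
patch_ok() {
    awk -v base="$1" -v min="$2" '
        $1 == "Patch:" {
            n = split($2, id, "-")
            if (n == 2 && id[1] == base && id[2] + 0 >= min + 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_host RELEASE ARCH: `showrev -p` text on stdin, one status line out.
check_host() {
    req=$(required_patch "$1" "$2") || { echo "not-listed"; return 0; }
    set -- $req
    if patch_ok "$2" "$3"; then
        echo "alert $1: patched ($2-$3 or later)"
    else
        echo "alert $1: MISSING $2-$3"
    fi
}

# Constructed sample of `showrev -p` output (package name is a placeholder).
SAMPLE_SHOWREV='Patch: 109326-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWplaceholder
Patch: 112908-15 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWplaceholder
Patch: 115168-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWplaceholder'

printf '%s\n' "$SAMPLE_SHOWREV" | check_host 5.8 sparc   # demo on the sample
# On a live host: showrev -p | check_host "$(uname -r)" "$(uname -p)"
```

A "MISSING" result only means the host is exposed if it is also configured as a DNS server or for Kerberos, as the Contributing Factors sections explain.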


----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Sun for the information 
contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
