MIT Kerberos Vulnerabilities

• MIT Kerberos

Other products based on the GSS-API or the RPC libraries provided with MIT Kerberos may also be affected.

The MIT Kerberos 5 implementation contains several vulnerabilities. One of these vulnerabilities (VU#220816) could allow a remote, unauthenticated attacker to log in via telnet (23/tcp) with elevated privileges. The other vulnerabilities (VU#704024, VU#419344) could allow a remote, authenticated attacker to execute arbitrary code on a Key Distribution Center (KDC).

There are three vulnerabilities that affect MIT Kerberos 5:

• VU#220816 - MIT Kerberos 5 telnet daemon allows login as arbitrary user
  
  
  The telnet daemon included with the MIT Kerberos administration daemon contains a vulnerability that may allow a remote, unauthorized user to log on to the system with elevated privileges.




• VU#704024 - MIT Kerberos 5 administration daemon stack overflow in krb5_klog_syslog()
  
  
  The MIT Kerberos administration daemon contains a vulnerability in the way the krb5_klog_syslog() function handles specially crafted strings that may allow a remote, authenticated attacker to execute arbitrary code. Other server applications that call krb5_klog_syslog() may also be affected. This vulnerability can be triggered by sending a specially crafted Kerberos message to a vulnerable system.




• VU#419344 - MIT Kerberos 5 GSS-API library double-free vulnerability
  
  
  A vulnerability exists in the way that the GSS-API library provided with MIT krb5 handles messages with an invalid direction encoding, resulting in a double free which may allow a remote, authenticated attacker to execute arbitrary code. Other server applications that utilize the RPC library or the GSS-API library provided with MIT Kerberos may also be affected. This vulnerability can be triggered by sending a specially crafted Kerberos message to a vulnerable system.

Impact

In the case of VU#220816 a remote attacker could log on to the system via telnet and gain elevated privileges.

In the case of VU#704024 and VU#419344, a remote, authenticated attacker may be able to execute arbitrary code on KDCs, systems running kadmind, and application servers that use the RPC or GSS-API libraries. An attacker could also cause a denial of service on any of these systems. As a secondary impact, either one of these vulnerabilities could result in the compromise of both the KDC and an entire Kerberos realm.

Solution

Check with your vendors for patches or updates. For information about a vendor, please see the systems affected section in the individual vulnerability notes or contact your vendor directly.




Alternatively, apply the appropriate source code patches referenced in MITKRB5-SA-2007-001, MITKRB5-SA-2007-002, and MITKRB5-SA-2007-003 and recompile.




These vulnerabilities will also be addressed in krb5-1.6.1.

References

• US-CERT Vulnerability Note VU#220816 - http://www.kb.cert.org/vuls/id/220816
• US-CERT Vulnerability Note VU#704024 - http://www.kb.cert.org/vuls/id/704024
• US-CERT Vulnerability Note VU#419344 - http://www.kb.cert.org/vuls/id/419344
• MIT krb5 Security Advisory 2007-001 - http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-001-telnetd.txt
• MIT krb5 Security Advisory 2007-002 - http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002-syslog.txt
• MIT krb5 Security Advisory 2007-003 - http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-003.txt

Revision History

• April 03, 2007: Initial release