U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (TA07-093B)

MIT Kerberos Vulnerabilities

Original release date: April 03, 2007

Systems Affected

  • MIT Kerberos

Other products based on the GSS-API or the RPC libraries provided with MIT Kerberos may also be affected.

Overview

The MIT Kerberos 5 implementation contains several vulnerabilities. One of these vulnerabilities (VU#220816) could allow a remote, unauthenticated attacker to log in via telnet (23/tcp) with elevated privileges. The other vulnerabilities (VU#704024, VU#419344) could allow a remote, authenticated attacker to execute arbitrary code on a Key Distribution Center (KDC).

Description

There are three vulnerabilities that affect MIT Kerberos 5:

  • VU#220816 - MIT Kerberos 5 telnet daemon allows login as arbitrary user
    The telnet daemon included with the MIT Kerberos administration daemon contains a vulnerability that may allow a remote, unauthorized user to log on to the system with elevated privileges.

  • VU#704024 - MIT Kerberos 5 administration daemon stack overflow in krb5_klog_syslog()
    The MIT Kerberos administration daemon contains a vulnerability in the way the krb5_klog_syslog() function handles specially crafted strings that may allow a remote, authenticated attacker to execute arbitrary code. Other server applications that call krb5_klog_syslog() may also be affected. This vulnerability can be triggered by sending a specially crafted Kerberos message to a vulnerable system.

  • VU#419344 - MIT Kerberos 5 GSS-API library double-free vulnerability
    A vulnerability exists in the way that the GSS-API library provided with MIT krb5 handles messages with an invalid direction encoding, resulting in a double free which may allow a remote, authenticated attacker to execute arbitrary code. Other server applications that utilize the RPC library or the GSS-API library provided with MIT Kerberos may also be affected. This vulnerability can be triggered by sending a specially crafted Kerberos message to a vulnerable system.

Impact

In the case of VU#220816 a remote attacker could log on to the system via telnet and gain elevated privileges.

In the case of VU#704024 and VU#419344, a remote, authenticated attacker may be able to execute arbitrary code on KDCs, systems running kadmind, and application servers that use the RPC or GSS-API libraries. An attacker could also cause a denial of service on any of these systems. As a secondary impact, either one of these vulnerabilities could result in the compromise of both the KDC and an entire Kerberos realm.


Solution

Check with your vendors for patches or updates. For information about a vendor, please see the systems affected section in the individual vulnerability notes or contact your vendor directly.

Alternatively, apply the appropriate source code patches referenced in MITKRB5-SA-2007-001, MITKRB5-SA-2007-002, and MITKRB5-SA-2007-003 and recompile.

These vulnerabilities will also be addressed in krb5-1.6.1.


References


Revision History

  • April 03, 2007: Initial release

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top