7.9 - VU#365313

Executive Summary

Summary
Title	MIT Kerberos kadmind RPC library gssrpc__svcauth_unix() integer conversion error

Informations
Name	VU#365313	First vendor Publication	2007-06-26
Vendor	VU-CERT	Last vendor Modification	2007-08-08
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	7.9	Attack Range	Adjacent network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	5.5	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#365313

MIT Kerberos kadmind RPC library gssrpc__svcauth_unix() integer conversion error

Overview

The MIT Kerberos administration daemon (kadmind) contains an integer conversion error vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.

I. Description

The gssrpc__svcauth_unix() function used by the Kerberos administration daemon contains an integer conversion error. This vulnerability may cause a stack buffer overflow that could allow a remote, authenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-004:

The function gssrpc__svcauth_unix() in src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from IXDR_GET_U_LONG into a signed integer variable "str_len". Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME, which will always be true of "str_len" is negative, which can happen when a large unsigned integer is converted to a signed integer. Once the length check succeeds, gssrpc__svcauth_unix() calls memmove() with a length of "str_len" with the target in a stack buffer.

This vulnerability is believed to be difficult to exploit because the memmove() implementation receives a very large number (a negative integer converted to a large unsigned value), which will almost certainly cause some sort of memory access fault prior to returning. This probably avoids any usage of the corrupted return address in the overwritten stack frame. Note that some (perhaps unlikely) memmove() implementations may call other procedures and thus may be vulnerable to corrupted return addresses.

Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.1. Third-party applications using the MIT krb5 RPC library or other RPC libraries derived from SunRPC may also be vulnerable. MIT has been provided with proof-of-concept exploit code that causes a denial of service, but it's not clear whether the exploit code is publicly available yet.

This vulnerability occurred as a result of failing to comply with rule INT31-C of the CERT C Programming Language Secure Coding Standard.

II. Impact

A remote, unauthenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.

III. Solution

Apply a patch

A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-004. MIT also states that this will be addressed in the upcoming krb5-1.6.2 and krb5-1.5.4 releases. Please check with your vendor for third-party product updates.

Systems Affected

Vendor	Status	Date Updated
Apple Computer, Inc.	Unknown	18-Jun-2007
AttachmateWRQ, Inc.	Unknown	18-Jun-2007
Conectiva Inc.	Unknown	18-Jun-2007
Cray Inc.	Unknown	18-Jun-2007
CyberSafe, Inc.	Not Vulnerable	18-Jun-2007
Debian GNU/Linux	Vulnerable	30-Jul-2007
EMC Corporation	Unknown	18-Jun-2007
Engarde Secure Linux	Unknown	18-Jun-2007
F5 Networks, Inc.	Unknown	18-Jun-2007
Fedora Project	Unknown	18-Jun-2007
FreeBSD, Inc.	Unknown	18-Jun-2007
Fujitsu	Unknown	18-Jun-2007
Gentoo Linux	Unknown	18-Jun-2007
Hewlett-Packard Company	Unknown	18-Jun-2007
Hitachi	Unknown	18-Jun-2007
IBM Corporation	Unknown	18-Jun-2007
IBM Corporation (zseries)	Unknown	18-Jun-2007
IBM eServer	Unknown	18-Jun-2007
Immunix Communications, Inc.	Unknown	18-Jun-2007
Ingrian Networks, Inc.	Unknown	18-Jun-2007
Juniper Networks, Inc.	Not Vulnerable	26-Jun-2007
KTH Kerberos Team	Unknown	18-Jun-2007
Mandriva, Inc.	Vulnerable	27-Jun-2007
Microsoft Corporation	Not Vulnerable	19-Jun-2007
MIT Kerberos Development Team	Unknown	13-Jun-2007
MontaVista Software, Inc.	Unknown	18-Jun-2007
NEC Corporation	Unknown	18-Jun-2007
NetBSD	Unknown	18-Jun-2007
Network Appliance, Inc.	Not Vulnerable	27-Jun-2007
Nokia	Unknown	18-Jun-2007
Novell, Inc.	Unknown	18-Jun-2007
Openwall GNU/*/Linux	Unknown	18-Jun-2007
QNX, Software Systems, Inc.	Unknown	18-Jun-2007
Red Hat, Inc.	Vulnerable	26-Jun-2007
Silicon Graphics, Inc.	Unknown	18-Jun-2007
Slackware Linux Inc.	Unknown	18-Jun-2007
Sony Corporation	Unknown	18-Jun-2007
Sun Microsystems, Inc.	Not Vulnerable	28-Jun-2007
SUSE Linux	Unknown	18-Jun-2007
The SCO Group	Unknown	18-Jun-2007
Trustix Secure Linux	Unknown	18-Jun-2007
Turbolinux	Unknown	18-Jun-2007
Ubuntu	Vulnerable	27-Jun-2007
Unisys	Unknown	18-Jun-2007
Wind River Systems, Inc.	Unknown	18-Jun-2007

References

https://www.securecoding.cert.org/confluence/display/seccode/INT31-C.+Ensure+that+integer+conversions+do+not+result+in+lost+or+misinterpreted+data
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt
http://www.ubuntu.com/usn/usn-477-1
http://www.mandriva.com/security/advisories?name=MDKSA-2007:137
http://secunia.com/advisories/25800/
http://secunia.com/advisories/26033/
http://docs.info.apple.com/article.html?artnum=306172

Credit

Thanks to MIT for reporting this vulnerability, who in turn credit Wei Wang of McAfee Avert Labs.

This document was written by Will Dormann.

Other Information

Date Public	06/26/2007
Date First Published	06/26/2007 02:59:11 PM
Date Last Updated	08/08/2007
CERT Advisory
CVE Name	CVE-2007-2443
Metric	5.40
Document Revision	12

Original Source

Url : http://www.kb.cert.org/vuls/id/365313

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11277

Oval ID:	oval:org.mitre.oval:def:11277
Title:	Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.
Description:	Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-2443	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section krb5-workstation is earlier than 0:1.2.7-66 AND krb5 is earlier than 0:1.2.7-66 AND krb5-libs is earlier than 0:1.2.7-66 AND krb5-server is earlier than 0:1.2.7-66 AND krb5-devel is earlier than 0:1.2.7-66 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section krb5-workstation is earlier than 0:1.3.4-49 AND krb5 is earlier than 0:1.3.4-49 AND krb5-libs is earlier than 0:1.3.4-49 AND krb5-server is earlier than 0:1.3.4-49 AND krb5-devel is earlier than 0:1.3.4-49 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section krb5-workstation is earlier than 0:1.5-26 AND krb5 is earlier than 0:1.5-26 AND krb5-libs is earlier than 0:1.5-26 AND krb5-server is earlier than 0:1.5-26 AND krb5-devel is earlier than 0:1.5-26

Definition Id: oval:org.mitre.oval:def:7131

Oval ID:	oval:org.mitre.oval:def:7131
Title:	HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code
Description:	Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-2443	Version:	11
Platform(s):	HP-UX 11	Product(s):
Definition Synopsis:
Criteria meets HP Security Bulletin HPSBUX02544 HP-UX B.11.31 AND filesets tests KRB5-Client.KRB5-PRG is installed AND KRB5-Client.KRB5-64SLIB is installed AND KRB5-Client.KRB5-IA32SLIB is installed AND KRB5-Client.KRB5-IA64SLIB is installed AND KRB5-Client.KRB5-RUN is installed AND KRB5-Client.KRB5-SHLIB is installed AND KRB5-Client.KRB5-64SLIB is installed AND NOT Patch PHSS_41168 is installed OR Criteria meets HP Security Bulletin HPSBUX02544 HP Release B.11.23 AND filesets tests KRB5-Client.KRB5-PRG is installed AND KRB5-Client.KRB5-64SLIB is installed AND KRB5-Client.KRB5-IA32SLIB is installed AND KRB5-Client.KRB5-IA64SLIB is installed AND KRB5-Client.KRB5-RUN is installed AND KRB5-Client.KRB5-SHLIB is installed AND KRB5-Client.KRB5-64SLIB is installed AND NOT Patch PHSS_41167 is installed OR Criteria meets HP Security Bulletin HPSBUX02544 HP Release B.11.11 AND filesets tests KRB5-Client.KRB5-SHLIB is installed AND KRB5-Client.KRB5-PRG is installed AND KRB5-Client.KRB5-RUN is installed AND KRB5-Client.KRB5-64SLIB is installed AND NOT Patch PHSS_41166 is installed OR Criteria meets HP Security Bulletin HPSBUX02544 HP Release B.11.23 AND filesets tests krb5client.KRB5-64SLIB-A version is less than D.1.6.2.08 AND krb5client.KRB5-64SLIB-A version is less than D.1.6.2.08 AND krb5client.KRB5-PRG-A version is less than D.1.6.2.08 AND krb5client.KRB5-RUN-A version is less than D.1.6.2.08 AND krb5client.KRB5-SHLIB-A version is less than D.1.6.2.08 AND krb5client.KRB5IA32SLIB-A version is less than D.1.6.2.08 AND krb5client.KRB5IA64SLIB-A version is less than D.1.6.2.08 OR Criteria meets HP Security Bulletin HPSBUX02544 HP Release B.11.11 AND filesets tests krb5client.KRB5-64SLIB-A version is less than C.1.3.5.10 AND krb5client.KRB5-PRG-A version is less than C.1.3.5.10 AND krb5client.KRB5-RUN-A version is less than C.1.3.5.10 AND krb5client.KRB5-SHLIB-A version is less than C.1.3.5.10 OR Criteria meets HP Security Bulletin HPSBUX02544 HP-UX B.11.31 AND filesets tests krb5client.KRB5-64SLIB-A version is less than E.1.6.2.08 AND krb5client.KRB5-PRG-A version is less than E.1.6.2.08 AND krb5client.KRB5-RUN-A version is less than E.1.6.2.08 AND krb5client.KRB5-SHLIB-A version is less than E.1.6.2.08 AND krb5client.KRB5IA32SLIB-A version is less than E.1.6.2.08 AND krb5client.KRB5IA64SLIB-A version is less than E.1.6.2.08

CPE : Common Platform Enumeration

Type	Description	Count
Application	Mit Kerberos 5 cpe:2.3:a:mit:kerberos_5:1.6.1:::::::* cpe:2.3:a:mit:kerberos_5:1.6:::::::* cpe:2.3:a:mit:kerberos_5:1.5.3:::::::* cpe:2.3:a:mit:kerberos_5:1.5.2:::::::* cpe:2.3:a:mit:kerberos_5:1.5.1:::::::* cpe:2.3:a:mit:kerberos_5:1.5:::::::* cpe:2.3:a:mit:kerberos_5:1.4.4:::::::* cpe:2.3:a:mit:kerberos_5:1.4.3:::::::* cpe:2.3:a:mit:kerberos_5:1.4.2:::::::* cpe:2.3:a:mit:kerberos_5:1.4.1:::::::* cpe:2.3:a:mit:kerberos_5:1.4:::::::* cpe:2.3:a:mit:kerberos_5:1.3.6:::::::* cpe:2.3:a:mit:kerberos_5:1.3.5:::::::* cpe:2.3:a:mit:kerberos_5:1.3.4:::::::* cpe:2.3:a:mit:kerberos_5:1.3.3:::::::* cpe:2.3:a:mit:kerberos_5:1.3.2:::::::* cpe:2.3:a:mit:kerberos_5:1.3.1:::::::* cpe:2.3:a:mit:kerberos_5:1.3:alpha1:::::: cpe:2.3:a:mit:kerberos_5:1.3:-:::::: cpe:2.3:a:mit:kerberos_5:1.2.8:::::::* cpe:2.3:a:mit:kerberos_5:1.2.7:::::::* cpe:2.3:a:mit:kerberos_5:1.2.6:::::::* cpe:2.3:a:mit:kerberos_5:1.2.5:::::::* cpe:2.3:a:mit:kerberos_5:1.2.4:::::::* cpe:2.3:a:mit:kerberos_5:1.2.3:::::::* cpe:2.3:a:mit:kerberos_5:1.2.2:::::::* cpe:2.3:a:mit:kerberos_5:1.2.1:::::::* cpe:2.3:a:mit:kerberos_5:1.2:beta2:::::: cpe:2.3:a:mit:kerberos_5:1.2:beta1:::::: cpe:2.3:a:mit:kerberos_5:1.2:-:::::: cpe:2.3:a:mit:kerberos_5:1.1.1:::::::* cpe:2.3:a:mit:kerberos_5:1.1:::::::* cpe:2.3:a:mit:kerberos_5:1.0.6:::::::* cpe:2.3:a:mit:kerberos_5:1.0:-:::::: cpe:2.3:a:mit:kerberos_5:::::::: cpe:2.3:a:mit:kerberos_5:-:::::::*	36
Os	Canonical Ubuntu Linux cpe:2.3:o:canonical:ubuntu_linux:7.04:::::::* cpe:2.3:o:canonical:ubuntu_linux:6.10:::::::* cpe:2.3:o:canonical:ubuntu_linux:6.06:::::::*	3
Os	Debian Debian Linux cpe:2.3:o:debian:debian_linux:4.0:::::::* cpe:2.3:o:debian:debian_linux:3.1:::::::*	2

OpenVAS Exploits

Date	Description
2009-11-17	Name : Mac OS X Version File : nvt/macosx_version.nasl
2009-04-09	Name : Mandriva Update for krb5 MDKSA-2007:137 (krb5) File : nvt/gb_mandriva_MDKSA_2007_137.nasl
2009-03-23	Name : Ubuntu Update for krb5 vulnerabilities USN-477-1 File : nvt/gb_ubuntu_USN_477_1.nasl
2009-02-27	Name : Fedora Update for krb5 FEDORA-2007-0740 File : nvt/gb_fedora_2007_0740_krb5_fc7.nasl
2009-02-27	Name : Fedora Update for krb5 FEDORA-2007-2017 File : nvt/gb_fedora_2007_2017_krb5_fc7.nasl
2009-02-27	Name : Fedora Update for krb5 FEDORA-2007-2066 File : nvt/gb_fedora_2007_2066_krb5_fc7.nasl
2009-02-27	Name : Fedora Update for krb5 FEDORA-2007-620 File : nvt/gb_fedora_2007_620_krb5_fc5.nasl
2009-02-27	Name : Fedora Update for krb5 FEDORA-2007-621 File : nvt/gb_fedora_2007_621_krb5_fc6.nasl
2009-02-16	Name : Fedora Update for krb5 FEDORA-2008-2637 File : nvt/gb_fedora_2008_2637_krb5_fc7.nasl
2009-01-28	Name : SuSE Update for krb5 SUSE-SA:2007:038 File : nvt/gb_suse_2007_038.nasl
2008-09-24	Name : Gentoo Security Advisory GLSA 200707-11 (mit-krb5) File : nvt/glsa_200707_11.nasl
2008-01-17	Name : Debian Security Advisory DSA 1323-1 (krb5) File : nvt/deb_1323_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
36597	MIT Kerberos 5 RPC Library gssrpc__svcauth_unix Function Remote Code Execution

Snort® IPS/IDS

Date	Description
2014-01-10	MIT Kerberos kadmind auth buffer overflow attempt RuleID : 12708 - Revision : 7 - Type : PROTOCOL-RPC
2014-01-10	MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt RuleID : 12046 - Revision : 10 - Type : PROTOCOL-RPC

Nessus® Vulnerability Scanner

Date	Description
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0562.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0384.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20070626_krb5_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20070626_krb5_on_SL3.nasl - Type : ACT_GATHER_INFO
2010-06-28	Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_41166.nasl - Type : ACT_GATHER_INFO
2010-06-28	Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_41167.nasl - Type : ACT_GATHER_INFO
2010-06-28	Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_41168.nasl - Type : ACT_GATHER_INFO
2009-07-27	Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2007-0006.nasl - Type : ACT_GATHER_INFO
2007-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_krb5-3821.nasl - Type : ACT_GATHER_INFO
2007-11-10	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-477-1.nasl - Type : ACT_GATHER_INFO
2007-11-06	Name : The remote Fedora host is missing a security update. File : fedora_2007-0740.nasl - Type : ACT_GATHER_INFO
2007-10-17	Name : The remote openSUSE host is missing a security update. File : suse_krb5-3820.nasl - Type : ACT_GATHER_INFO
2007-08-02	Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2007-007.nasl - Type : ACT_GATHER_INFO
2007-07-27	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200707-11.nasl - Type : ACT_GATHER_INFO
2007-07-01	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1323.nasl - Type : ACT_GATHER_INFO
2007-06-27	Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-137.nasl - Type : ACT_GATHER_INFO
2007-06-27	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0384.nasl - Type : ACT_GATHER_INFO
2007-06-27	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0562.nasl - Type : ACT_GATHER_INFO
2007-06-27	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0562.nasl - Type : ACT_GATHER_INFO
2007-06-27	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0384.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
Oval ID(s)	2
CPE ID(s)	41
osvdb(s)	1
Openvas Exploit(s)	12
Snort® Rule(s)	2
Nessus® Exploit(s)	20

	Related
9.3	USN-477-1
8.3	CVE-2007-2443
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)