Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title MIT Kerberos krb4-enabled KDC contains multiple vulnerabilities
Informations
Name VU#895609 First vendor Publication 2008-03-18
Vendor VU-CERT Last vendor Modification 2008-03-19
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#895609

MIT Kerberos krb4-enabled KDC contains multiple vulnerabilities

Overview

Vulnerabilities in the MIT Kerberos Key Distribution Center server could allow a remote attacker to compromise the key database, gain access to sensitive information, or cause a denial of service.

I. Description

Several vulnerabilities exist in the Authentication Service and Key Distribution Center server (krb5kdc) included in the MIT krb5 Kerberos implementation. In one case, the use of a null or dangling pointer in the KDC can result in a crash or double-free, and may leak portions of process memory to an attacker. In another case, uninitialized stack values cause reuse of a small window of previous stack values to be interpreted as message content. Some of this content may be returned to the attacker as part of an error response.

These vulnerabilities are only exposed if Kerberos 4 support is enabled. MIT notes that by default, Kerberos 4 support is compiled in but not enabled in recent versions of the software. MIT also notes that no other client or application server programs are affected.

II. Impact

An unauthenticated remote attacker may cause a krb4-enabled KDC server to crash, expose information (potentially including secret key data), or execute arbitrary code with the privileges of the krb5kdc. Secondary impacts include compromise of the Kerberos key database and denial of service to clients attempting to authenticate in the affected Kerberos realm.

III. Solution

Upgrade or apply a patch from the vendor


Patches have been released to address these issues. Please see the Systems Affected section of this document for more details.

Systems Affected

VendorStatusDate Updated
3com, Inc.Unknown6-Mar-2008
AlcatelUnknown6-Mar-2008
Apple Computer, Inc.Vulnerable18-Mar-2008
AT&TUnknown6-Mar-2008
Avaya, Inc.Unknown6-Mar-2008
Avici Systems, Inc.Unknown6-Mar-2008
Borderware TechnologiesUnknown6-Mar-2008
Check Point Software TechnologiesUnknown6-Mar-2008
Cisco Systems, Inc.Not Vulnerable10-Mar-2008
ClavisterUnknown6-Mar-2008
Computer AssociatesNot Vulnerable18-Mar-2008
Computer Associates eTrust Security ManagementUnknown6-Mar-2008
Conectiva Inc.Unknown6-Mar-2008
Cray Inc.Unknown6-Mar-2008
D-Link Systems, Inc.Unknown6-Mar-2008
Data Connection, Ltd.Unknown6-Mar-2008
Debian GNU/LinuxUnknown6-Mar-2008
EMC CorporationUnknown6-Mar-2008
Engarde Secure LinuxUnknown6-Mar-2008
Enterasys NetworksUnknown6-Mar-2008
EricssonUnknown6-Mar-2008
eSoft, Inc.Unknown6-Mar-2008
Extreme NetworksUnknown6-Mar-2008
F5 Networks, Inc.Unknown6-Mar-2008
Fedora ProjectUnknown6-Mar-2008
Force10 Networks, Inc.Unknown6-Mar-2008
Fortinet, Inc.Unknown6-Mar-2008
Foundry Networks, Inc.Unknown6-Mar-2008
FreeBSD, Inc.Unknown6-Mar-2008
FujitsuUnknown6-Mar-2008
Global Technology AssociatesUnknown6-Mar-2008
Hewlett-Packard CompanyUnknown6-Mar-2008
HitachiUnknown6-Mar-2008
HyperchipUnknown6-Mar-2008
IBM CorporationUnknown6-Mar-2008
IBM Corporation (zseries)Unknown6-Mar-2008
IBM eServerUnknown6-Mar-2008
Ingrian Networks, Inc.Unknown6-Mar-2008
Intel CorporationNot Vulnerable10-Mar-2008
Internet Security Systems, Inc.Unknown6-Mar-2008
IntotoNot Vulnerable10-Mar-2008
IP Infusion, Inc.Unknown6-Mar-2008
Juniper Networks, Inc.Unknown6-Mar-2008
Linksys (A division of Cisco Systems)Unknown6-Mar-2008
Lucent TechnologiesUnknown6-Mar-2008
Luminous NetworksUnknown6-Mar-2008
Mandriva, Inc.Unknown6-Mar-2008
McAfeeUnknown6-Mar-2008
Microsoft CorporationUnknown6-Mar-2008
MIT Kerberos Development TeamVulnerable18-Mar-2008
MontaVista Software, Inc.Unknown6-Mar-2008
Multinet (owned Process Software Corporation)Unknown6-Mar-2008
Multitech, Inc.Unknown6-Mar-2008
NEC CorporationUnknown6-Mar-2008
NetBSDUnknown6-Mar-2008
Network Appliance, Inc.Unknown6-Mar-2008
NextHop Technologies, Inc.Unknown6-Mar-2008
Nortel Networks, Inc.Unknown6-Mar-2008
Novell, Inc.Unknown6-Mar-2008
Openwall GNU/*/LinuxUnknown6-Mar-2008
QNX, Software Systems, Inc.Unknown6-Mar-2008
QuaggaUnknown6-Mar-2008
Red Hat, Inc.Unknown6-Mar-2008
Redback Networks, Inc.Unknown6-Mar-2008
Riverstone Networks, Inc.Unknown6-Mar-2008
Secure Computing Network Security DivisionNot Vulnerable10-Mar-2008
Silicon Graphics, Inc.Unknown6-Mar-2008
Slackware Linux Inc.Unknown6-Mar-2008
Sony CorporationUnknown6-Mar-2008
StonesoftUnknown6-Mar-2008
Sun Microsystems, Inc.Not Vulnerable18-Mar-2008
SUSE LinuxUnknown6-Mar-2008
Symantec, Inc.Unknown6-Mar-2008
The SCO GroupUnknown6-Mar-2008
TippingPoint, Technologies, Inc.Not Vulnerable18-Mar-2008
Trustix Secure LinuxUnknown6-Mar-2008
TurbolinuxUnknown6-Mar-2008
UbuntuVulnerable19-Mar-2008
UnisysUnknown6-Mar-2008
Watchguard Technologies, Inc.Unknown6-Mar-2008
Wind River Systems, Inc.Unknown6-Mar-2008
ZyXELUnknown6-Mar-2008

References


http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt

Credit

Thanks to Ken Raeburn of the MIT Kerberos Team for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

Date Public03/18/2008
Date First Published03/18/2008 09:56:56 PM
Date Last Updated03/19/2008
CERT Advisory 
CVE NameCVE-2008-0062; CVE-2008-0063
US-CERT Technical Alerts 
Metric10.10
Document Revision10

Original Source

Url : http://www.kb.cert.org/vuls/id/895609

CAPEC : Common Attack Pattern Enumeration & Classification

Id Name
CAPEC-26 Leveraging Race Conditions
CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
CAPEC-172 Time and State Attacks

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-189 Numeric Errors (CWE/SANS Top 25)
50 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:8916
 
Oval ID: oval:org.mitre.oval:def:8916
Title: The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values."
Description: The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values."
Family: unix Class: vulnerability
Reference(s): CVE-2008-0063
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9496
 
Oval ID: oval:org.mitre.oval:def:9496
Title: KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free.
Description: KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free.
Family: unix Class: vulnerability
Reference(s): CVE-2008-0062
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 38

OpenVAS Exploits

Date Description
2009-11-17 Name : Mac OS X Version
File : nvt/macosx_version.nasl
2009-04-09 Name : Mandriva Update for krb5 MDVSA-2008:070 (krb5)
File : nvt/gb_mandriva_MDVSA_2008_070.nasl
2009-04-09 Name : Mandriva Update for krb5 MDVSA-2008:069 (krb5)
File : nvt/gb_mandriva_MDVSA_2008_069.nasl
2009-03-23 Name : Ubuntu Update for krb5 vulnerabilities USN-587-1
File : nvt/gb_ubuntu_USN_587_1.nasl
2009-03-06 Name : RedHat Update for krb5 RHSA-2008:0181-01
File : nvt/gb_RHSA-2008_0181-01_krb5.nasl
2009-03-06 Name : RedHat Update for krb5 RHSA-2008:0164-01
File : nvt/gb_RHSA-2008_0164-01_krb5.nasl
2009-03-06 Name : RedHat Update for krb5 RHSA-2008:0180-01
File : nvt/gb_RHSA-2008_0180-01_krb5.nasl
2009-02-27 Name : CentOS Update for krb5-devel CESA-2008:0180 centos4 i386
File : nvt/gb_CESA-2008_0180_krb5-devel_centos4_i386.nasl
2009-02-27 Name : CentOS Update for krb5-devel CESA-2008:0181 centos3 x86_64
File : nvt/gb_CESA-2008_0181_krb5-devel_centos3_x86_64.nasl
2009-02-27 Name : CentOS Update for krb5-devel CESA-2008:0181 centos3 i386
File : nvt/gb_CESA-2008_0181_krb5-devel_centos3_i386.nasl
2009-02-27 Name : CentOS Update for krb5 CESA-2008:0181-01 centos2 i386
File : nvt/gb_CESA-2008_0181-01_krb5_centos2_i386.nasl
2009-02-27 Name : CentOS Update for krb5-devel CESA-2008:0180 centos4 x86_64
File : nvt/gb_CESA-2008_0180_krb5-devel_centos4_x86_64.nasl
2009-02-16 Name : Fedora Update for krb5 FEDORA-2008-2637
File : nvt/gb_fedora_2008_2637_krb5_fc7.nasl
2009-02-16 Name : Fedora Update for krb5 FEDORA-2008-2647
File : nvt/gb_fedora_2008_2647_krb5_fc8.nasl
2009-01-23 Name : SuSE Update for krb5 SUSE-SA:2008:016
File : nvt/gb_suse_2008_016.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200803-31 (mit-krb5)
File : nvt/glsa_200803_31.nasl
2008-06-17 Name : Kerberos < 1.6.4 vulnerability
File : nvt/kerberos_CB-A08-0044.nasl
2008-03-19 Name : Debian Security Advisory DSA 1524-1 (krb5)
File : nvt/deb_1524_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
43342 MIT Kerberos 5 KDC (krb5kdc) Error Response Information Disclosure

43341 MIT Kerberos 5 KDC (krb5kdc) Arbitrary Memory Disclosure

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2008-0181.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2008-0180.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2008-0164.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0182.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20080318_krb5_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2008-0164.nasl - Type : ACT_GATHER_INFO
2009-07-27 Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2008-0009.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2008-069.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2008-070.nasl - Type : ACT_GATHER_INFO
2008-03-26 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200803-31.nasl - Type : ACT_GATHER_INFO
2008-03-26 Name : The remote Fedora host is missing a security update.
File : fedora_2008-2647.nasl - Type : ACT_GATHER_INFO
2008-03-26 Name : The remote Fedora host is missing a security update.
File : fedora_2008-2637.nasl - Type : ACT_GATHER_INFO
2008-03-21 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1524.nasl - Type : ACT_GATHER_INFO
2008-03-21 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2008-0180.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2008-002.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0164.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0180.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0181.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2008-0181.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote openSUSE host is missing a security update.
File : suse_krb5-5081.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_krb5-5082.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-587-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2013-05-11 00:57:27
  • Multiple Updates