__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Multiple Vulnerabilities in Old Releases of MIT Kerberos [MIT krb5 Security Advisory 2003-001] February 3, 2003 19:00 GMT Number n-037 ______________________________________________________________________________ PROBLEM: Multiple vulnerabilities have been found in MIT Kerberos 5 releases prior to release 1.2.5. The vulnerabilities range from crashing the KDC system to gaining access to the system and database. PLATFORM: MIT Kerberos 5 releases prior to release 1.2.5 DAMAGE: Remote user can crash KDC, and may be able to forge non-local identities and compromise the KDC or application servers. SOLUTION: Update to 1.2.5 or later, preferably to the latest release. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. The vulnerabilities can be exploited remotely ASSESSMENT: and could allow an attacker to gain access to the system and database. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-037.shtml ORIGINAL BULLETIN: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001- multiple.txt ______________________________________________________________________________ [***** Start MIT krb5 Security Advisory 2003-001 *****] MIT krb5 Security Advisory 2003-001 Original Release Date: 2003-01-28 Topic: Multiple vulnerabilities in old releases of MIT Kerberos Severity: CRITICAL: Remote user can crash KDC, and may be able to forge non-local identities and compromise the KDC or application servers. SUMMARY ======= Multiple vulnerabilities have been found in MIT Kerberos 5 releases prior to release 1.2.5. MIT recommends updating to 1.2.7 if possible. IMPACT ====== * A remote user can crash the KDC. * A user authenticated in a remote realm may be able to claim to be other non-local users to an application server. * It may be possible for a user to gain access to the KDC system and database. AFFECTED SOFTWARE ================= * All releases of MIT Kerberos 5 before 1.2.5. * For status on other vendors, see CERT's Vulnerability Notes: VU#587579 - MIT Kerberos V5 ASN.1 decoder fails to perform bounds checking on data element length fields http://www.kb.cert.org/vuls/id/587579 VU#661243 - MIT Kerberos V5 KDC vulnerable to denial-of-service via null pointer dereference http://www.kb.cert.org/vuls/id/661243 VU#684563 - MIT Kerberos V5 allows inter-realm user impersonation by malicious realm controllers with shared keys http://www.kb.cert.org/vuls/id/684563 VU#787523 - MIT Kerberos V5 KDC logging routines use unsafe format strings http://www.kb.cert.org/vuls/id/787523 FIX === MIT recommends updating to release 1.2.5 or later, preferably to the latest release. Patches specifically to fix these problems are not available at this time. This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/www/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/www/index.html ACKNOWLEDGMENTS =============== Thanks to greg pryzby, Joseph Sokol-Margolis, Gerald Britton, E. Larry Lidz, and CERT for reporting these problems. DETAILS ======= Problem 1: KDC null pointer dereferences ________________________________________ Certain protocol requests, compliant with the protocol encoding scheme but indicative of a client system most likely configured incorrectly, can crash a KDC with a null pointer dereference. We do not believe any exploit to gain access to the KDC or otherwise alter its behavior is possible on systems without storage mapped at address zero. We have not explored the effects of this on a system with mapped memory at address zero. The fallback and retransmit algorithm used in the MIT krb5 library will cause an application not receiving a reply from a KDC to try other KDCs in the same realm; it will iterate through this list a few times, or until it gets a response. Thus, one client may take down multiple KDCs. We believe this vulnerability is limited to the TGS-REQ exchange, that is, cases where the user has already authenticated to the KDC or one with which it shares inter-realm keys. So (ignoring cases of well-known passwords) there is an audit trail of sorts, even if it has to be dug out of a core file, and it is not a simple, scriptable attack against KDCs in general. Workarounds: - Start your KDC from inittab or a loop in a shell script. (The inittab approach may not work well if the KDC is crashed too often in a short span of time.) Thanks to greg pryzby for reporting this problem. Problem 2: realm transit checks _______________________________ Realms with shared keys can impersonate people in other non-local realms in certain cases. It may be exploitable in various ways if non-local principal names are on critical ACLs. This vulnerability affects both the KDC and Kerberos application servers. This problem was fixed in the 1.2.3 release. That release also added a flag to the KDC config file that can be set to refuse untrusted cross-realm authentication, in case application servers cannot be updated quickly enough. This is not recommended as a long-term solution, because the current model we use says that the application server is responsible for doing this validation, which allows (for example) a service on a specific machine (perhaps one set up for software testing) to be configured to know about authentication paths known to the maintainer of the service, even if the maintainer of the KDC does not trust these paths for general use within the realm. Enforcing this limitation in the KDC takes this option away from the maintainers of individual machines. Workarounds: - Delete or change inter-realm keys so inter-realm authentication is disabled. - Remove all non-local principals from all critical ACLs in services using old MIT Kerberos code to validate the realm transit path Thanks to Joseph Sokol-Margolis and Gerald Britton for finding this problem. Problem 3: format strings _________________________ Older versions of the MIT KDC used strings containing Kerberos principal names as printf-style format strings in logging routines. At least some cases do not require successful authentication, so this can be used as a remote, anonymous attack. It is easy to crash the KDC with this exploit. We do not know of any exploits to gain access to the host system, but we do not rule out the possibility. Workarounds: See under problem 1. ***However, these do not address the host access possibility.*** Thanks to E. Larry Lidz for discovering this problem. Problem 4: bounds checking on data sizes ________________________________________ Some of our code does not do bounds checking on lengths before allocating storage. On some systems, attempting to allocate large negative amounts of storage can crash the program. Thus, some bogus packets may crash the KDC or an application server using Kerberos. We do not believe this can be exploited to gain access to the host system. Workarounds: - start KDC in a loop in a script, or from inittab - do likewise for any server processes that need to handle multiple client connections Thanks to CERT for bringing this to our attention. REVISION HISTORY ================ 2003-01-28 original release 2003-01-31 added CERT URLs [***** End MIT krb5 Security Advisory 2003-001 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of MIT for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) N-027: Flaw in Windows WM_TIMER Message Handling N-028: Vulnerabilities in SSH2 Implementations from Multiple Vendors N-029: Microsoft Unchecked Buffer in Windows Shell Vulnerability N-030: HP: Sendmail Restricted Shell (smrsh) Vulnerability N-031: Buffer Overflows in ISC DHCPD Minires Library N-032: Double-Free Bug in Concurrent Versions System (CVS) Server N-033: Unchecked Buffer in Locator Service Vulnerability N-034: Cumulative Patch for Microsoft Content Management Server N-035: Microsoft V1 Exchange Server Security Certificates Vulnerability N-036: Updated kerberos packages fix vulnerability in ftp client