Vulnerability Note VU#374121

MIT Kerberos contains array overrun in RPC library used by kadmind

Overview

Vulnerabilities in the MIT Kerberos libgssrpc library may allow an attacker to cause a denial of service or potentially execute arbitrary code.

I. Description

The MIT krb5 Kerberos implementation includes a GSS RPC library used in the Kerberos administration server (kadmind). Two flaws exist in the libgssprc library that can cause an array overrun if too many file descriptors are opened. These flaws result in a vulnerability that could allow memory corruption in the kadmind server.

MIT notes that in software versions 1.4 and later, this flaw can only be exploited in configurations that allow large numbers of open file descriptors in a process. In software versions before 1.3, a similar flaw can be exploited in similar circumstances but is further limited to platforms that do not define certain macros in certain C system header files.

II. Impact

An unauthenticated remote attacker can cause memory corruption in the libgssrpc library used by kadmind, causing kadmind to crash, thereby resulting in a denial of service. MIT notes that it is at least theoretically possible for such corruption to result in database corruption or arbitrary code execution.

III. Solution

Upgrade or apply a patch from the vendor

Patches have been released to address these issues. Please see the Systems Affected section of this document for more details.

Workaround

Before starting kadmind, use "ulimit -n" for Bourne shell and derivatives or "limit descriptors" for C shell and derivatives, or similar resource-limiting mechanisms in the invoking process to limit the maximum open file descriptors. The chosen limit should be less than or equal to the value of the FD_SETSIZE macro typically defined in the <sys/select.h> header file.

Systems Affected

Vendor	Status	Date Updated
3com, Inc.	Unknown	6-Mar-2008
Alcatel	Unknown	6-Mar-2008
Apple Computer, Inc.	Unknown	6-Mar-2008
AT&T	Unknown	6-Mar-2008
Avaya, Inc.	Unknown	6-Mar-2008
Avici Systems, Inc.	Unknown	6-Mar-2008
Borderware Technologies	Unknown	6-Mar-2008
Check Point Software Technologies	Unknown	6-Mar-2008
Cisco Systems, Inc.	Not Vulnerable	10-Mar-2008
Clavister	Unknown	6-Mar-2008
Computer Associates	Not Vulnerable	18-Mar-2008
Computer Associates eTrust Security Management	Unknown	6-Mar-2008
Conectiva Inc.	Unknown	6-Mar-2008
Cray Inc.	Unknown	6-Mar-2008
D-Link Systems, Inc.	Unknown	6-Mar-2008
Data Connection, Ltd.	Unknown	6-Mar-2008
Debian GNU/Linux	Unknown	6-Mar-2008
EMC Corporation	Unknown	6-Mar-2008
Engarde Secure Linux	Unknown	6-Mar-2008
Enterasys Networks	Unknown	6-Mar-2008
Ericsson	Unknown	6-Mar-2008
eSoft, Inc.	Unknown	6-Mar-2008
Extreme Networks	Unknown	6-Mar-2008
F5 Networks, Inc.	Unknown	6-Mar-2008
Fedora Project	Unknown	6-Mar-2008
Force10 Networks, Inc.	Unknown	6-Mar-2008
Fortinet, Inc.	Unknown	6-Mar-2008
Foundry Networks, Inc.	Unknown	6-Mar-2008
FreeBSD, Inc.	Unknown	6-Mar-2008
Fujitsu	Unknown	6-Mar-2008
Global Technology Associates	Unknown	6-Mar-2008
Hewlett-Packard Company	Unknown	6-Mar-2008
Hitachi	Unknown	6-Mar-2008
Hyperchip	Unknown	6-Mar-2008
IBM Corporation	Unknown	6-Mar-2008
IBM Corporation (zseries)	Unknown	6-Mar-2008
IBM eServer	Unknown	6-Mar-2008
Ingrian Networks, Inc.	Unknown	6-Mar-2008
Intel Corporation	Not Vulnerable	6-Mar-2008
Internet Security Systems, Inc.	Unknown	6-Mar-2008
Intoto	Not Vulnerable	6-Mar-2008
IP Infusion, Inc.	Unknown	6-Mar-2008
Juniper Networks, Inc.	Not Vulnerable	3-Apr-2008
Linksys (A division of Cisco Systems)	Unknown	6-Mar-2008
Lucent Technologies	Unknown	6-Mar-2008
Luminous Networks	Unknown	6-Mar-2008
Mandriva, Inc.	Unknown	6-Mar-2008
McAfee	Unknown	6-Mar-2008
Microsoft Corporation	Not Vulnerable	3-Apr-2008
MIT Kerberos Development Team	Vulnerable	18-Mar-2008
MontaVista Software, Inc.	Unknown	6-Mar-2008
Multinet (owned Process Software Corporation)	Unknown	6-Mar-2008
Multitech, Inc.	Unknown	6-Mar-2008
NEC Corporation	Unknown	6-Mar-2008
NetBSD	Unknown	6-Mar-2008
Network Appliance, Inc.	Unknown	6-Mar-2008
NextHop Technologies, Inc.	Unknown	6-Mar-2008
Nortel Networks, Inc.	Unknown	6-Mar-2008
Novell, Inc.	Unknown	6-Mar-2008
Openwall GNU/*/Linux	Unknown	6-Mar-2008
QNX, Software Systems, Inc.	Unknown	6-Mar-2008
Quagga	Unknown	6-Mar-2008
Red Hat, Inc.	Unknown	6-Mar-2008
Redback Networks, Inc.	Unknown	6-Mar-2008
Riverstone Networks, Inc.	Unknown	6-Mar-2008
Secure Computing Network Security Division	Not Vulnerable	6-Mar-2008
Silicon Graphics, Inc.	Unknown	6-Mar-2008
Slackware Linux Inc.	Unknown	6-Mar-2008
Sony Corporation	Unknown	6-Mar-2008
Stonesoft	Unknown	6-Mar-2008
Sun Microsystems, Inc.	Not Vulnerable	18-Mar-2008
SUSE Linux	Unknown	6-Mar-2008
Symantec, Inc.	Unknown	6-Mar-2008
The SCO Group	Unknown	6-Mar-2008
TippingPoint, Technologies, Inc.	Not Vulnerable	18-Mar-2008
Trustix Secure Linux	Unknown	6-Mar-2008
Turbolinux	Unknown	6-Mar-2008
Ubuntu	Vulnerable	19-Mar-2008
Unisys	Unknown	6-Mar-2008
Watchguard Technologies, Inc.	Unknown	6-Mar-2008
Wind River Systems, Inc.	Unknown	6-Mar-2008
ZyXEL	Unknown	6-Mar-2008

References

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt

Credit

Thanks to Ken Raeburn of the MIT Kerberos Team for reporting this vulnerability. MIT credits Jeff Altman of Secure Endpoints with discovering and reporting this issue in software version 1.6.3 and the Red Hat Security Response Team for reporting relevant information about older versions of the software.

This document was written by Chad R Dougherty.

Other Information

Date Public	03/18/2008
Date First Published	03/18/2008 03:34:29 PM
Date Last Updated	04/03/2008
CERT Advisory
CVE Name	CVE-2008-0947; CVE-2008-0948
US-CERT Technical Alerts
Metric	2.87
Document Revision	14

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader