SkipNavigation
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric



 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

 

Vulnerability Note VU#374121

MIT Kerberos contains array overrun in RPC library used by kadmind

Overview

Vulnerabilities in the MIT Kerberos libgssrpc library may allow an attacker to cause a denial of service or potentially execute arbitrary code.

I. Description

The MIT krb5 Kerberos implementation includes a GSS RPC library used in the Kerberos administration server (kadmind). Two flaws exist in the libgssprc library that can cause an array overrun if too many file descriptors are opened. These flaws result in a vulnerability that could allow memory corruption in the kadmind server.

MIT notes that in software versions 1.4 and later, this flaw can only be exploited in configurations that allow large numbers of open file descriptors in a process. In software versions before 1.3, a similar flaw can be exploited in similar circumstances but is further limited to platforms that do not define certain macros in certain C system header files.

II. Impact

An unauthenticated remote attacker can cause memory corruption in the libgssrpc library used by kadmind, causing kadmind to crash, thereby resulting in a denial of service. MIT notes that it is at least theoretically possible for such corruption to result in database corruption or arbitrary code execution.

III. Solution

Upgrade or apply a patch from the vendor


Patches have been released to address these issues. Please see the Systems Affected section of this document for more details.

Workaround

Before starting kadmind, use "ulimit -n" for Bourne shell and derivatives or "limit descriptors" for C shell and derivatives, or similar resource-limiting mechanisms in the invoking process to limit the maximum open file descriptors. The chosen limit should be less than or equal to the value of the FD_SETSIZE macro typically defined in the <sys/select.h> header file.

Systems Affected

VendorStatusDate Updated
3com, Inc.Unknown6-Mar-2008
AlcatelUnknown6-Mar-2008
Apple Computer, Inc.Unknown6-Mar-2008
AT&TUnknown6-Mar-2008
Avaya, Inc.Unknown6-Mar-2008
Avici Systems, Inc.Unknown6-Mar-2008
Borderware TechnologiesUnknown6-Mar-2008
Check Point Software TechnologiesUnknown6-Mar-2008
Cisco Systems, Inc.Not Vulnerable10-Mar-2008
ClavisterUnknown6-Mar-2008
Computer AssociatesNot Vulnerable18-Mar-2008
Computer Associates eTrust Security ManagementUnknown6-Mar-2008
Conectiva Inc.Unknown6-Mar-2008
Cray Inc.Unknown6-Mar-2008
D-Link Systems, Inc.Unknown6-Mar-2008
Data Connection, Ltd.Unknown6-Mar-2008
Debian GNU/LinuxUnknown6-Mar-2008
EMC CorporationUnknown6-Mar-2008
Engarde Secure LinuxUnknown6-Mar-2008
Enterasys NetworksUnknown6-Mar-2008
EricssonUnknown6-Mar-2008
eSoft, Inc.Unknown6-Mar-2008
Extreme NetworksUnknown6-Mar-2008
F5 Networks, Inc.Unknown6-Mar-2008
Fedora ProjectUnknown6-Mar-2008
Force10 Networks, Inc.Unknown6-Mar-2008
Fortinet, Inc.Unknown6-Mar-2008
Foundry Networks, Inc.Unknown6-Mar-2008
FreeBSD, Inc.Unknown6-Mar-2008
FujitsuUnknown6-Mar-2008
Global Technology AssociatesUnknown6-Mar-2008
Hewlett-Packard CompanyUnknown6-Mar-2008
HitachiUnknown6-Mar-2008
HyperchipUnknown6-Mar-2008
IBM CorporationUnknown6-Mar-2008
IBM Corporation (zseries)Unknown6-Mar-2008
IBM eServerUnknown6-Mar-2008
Ingrian Networks, Inc.Unknown6-Mar-2008
Intel CorporationNot Vulnerable6-Mar-2008
Internet Security Systems, Inc.Unknown6-Mar-2008
IntotoNot Vulnerable6-Mar-2008
IP Infusion, Inc.Unknown6-Mar-2008
Juniper Networks, Inc.Not Vulnerable3-Apr-2008
Linksys (A division of Cisco Systems)Unknown6-Mar-2008
Lucent TechnologiesUnknown6-Mar-2008
Luminous NetworksUnknown6-Mar-2008
Mandriva, Inc.Unknown6-Mar-2008
McAfeeUnknown6-Mar-2008
Microsoft CorporationNot Vulnerable3-Apr-2008
MIT Kerberos Development TeamVulnerable18-Mar-2008
MontaVista Software, Inc.Unknown6-Mar-2008
Multinet (owned Process Software Corporation)Unknown6-Mar-2008
Multitech, Inc.Unknown6-Mar-2008
NEC CorporationUnknown6-Mar-2008
NetBSDUnknown6-Mar-2008
Network Appliance, Inc.Unknown6-Mar-2008
NextHop Technologies, Inc.Unknown6-Mar-2008
Nortel Networks, Inc.Unknown6-Mar-2008
Novell, Inc.Unknown6-Mar-2008
Openwall GNU/*/LinuxUnknown6-Mar-2008
QNX, Software Systems, Inc.Unknown6-Mar-2008
QuaggaUnknown6-Mar-2008
Red Hat, Inc.Unknown6-Mar-2008
Redback Networks, Inc.Unknown6-Mar-2008
Riverstone Networks, Inc.Unknown6-Mar-2008
Secure Computing Network Security DivisionNot Vulnerable6-Mar-2008
Silicon Graphics, Inc.Unknown6-Mar-2008
Slackware Linux Inc.Unknown6-Mar-2008
Sony CorporationUnknown6-Mar-2008
StonesoftUnknown6-Mar-2008
Sun Microsystems, Inc.Not Vulnerable18-Mar-2008
SUSE LinuxUnknown6-Mar-2008
Symantec, Inc.Unknown6-Mar-2008
The SCO GroupUnknown6-Mar-2008
TippingPoint, Technologies, Inc.Not Vulnerable18-Mar-2008
Trustix Secure LinuxUnknown6-Mar-2008
TurbolinuxUnknown6-Mar-2008
UbuntuVulnerable19-Mar-2008
UnisysUnknown6-Mar-2008
Watchguard Technologies, Inc.Unknown6-Mar-2008
Wind River Systems, Inc.Unknown6-Mar-2008
ZyXELUnknown6-Mar-2008

References


http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt

Credit

Thanks to Ken Raeburn of the MIT Kerberos Team for reporting this vulnerability. MIT credits Jeff Altman of Secure Endpoints with discovering and reporting this issue in software version 1.6.3 and the Red Hat Security Response Team for reporting relevant information about older versions of the software.

This document was written by Chad R Dougherty.

Other Information

Date Public03/18/2008
Date First Published03/18/2008 03:34:29 PM
Date Last Updated04/03/2008
CERT Advisory 
CVE NameCVE-2008-0947; CVE-2008-0948
US-CERT Technical Alerts 
Metric2.87
Document Revision14

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader