|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
 |
Vulnerability Note VU#419344
MIT Kerberos 5 GSS-API library double-free vulnerability
OverviewThe GSS-API library provided with MIT krb5 contains a vulnerability that may allow a remote, authenticated attacker to execute arbitrary code or cause a denial of service.
I. DescriptionA vulnerability in the way the GSS-API library provided with MIT krb5 handles messages with an invalid direction encoding may result in a double free. According to MIT krb5 Security Advisory MITKRB5-SA-2007-003:
The kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees memory allocated for the "message_buffer" gss_buffer_t when it detects an invalid direction encoding on the message. It does not set the pointer to NULL, nor does it set the length to zero. An application subsequently calling gss_release_buffer() on this gss_buffer_t will cause memory to be freed twice.
Much code provided with MIT krb5 does not attempt to call gss_release_buffer() when gss_unseal() or gss_unwrap() fails, even though the GSS-API C-bindings specification permits it to do so. The RPCSEC_GSS authentication flavor for the RPC library, introduced in krb5-1.4, does call gss_release_buffer() when gss_unwrap() fails. This allows an authenticated attacker to trigger a double-free situation.
Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6. Other server applications that utilize the RPC library or the MIT GSS-API library provided with MIT krb5 may also be affected.
This vulnerability can be triggered by sending a specially crafted Kerberos message to a vulnerable system.
II. ImpactA remote, authenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.
III. SolutionApply Patch
A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-003. MIT also states that this will be addressed in the upcoming krb5-1.6.1 release.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|
| 3com, Inc. | Unknown | 4-Apr-2007 |
| Alcatel | Unknown | 4-Apr-2007 |
| Apple Computer, Inc. | Vulnerable | 20-Apr-2007 |
| AttachmateWRQ, Inc. | Not Vulnerable | 4-Apr-2007 |
| AT&T | Unknown | 4-Apr-2007 |
| Avaya, Inc. | Unknown | 4-Apr-2007 |
| Avici Systems, Inc. | Unknown | 4-Apr-2007 |
| Borderware Technologies | Unknown | 4-Apr-2007 |
| Charlotte's Web Networks | Unknown | 4-Apr-2007 |
| Check Point Software Technologies | Unknown | 4-Apr-2007 |
| Chiaro Networks, Inc. | Unknown | 4-Apr-2007 |
| Cisco Systems, Inc. | Not Vulnerable | 2-Apr-2007 |
| Clavister | Unknown | 4-Apr-2007 |
| Computer Associates | Unknown | 4-Apr-2007 |
| Conectiva Inc. | Unknown | 4-Apr-2007 |
| Cray Inc. | Unknown | 4-Apr-2007 |
| CyberSafe, Inc. | Not Vulnerable | 4-Apr-2007 |
| D-Link Systems, Inc. | Unknown | 4-Apr-2007 |
| Data Connection, Ltd. | Unknown | 4-Apr-2007 |
| Debian GNU/Linux | Vulnerable | 4-Apr-2007 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 4-Apr-2007 |
| Engarde Secure Linux | Unknown | 4-Apr-2007 |
| Ericsson | Unknown | 4-Apr-2007 |
| eSoft, Inc. | Unknown | 4-Apr-2007 |
| Extreme Networks | Unknown | 4-Apr-2007 |
| F5 Networks, Inc. | Unknown | 4-Apr-2007 |
| Fedora Project | Unknown | 4-Apr-2007 |
| Force10 Networks, Inc. | Not Vulnerable | 4-Apr-2007 |
| Fortinet, Inc. | Unknown | 4-Apr-2007 |
| Foundry Networks, Inc. | Unknown | 4-Apr-2007 |
| FreeBSD, Inc. | Unknown | 4-Apr-2007 |
| Fujitsu | Unknown | 4-Apr-2007 |
| Gentoo Linux | Vulnerable | 4-Apr-2007 |
| Global Technology Associates | Unknown | 4-Apr-2007 |
| Heimdal Kerberos Project | Not Vulnerable | 4-Apr-2007 |
| Hewlett-Packard Company | Unknown | 4-Apr-2007 |
| Hitachi | Not Vulnerable | 2-Apr-2007 |
| Hitachi | Not Vulnerable | 4-Apr-2007 |
| Hyperchip | Unknown | 4-Apr-2007 |
| IBM Corporation | Unknown | 4-Apr-2007 |
| IBM Corporation (zseries) | Unknown | 4-Apr-2007 |
| IBM eServer | Unknown | 4-Apr-2007 |
| Immunix Communications, Inc. | Unknown | 4-Apr-2007 |
| Ingrian Networks, Inc. | Unknown | 4-Apr-2007 |
| Intel Corporation | Unknown | 4-Apr-2007 |
| Internet Security Systems, Inc. | Unknown | 4-Apr-2007 |
| Intoto | Not Vulnerable | 4-Apr-2007 |
| IP Filter | Unknown | 4-Apr-2007 |
| Juniper Networks, Inc. | Not Vulnerable | 4-Apr-2007 |
| KTH Kerberos Team | Unknown | 4-Apr-2007 |
| Linksys (A division of Cisco Systems) | Unknown | 4-Apr-2007 |
| Lucent Technologies | Unknown | 4-Apr-2007 |
| Luminous Networks | Unknown | 4-Apr-2007 |
| Mandriva, Inc. | Vulnerable | 5-Apr-2007 |
| Microsoft Corporation | Not Vulnerable | 4-Apr-2007 |
| MIT Kerberos Development Team | Vulnerable | 3-Apr-2007 |
| MontaVista Software, Inc. | Unknown | 4-Apr-2007 |
| Multinet (owned Process Software Corporation) | Unknown | 4-Apr-2007 |
| Multitech, Inc. | Unknown | 4-Apr-2007 |
| NEC Corporation | Not Vulnerable | 6-Apr-2007 |
| NetBSD | Unknown | 4-Apr-2007 |
| netfilter | Unknown | 4-Apr-2007 |
| Network Appliance, Inc. | Unknown | 4-Apr-2007 |
| NextHop Technologies, Inc. | Unknown | 4-Apr-2007 |
| Nokia | Unknown | 4-Apr-2007 |
| Nortel Networks, Inc. | Unknown | 4-Apr-2007 |
| Novell, Inc. | Unknown | 4-Apr-2007 |
| OpenBSD | Unknown | 4-Apr-2007 |
| Openwall GNU/*/Linux | Not Vulnerable | 4-Apr-2007 |
| QNX, Software Systems, Inc. | Unknown | 4-Apr-2007 |
| Red Hat, Inc. | Vulnerable | 2-Apr-2007 |
| Redback Networks, Inc. | Unknown | 4-Apr-2007 |
| Riverstone Networks, Inc. | Unknown | 4-Apr-2007 |
| rPath | Vulnerable | 5-Apr-2007 |
| Secure Computing Network Security Division | Unknown | 4-Apr-2007 |
| Secureworx, Inc. | Unknown | 4-Apr-2007 |
| Silicon Graphics, Inc. | Unknown | 4-Apr-2007 |
| Slackware Linux Inc. | Unknown | 4-Apr-2007 |
| Sony Corporation | Unknown | 4-Apr-2007 |
| Stonesoft | Unknown | 4-Apr-2007 |
| Sun Microsystems, Inc. | Unknown | 4-Apr-2007 |
| SUSE Linux | Vulnerable | 5-Apr-2007 |
| Symantec, Inc. | Not Vulnerable | 5-Apr-2007 |
| The SCO Group | Unknown | 4-Apr-2007 |
| Trustix Secure Linux | Vulnerable | 6-Apr-2007 |
| Turbolinux | Unknown | 4-Apr-2007 |
| Ubuntu | Vulnerable | 4-Apr-2007 |
| Unisys | Unknown | 4-Apr-2007 |
| Watchguard Technologies, Inc. | Unknown | 4-Apr-2007 |
| Wind River Systems, Inc. | Unknown | 4-Apr-2007 |
| ZyXEL | Unknown | 4-Apr-2007 |
References
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-003.txt
http://secunia.com/advisories/24757/
http://secunia.com/advisories/24735/
http://secunia.com/advisories/24750/
http://secunia.com/advisories/24740/
http://securitytracker.com/alerts/2007/Apr/1017852.html
http://docs.info.apple.com/article.html?artnum=305391
http://secunia.com/advisories/24966/
Credit
This issue is addressed in MIT krb5 Security Advisory MITKRB5-SA-2007-003.
This document was written by Chris Taschner.
Other Information
| Date Public: | 2007-04-03 |
| Date First Published: | 2007-04-03 |
| Date Last Updated: | 2007-04-23 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2007-1216 |
| NVD-ID(s): | CVE-2007-1216 |
| US-CERT Technical Alerts: | |
| Metric: | 17.85 |
| Document Revision: | 43 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader