Vulnerability Note VU#442569

MIT Kerberos vulnerable to ticket splicing when using Kerberos4 triple DES service tickets

Original Release date: 20 Mar 2003 | Last revised: 09 May 2003

Overview

Several cryptographic vulnerabilities exist in the basic Kerberos version 4 protocol that could allow an attacker to impersonate any user in a Kerberos realm and gain any privilege authorized through that Kerberos realm.

Description

The MIT Kerberos Development team has discovered a serious cryptographic flaw in the Kerberos version 4 protocol. This flaw could allow an attacker to compromise the entire affected Kerberos realm. In addition to the vulnerability described in VU#623217, an additional vulnerability was discovered in the MIT Kerberos implementation of triple-DES encryption of service tickets.

From the MIT advisory:

    "As a result of concerns about single DES weaknesses, MIT implemented support for Kerberos 4 tickets encrypted in triple DES service keys. This support shares all the cryptographic weaknesses of single DES Kerberos 4. In addition, since it uses CBC mode rather than PCBC mode, it introduces new weaknesses not found in other Kerberos 4 implementations. When certain alignment constraints are met, it is possible to splice two tickets together, allowing an attacker to get a ticket with a known session key for a client without knowing that client's long term key. This attack does require sniffing a ticket for that client."
As a result, MIT implementations of Kerberos version 5 or derived implementations that include support for triple-DES keys in Kerberos version 4 are vulnerable.

Impact

In addition to the impacts described for VU#623217, an attacker may impersonate any principal to a service keyed with triple-DES Kerberos version 4 keys, given the ability to capture network traffic containing tickets for the target client principal.

Solution

Apply a patch from the vendor

The MIT Kerberos team has released MIT krb5 Security Advisory 2003-004 regarding this vulnerability. Sites are strongly encouraged to apply the patches referenced in the advisory.

Workarounds

In the absence of patching, the following workarounds have been proposed by the MIT Kerberos team:

1) V4 Cross Realm Considered Harmful

    Kerberos implementations should gain an option to
   disable Kerberos 4 cross-realm authentication both in the KDC and
   in any implementations of the krb524 protocol.  This configuration
   should be the default.

2)  Application Migration

    Application vendors and sites should migrate from Kerberos version 4
   to Kerberos version 5.  The OpenAFS community has introduced features
   that allow Kerberos 5 to be used for AFS in OpenAFS 1.2.8.  Patches
   are available to add Kerberos 5 support to OpenSSH.  Several other
   implementations of the SSH protocol also support Kerberos 5.
   Applications such as IMAP, POP and LDAP already support Kerberos 5.

3) TGT Key Separation

    One motivation for the V4 triple DES support is that if a single
   DES key  exists for the TGT principal then an attacker can  attack
   that key both for v4 and v5 tickets. Kerberos
   implementations should gain support for a DES TGT key that is used
   for v4 requests but not v5 requests.

4) Remove Triple DES Kerberos 4 Support

    The cut and paste attack is a critical failure in MIT's attempt at
   Kerberos 4 Triple DES.  Even without cross-realm authentication,
   this can be exploited in real-world situations.  As such the
   support for 3DES service keys  should be disabled.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
ConectivaAffected05 Mar 200309 May 2003
DebianAffected05 Mar 200331 Mar 2003
Gentoo LinuxAffected-31 Mar 2003
MandrakeSoftAffected05 Mar 200301 Apr 2003
Red Hat Inc.Affected05 Mar 200302 Apr 2003
WirexAffected05 Mar 200309 Apr 2003
HitachiNot Affected05 Mar 200304 Apr 2003
Ingrian NetworksNot Affected05 Mar 200317 Mar 2003
Juniper NetworksNot Affected05 Mar 200317 Mar 2003
Lotus SoftwareNot Affected-10 Mar 2003
Microsoft CorporationNot Affected05 Mar 200320 Mar 2003
XeroxNot Affected05 Mar 200309 May 2003
3ComUnknown05 Mar 200310 Mar 2003
Apple Computer Inc.Unknown05 Mar 200317 Mar 2003
AT&TUnknown05 Mar 200310 Mar 2003
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC thanks Sam Hartman, Ken Raeburn, and Tom Yu of the Kerberos group at MIT for their detailed analysis and report of this vulnerability.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CAN-2003-0139
  • Date Public: 15 Mar 2003
  • Date First Published: 20 Mar 2003
  • Date Last Updated: 09 May 2003
  • Severity Metric: 8.91
  • Document Revision: 11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.