|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
Vulnerability Note VU#554257
MIT Kerberos kadmind principal renaming stack buffer overflow
OverviewThe MIT Kerberos administration daemon (kadmind) contains a stack buffer overflow that may allow a remote, authenticated attacker to execute arbitrary code or cause a denial of service.
I. DescriptionA vulnerability exists in the way the principal renaming operation used by the Kerberos administration daemon handles strings and a fixed-size stack buffer. This vulnerability may cause a buffer overflow vulnerability that could allow a remote, authenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-005:
The kadmind code which performs the principal renaming operation passes unchecked string arguments to a sprintf() call which has a fixed-size stack buffer as its destination. These strings are the old and new principal names passed to the rename operation. The attacker needs to authenticate to kadmind to perform this attack, but no administrative privileges are required because the vulnerable code executes prior to privilege verification.
Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.1. MIT has been provided with proof-of-concept exploit code, but it's not clear whether the exploit code is publicly available yet.
II. ImpactA remote, authenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.
III. SolutionApply a patch
A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-005. MIT also states that this will be addressed in the upcoming krb5-1.6.2 and krb5-1.5.4 releases.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|
| Apple Computer, Inc. | Unknown | 18-Jun-2007 |
| AttachmateWRQ, Inc. | Unknown | 18-Jun-2007 |
| Conectiva Inc. | Unknown | 18-Jun-2007 |
| Cray Inc. | Unknown | 18-Jun-2007 |
| CyberSafe, Inc. | Not Vulnerable | 18-Jun-2007 |
| Debian GNU/Linux | Vulnerable | 30-Jul-2007 |
| EMC Corporation | Unknown | 18-Jun-2007 |
| Engarde Secure Linux | Unknown | 18-Jun-2007 |
| F5 Networks, Inc. | Unknown | 18-Jun-2007 |
| Fedora Project | Unknown | 18-Jun-2007 |
| FreeBSD, Inc. | Unknown | 18-Jun-2007 |
| Fujitsu | Unknown | 18-Jun-2007 |
| Gentoo Linux | Vulnerable | 14-Aug-2007 |
| Hewlett-Packard Company | Unknown | 18-Jun-2007 |
| Hitachi | Unknown | 18-Jun-2007 |
| IBM Corporation | Unknown | 18-Jun-2007 |
| IBM Corporation (zseries) | Unknown | 18-Jun-2007 |
| IBM eServer | Unknown | 18-Jun-2007 |
| Immunix Communications, Inc. | Unknown | 18-Jun-2007 |
| Ingrian Networks, Inc. | Unknown | 18-Jun-2007 |
| Juniper Networks, Inc. | Not Vulnerable | 26-Jun-2007 |
| KTH Kerberos Team | Unknown | 18-Jun-2007 |
| Mandriva, Inc. | Unknown | 27-Jun-2007 |
| Microsoft Corporation | Not Vulnerable | 19-Jun-2007 |
| MIT Kerberos Development Team | Unknown | 13-Jun-2007 |
| MontaVista Software, Inc. | Unknown | 18-Jun-2007 |
| NEC Corporation | Unknown | 18-Jun-2007 |
| NetBSD | Unknown | 18-Jun-2007 |
| Network Appliance, Inc. | Not Vulnerable | 27-Jun-2007 |
| Nokia | Unknown | 18-Jun-2007 |
| Novell, Inc. | Unknown | 18-Jun-2007 |
| Openwall GNU/*/Linux | Unknown | 18-Jun-2007 |
| QNX, Software Systems, Inc. | Unknown | 18-Jun-2007 |
| Red Hat, Inc. | Vulnerable | 26-Jun-2007 |
| Silicon Graphics, Inc. | Unknown | 18-Jun-2007 |
| Slackware Linux Inc. | Unknown | 18-Jun-2007 |
| Sony Corporation | Unknown | 18-Jun-2007 |
| Sun Microsystems, Inc. | Vulnerable | 28-Jun-2007 |
| SUSE Linux | Unknown | 18-Jun-2007 |
| The SCO Group | Unknown | 18-Jun-2007 |
| Trustix Secure Linux | Unknown | 18-Jun-2007 |
| Turbolinux | Unknown | 18-Jun-2007 |
| Ubuntu | Vulnerable | 27-Jun-2007 |
| Unisys | Unknown | 18-Jun-2007 |
| Wind River Systems, Inc. | Unknown | 18-Jun-2007 |
References
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=548
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt
http://www.ubuntu.com/usn/usn-477-1
http://www.mandriva.com/security/advisories?name=MDKSA-2007:137
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102985-1
http://secunia.com/advisories/25800/
http://secunia.com/advisories/26033/
http://docs.info.apple.com/article.html?artnum=306172
Credit
Thanks to MIT for reporting this vulnerability, who in turn credit an anonymous discoverer working with iDefense.
This document was written by Will Dormann.
Other Information
| Date Public: | 2007-06-26 |
| Date First Published: | 2007-06-26 |
| Date Last Updated: | 2007-08-14 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2007-2798 |
| NVD-ID(s): | CVE-2007-2798 |
| US-CERT Technical Alerts: | |
| Metric: | 16.80 |
| Document Revision: | 16 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader