US-CERT Vulnerability Notes Database

Vulnerability Note VU#875073

Kerberos administration daemon vulnerable to buffer overflow

Overview

Multiple Kerberos distributions contain a remotely exploitable buffer overflow in the Kerberos administration daemon. A remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.

I. Description

A remotely exploitable buffer overflow exists in the Kerberos administration daemon in both the MIT and KTH Kerberos implementations. The administration daemon handles requests for changes to the Kerberos database and runs on the master Key Distribution Center (KDC) system of a Kerberos realm. The master KDC holds the authoritative copy of the Kerberos database, so it is a critical part of a site's Kerberos infrastructure. The buffer overflow is triggered when the daemon parses an unchecked length value contained in an administrative request read from the network. An attacker does not have to authenticate in order to exploit this vulnerability, and the Kerberos administration daemon runs with root privileges.

Further information is available in MIT krb5 Security Advisory 2002-002. MIT has also provided a description of the attack signature against kadmind4.

In the MIT Kerberos 5 distribution, kadmind4 is included to provide legacy support for Kerberos 4 administrative clients. In the KTH Kerberos 5 (Heimdal) distribution, kadmind can be compiled with Kerberos 4 support. Therefore, sites using Kerberos 5 may be running a vulnerable Kerberos administration daemon. Other implementations derived from MIT Kerberos 4 are likely to be affected, and many operating systems include Kerberos code from MIT or KTH.
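The following is an added illustration of the bug class described above, not the MIT kadmind4 or Heimdal kadmind source: an administrative request framed as a two-byte big-endian length followed by that many bytes, copied into a fixed-size field. The wire format, the 64-byte field and the function names are assumptions made for the example. The vulnerable parser trusts the length field; the hardened parser checks it against both the bytes actually received and the destination size before copying.

```c
/*
 * Added illustration for VU#875073: a length-prefixed administrative request
 * parsed into a fixed-size buffer, in the vulnerable shape and a hardened one.
 * This is not the MIT kadmind4 or Heimdal kadmind code; the wire format
 * (2-byte big-endian length + payload) and the 64-byte field are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRINCIPAL_MAX 64          /* assumed fixed field size in the daemon */

struct admin_request {
    char   principal[PRINCIPAL_MAX];
    size_t principal_len;
};

/* Vulnerable pattern: the length field from the network is used directly
 * as the copy size. A request claiming more than PRINCIPAL_MAX bytes
 * overwrites whatever follows req->principal (here principal_len; on a
 * real stack frame, saved registers and the return address). Only call
 * this with well-formed input. */
static int parse_admin_request_vuln(const uint8_t *pkt, size_t pktlen,
                                    struct admin_request *req)
{
    if (pktlen < 2)
        return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(req->principal, pkt + 2, len);   /* BUG: len is never checked */
    req->principal_len = len;
    return 0;
}

/* Hardened: validate the claimed length against both what was actually
 * received and the destination size before copying anything. */
static int parse_admin_request_safe(const uint8_t *pkt, size_t pktlen,
                                    struct admin_request *req)
{
    if (pktlen < 2)
        return -1;                          /* no length field at all */
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    if (len > pktlen - 2)
        return -1;                          /* claims more than received */
    if (len >= sizeof req->principal)
        return -2;                          /* would overflow: reject */
    memcpy(req->principal, pkt + 2, len);
    req->principal[len] = '\0';
    req->principal_len = len;
    return 0;
}

/* Builds a constructed request packet (2-byte length + payload) into pkt.
 * Returns the total packet size, or 0 if it does not fit. */
static size_t build_request(uint8_t *pkt, size_t cap,
                            const void *payload, size_t len)
{
    if (len > 0xFFFF || len + 2 > cap)
        return 0;
    pkt[0] = (uint8_t)(len >> 8);
    pkt[1] = (uint8_t)(len & 0xFF);
    memcpy(pkt + 2, payload, len);
    return len + 2;
}

int main(void)
{
    uint8_t pkt[512];
    struct admin_request req;
    char big[300];
    memset(big, 'A', sizeof big);           /* constructed oversize payload */

    const char *good = "admin/admin@EXAMPLE.ORG";
    size_t n = build_request(pkt, sizeof pkt, good, strlen(good));
    printf("well-formed request: safe parser returns %d\n",
           parse_admin_request_safe(pkt, n, &req));

    n = build_request(pkt, sizeof pkt, big, sizeof big);
    printf("300-byte request:    safe parser returns %d (rejected)\n",
           parse_admin_request_safe(pkt, n, &req));
    /* parse_admin_request_vuln(pkt, n, &req) here would smash the stack. */
    return 0;
}
```

The two checks in the hardened parser are distinct: the first prevents an over-read of the receive buffer when the length field lies about how much data follows, the second prevents the write past the end of the fixed-size field that gives an unauthenticated client control of the daemon's stack.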

II. Impact

An unauthenticated, remote attacker could execute arbitrary code with root privileges.

III. Solution

Patch or Upgrade

Apply the appropriate patch or upgrade as specified by your vendor.

Disable Vulnerable Service

If it is not needed, disable Kerberos 4 support. In MIT Kerberos 5, disable kadmind4. In KTH Heimdal, compile kadmind without Kerberos 4 support. This will prevent Kerberos 4 administrative clients from accessing the Kerberos database.

Block or Restrict Access

Block access to the Kerberos administration server from untrusted networks such as the Internet. Furthermore, only allow access to the server from trusted administrative hosts. The assigned port for the Kerberos 4 administrative protocol is 751/tcp and 751/udp; however, this may be configured differently. It may also be necessary to block access to Kerberos 5 administration daemons that support the Kerberos 4 administration protocol. The assigned port for the Kerberos 5 administrative protocol is 749/tcp and 749/udp. Again, this may be configured differently. Note that this workaround will not prevent exploitation, but it will limit the possible sources of attacks.

Systems Affected

Vendor                          Status           Date Updated
Alcatel                         Unknown          30-Oct-2002
Apple Computer Inc.             Vulnerable       30-Oct-2002
AT&T                            Unknown          30-Oct-2002
Avaya                           Unknown          30-Oct-2002
BSDI                            Not Vulnerable   24-Oct-2002
Cisco Systems Inc.              Unknown          30-Oct-2002
Computer Associates             Unknown          30-Oct-2002
Conectiva                       Vulnerable       6-Nov-2002
Cray Inc.                       Not Vulnerable   8-Nov-2002
D-Link Systems                  Unknown          30-Oct-2002
Data General                    Unknown          30-Oct-2002
Debian                          Vulnerable       8-Nov-2002
F5 Networks                     Unknown          30-Oct-2002
FreeBSD                         Vulnerable       13-Nov-2002
Fujitsu                         Unknown          30-Oct-2002
Gentoo Linux                    Vulnerable       8-Nov-2002
Guardian Digital Inc.           Unknown          30-Oct-2002
Hewlett-Packard Company         Vulnerable       14-Feb-2003
IBM                             Vulnerable       14-Feb-2003
Intel                           Unknown          30-Oct-2002
Juniper Networks                Unknown          30-Oct-2002
KTH Kerberos                    Vulnerable       30-Oct-2002
Lucent                          Unknown          30-Oct-2002
MandrakeSoft                    Vulnerable       8-Nov-2002
Microsoft Corporation           Not Vulnerable   30-Oct-2002
MIT Kerberos Development Team   Vulnerable       30-Oct-2002
MontaVista Software             Unknown          30-Oct-2002
Multinet                        Unknown          30-Oct-2002
NEC Corporation                 Unknown          30-Oct-2002
NetBSD                          Vulnerable       30-Oct-2002
Network Appliance               Unknown          30-Oct-2002
Nortel Networks                 Unknown          30-Oct-2002
OpenBSD                         Vulnerable       8-Nov-2002
Openwall GNU/*/Linux            Not Vulnerable   30-Oct-2002
Red Hat Inc.                    Vulnerable       7-Nov-2002
Sequent                         Unknown          30-Oct-2002
SGI                             Unknown          30-Oct-2002
Sony Corporation                Unknown          30-Oct-2002
Sorceror Linux                  Vulnerable       14-Feb-2003
Sun Microsystems Inc.           Not Vulnerable   8-Nov-2002
SuSE Inc.                       Not Vulnerable   30-Oct-2002
The SCO Group                   Unknown          30-Oct-2002
Unisphere Networks              Unknown          30-Oct-2002
Unisys                          Unknown          30-Oct-2002
Wirex                           Unknown          30-Oct-2002
Xerox                           Not Vulnerable   25-Feb-2003

References

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt
http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt
http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24
http://www.pdc.kth.se/kth-krb/
http://www.pdc.kth.se/heimdal/
http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing
ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.4e.kadmind-patch

Credit

The CERT/CC thanks the MIT and KTH Kerberos development teams for information used in this document.

This document was written by Art Manion.

Other Information

Date Public:              09/30/2002
Date First Published:     10/23/2002 07:56:37 PM
Date Last Updated:        02/26/2003
CERT Advisory:            CA-2002-29
CVE Name:                 CAN-2002-1235
US-CERT Technical Alerts:
Metric:                   20.53
Document Revision:        23

Copyright 2002 Carnegie Mellon University