Vulnerability Note VU#875073

Kerberos administration daemon vulnerable to buffer overflow

Original Release date: 23 Oct 2002 | Last revised: 26 Feb 2003

Overview

Multiple Kerberos distributions contain a remotely exploitable buffer overflow in the Kerberos administration daemon. A remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.

Description

A remotely exploitable buffer overflow exists in the Kerberos administration daemon in both the MIT and KTH Kerberos implementations. The administration daemon handles requests for changes to the Kerberos database and runs on the master Key Distribution Center (KDC) system of a Kerberos realm. The master KDC holds the authoritative copy of the Kerberos database, so it is a critical part of a site's Kerberos infrastructure. The overflow is triggered when the daemon parses an unchecked length value contained in an administrative request read from the network. An attacker does not have to authenticate to exploit this vulnerability, and the Kerberos administration daemon runs with root privileges.
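The bug class the description refers to, as an added illustration that is not kadmind4 source or code from any Kerberos distribution: a length-prefixed request whose length field drives a copy into a fixed-size buffer without being compared against that buffer's capacity, shown beside a hardened parser that rejects the request before copying. The 2-byte big-endian length header, the 64-byte buffer and the flat "frame" layout are assumptions made for the demonstration; the guard bytes after the buffer stand in for the saved frame pointer and return address that a stack overrun would reach.

```c
/*
 * Added illustration, not code from kadmind4 or any Kerberos distribution.
 * Assumed wire format: 2-byte big-endian length, then that many payload bytes.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum {
    HDR_LEN     = 2,    /* assumed: big-endian 16-bit length prefix */
    REQ_BUF_LEN = 64,   /* assumed fixed-size request buffer */
    GUARD_LEN   = 8,    /* stands in for saved frame pointer / return address */
    FRAME_LEN   = REQ_BUF_LEN + GUARD_LEN
};

/* One flat array models the stack around the request buffer: bytes
 * [0, REQ_BUF_LEN) are the buffer, the GUARD_LEN bytes after it are data the
 * attacker must never control. Keeping both in one object lets the overrun
 * be observed without corrupting real memory. */
struct frame {
    unsigned char mem[FRAME_LEN];
};

static const unsigned char guard_pattern[GUARD_LEN] =
    { 0xC3, 0x5A, 0xA5, 0x3C, 0x96, 0x69, 0x0F, 0xF0 };

void frame_init(struct frame *f)
{
    memset(f->mem, 0, REQ_BUF_LEN);
    memcpy(f->mem + REQ_BUF_LEN, guard_pattern, GUARD_LEN);
}

int guard_intact(const struct frame *f)
{
    return memcmp(f->mem + REQ_BUF_LEN, guard_pattern, GUARD_LEN) == 0;
}

size_t read_be16(const unsigned char *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* Vulnerable parser: the length field is trusted. Returns payload bytes
 * copied, or 0 for a truncated message. A length beyond FRAME_LEN would
 * overrun this model object exactly as a real request overruns the
 * daemon's stack buffer, so the demo keeps the attack at FRAME_LEN. */
size_t parse_request_unchecked(struct frame *f,
                               const unsigned char *msg, size_t msg_len)
{
    if (msg_len < HDR_LEN)
        return 0;
    size_t len = read_be16(msg);
    if (msg_len - HDR_LEN < len)         /* whole request not yet read */
        return 0;
    memcpy(f->mem, msg + HDR_LEN, len);  /* BUG: len never compared to REQ_BUF_LEN */
    return len;
}

/* Hardened parser: reject a length larger than the buffer before a single
 * byte is copied. Returns 0 on success, -1 if truncated, -2 if the
 * advertised length exceeds REQ_BUF_LEN. */
int parse_request_checked(struct frame *f, const unsigned char *msg,
                          size_t msg_len, size_t *out_len)
{
    if (msg_len < HDR_LEN)
        return -1;
    size_t len = read_be16(msg);
    if (len > REQ_BUF_LEN)
        return -2;
    if (msg_len - HDR_LEN < len)
        return -1;
    memcpy(f->mem, msg + HDR_LEN, len);
    *out_len = len;
    return 0;
}

/* Constructs a request carrying `payload_len` copies of `fill`.
 * Returns the total message length, or 0 if `out` is too small. */
size_t build_request(unsigned char *out, size_t out_cap,
                     size_t payload_len, unsigned char fill)
{
    if (payload_len > 0xFFFF || out_cap < HDR_LEN + payload_len)
        return 0;
    out[0] = (unsigned char)(payload_len >> 8);
    out[1] = (unsigned char)(payload_len & 0xFF);
    memset(out + HDR_LEN, fill, payload_len);
    return HDR_LEN + payload_len;
}

/* Feeds a constructed oversized request (FRAME_LEN bytes of 'A') and a
 * legitimate 16-byte one to both parsers. Returns 0 when the unchecked
 * parser clobbers the guard while the checked parser rejects the same
 * message and still accepts the small one; nonzero otherwise. */
int run_demo(void)
{
    unsigned char msg[HDR_LEN + FRAME_LEN];
    struct frame f;
    size_t got = 0;

    size_t n = build_request(msg, sizeof msg, FRAME_LEN, 'A');
    frame_init(&f);
    if (parse_request_unchecked(&f, msg, n) != FRAME_LEN || guard_intact(&f))
        return 1;                        /* expected the overrun */

    frame_init(&f);
    if (parse_request_checked(&f, msg, n, &got) != -2 || !guard_intact(&f))
        return 2;                        /* expected rejection */

    n = build_request(msg, sizeof msg, 16, 'B');
    frame_init(&f);
    if (parse_request_checked(&f, msg, n, &got) != 0 || got != 16 ||
        !guard_intact(&f))
        return 3;                        /* expected acceptance */
    return 0;
}

int main(void)
{
    int rc = run_demo();
    puts(rc == 0 ? "unchecked parser overran the guard; checked parser rejected the request"
                 : "unexpected result");
    return rc;
}
```

Both parsers check that the whole request has been read; only the hardened one compares the advertised length against the destination's capacity, and it does so before the copy. That ordering is the property to look for when reviewing a patch for this class of bug: a bound evaluated after the copy, or against the number of bytes received rather than the buffer size, leaves the overflow in place.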

Further information is available in MIT krb5 Security Advisory 2002-002. MIT has also provided a description of the attack signature against kadmind4.

In the MIT Kerberos 5 distribution, kadmind4 is included to provide legacy support for Kerberos 4 administrative clients. In the KTH Kerberos 5 (Heimdal) distribution, kadmind can be compiled with Kerberos 4 support. Sites using Kerberos 5 may therefore be running a vulnerable Kerberos administration daemon. Other implementations derived from MIT Kerberos 4 are likely to be affected, and many operating systems include Kerberos code from MIT or KTH.

Impact

An unauthenticated, remote attacker could execute arbitrary code with root privileges.

Solution

Patch or Upgrade

Apply the appropriate patch or upgrade as specified by your vendor.

Disable Vulnerable Service

If it is not needed, disable Kerberos 4 support. In MIT Kerberos 5, disable kadmind4. In KTH Heimdal, compile kadmind without Kerberos 4 support. This prevents Kerberos 4 administrative clients from accessing the Kerberos database.

Block or Restrict Access

Block access to the Kerberos administration server from untrusted networks such as the Internet. Furthermore, only allow access to the server from trusted administrative hosts. The assigned port for the Kerberos 4 administrative protocol is 751/tcp and 751/udp; however, this may be configured differently. It may also be necessary to block access to Kerberos 5 administration daemons that support the Kerberos 4 administration protocol. The assigned port for the Kerberos 5 administrative protocol is 749/tcp and 749/udp. Again, this may be configured differently. Note that this workaround does not remove the vulnerability; it only limits the hosts from which an attack can originate.

Systems Affected

Vendor                           Status        Date Notified   Date Updated
Apple Computer Inc.              Affected      24 Oct 2002     30 Oct 2002
Conectiva                        Affected      24 Oct 2002     06 Nov 2002
Debian                           Affected      24 Oct 2002     08 Nov 2002
FreeBSD                          Affected      24 Oct 2002     13 Nov 2002
Gentoo Linux                     Affected      -               08 Nov 2002
Hewlett-Packard Company          Affected      24 Oct 2002     14 Feb 2003
IBM                              Affected      24 Oct 2002     14 Feb 2003
KTH Kerberos                     Affected      24 Oct 2002     30 Oct 2002
MandrakeSoft                     Affected      24 Oct 2002     08 Nov 2002
MIT Kerberos Development Team    Affected      24 Oct 2002     30 Oct 2002
NetBSD                           Affected      24 Oct 2002     30 Oct 2002
OpenBSD                          Affected      24 Oct 2002     08 Nov 2002
Red Hat Inc.                     Affected      24 Oct 2002     07 Nov 2002
Sorceror Linux                   Affected      -               14 Feb 2003
BSDI                             Not Affected  24 Oct 2002     24 Oct 2002

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

Credit

The CERT/CC thanks the MIT and KTH Kerberos development teams for information used in this document.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2002-1235
  • CERT Advisory: CA-2002-29
  • Date Public: 30 Sep 2002
  • Date First Published: 23 Oct 2002
  • Date Last Updated: 26 Feb 2003
  • Severity Metric: 20.53
  • Document Revision: 23
