Vulnerability Note VU#885830

MIT Kerberos 5 allows unauthenticated attacker to cause MIT krb5 Key Distribution Center to overflow a heap buffer by one byte

Original Release date: 13 Jul 2005 | Last revised: 13 Jul 2005

Overview

Unauthenticated attacker can cause MIT krb5 Key Distribution Center (KDC) to overflow a heap buffer by one byte, possibly leading to arbitrary code execution.

Description

Kerberos is a network authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.

The MIT krb5 Security Advisory 2005-002 issued 2005 July 12, available from
<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-002-kdc.txt> indicates:

    When an MIT krb5 Key Distribution Center (KDC) implementation receives a certain unlikely (but valid) request via a TCP or UDP connection it can trigger a bug in the krb5 library which results in a single-byte overflow of a heap buffer. Application servers are vulnerable to a highly improbable attack, provided that the attacker controls a realm sharing a cross-realm key with the target realm.

Impact

An unauthenticated attacker may be able to use this vulnerability to execute arbitrary code on the KDC host, potentially compromising an entire Kerberos realm. No exploit code is known to exist at this time. According to the MIT krb5 Security Advisory 2005-002 this vulnerability affects KDC implementations and application servers in all MIT krb5 releases, up to and including krb5-1.4.1. Third-party application servers which use MIT krb5 are also affected.

Solution

Apply patches available from your vendor. Details of the patch are also available from

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Red Hat Inc.Affected10 May 200511 Jul 2005
Sun Microsystems Inc.Affected10 May 200513 Jul 2005
F5 NetworksNot Affected12 May 200527 May 2005
Juniper NetworksNot Affected10 May 200521 Jun 2005
Microsoft CorporationNot Affected10 May 200519 May 2005
Apple Computer Inc.Unknown10 May 200510 May 2005
Apple Computer Inc.Unknown10 May 200510 May 2005
ConectivaUnknown10 May 200510 May 2005
Cray Inc.Unknown10 May 200517 May 2005
DebianUnknown10 May 200517 May 2005
EMC CorporationUnknown10 May 200517 May 2005
EngardeUnknown10 May 200517 May 2005
FreeBSDUnknown10 May 200517 May 2005
FujitsuUnknown10 May 200517 May 2005
HitachiUnknown10 May 200517 May 2005
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by the MIT Kerberos Development Team. The MIT Kerberos Development Team thank Daniel Wachdorf for reporting this vulnerability.

This document was written by Robert Mead based on information in the MIT krb5 Security Advisory 2005-002.

Other Information

  • CVE IDs: CAN-2005-1175
  • Date Public: 12 Jul 2005
  • Date First Published: 13 Jul 2005
  • Date Last Updated: 13 Jul 2005
  • Severity Metric: 4.63
  • Document Revision: 16

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.