Overview
An unauthenticated attacker can cause krb5_recvauth() function to free a block of memory twice, possibly leading to arbitrary code execution.
Description
Kerberos is a network authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions. MIT krb5 Security Advisory 2005-003 issued 2005 July 12, available from |
Impact
An unauthenticated attacker may be able to execute arbitrary code in the context of a program calling krb5_recvauth(). This includes the kpropd program which typically runs on slave Key Distribution Center (KDC) hosts, potentially leading to compromise of an entire Kerberos realm. For more information please see the MIT krb5 Security Advisory 2005-003. |
Solution
Apply patches available from your vendor. Details of the patch are also available from
|
Vendor Information
MiT Kerberos Development Team Affected
Updated: July 12, 2005
Status
Affected
Vendor Statement
-----BEGIN PGP SIGNED MESSAGE-----
MIT krb5 Security Advisory 2005-003
Original release: 2005-07-12
Topic: double-free in krb5_recvauth
Severity: CRITICAL
SUMMARY
=======
The krb5_recvauth() function can free previously freed memory under
some error conditions. This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm. No exploit code is known to exist at this time. Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689, VU#623332]
IMPACT
======
An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth(). This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm. Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.
AFFECTED SOFTWARE
=================
* The kpropd daemon in all releases of MIT krb5, up to and including
krb5-1.4.1, is vulnerable.
* The klogind and krshd remote-login daemons in all releases of MIT
krb5, up to and including krb5-1.4.1, is vulnerable.
* Third-party application programs which call krb5-recvauth() are also
vulnerable.
FIXES
=====
* The upcoming krb5-1.4.2 release will have a fix for this
vulnerability.
* Apply the following patch. This patch was generated against the
krb5-1.4.1 release. It may apply, with some offset, to earlier
releases.
The patch may also be found at:
http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc
Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c 3 Sep 2002 01:13:47 -0000 5.38
- --- lib/krb5/krb/recvauth.c 23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
if ((retval = krb5_read_message(context, fd, &inbuf)))
return(retval);
if (strcmp(inbuf.data, sendauth_version)) {
- - krb5_xfree(inbuf.data);
problem = KRB5_SENDAUTH_BADAUTHVERS;
}
krb5_xfree(inbuf.data);
- --- 76,81 ----
***************
*** 90,96 ****
if ((retval = krb5_read_message(context, fd, &inbuf)))
return(retval);
if (appl_version && strcmp(inbuf.data, appl_version)) {
- - krb5_xfree(inbuf.data);
if (!problem)
problem = KRB5_SENDAUTH_BADAPPLVERS;
}
- --- 89,94 ----
REFERENCES
==========
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVE: CAN-2005-1689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689
CERT: VU#623332
http://www.kb.cert.org/vuls/id/623332
ACKNOWLEDGMENTS
===============
Thanks to Magnus Hagander for reporting this vulnerability.
DETAILS
=======
The helper function revcauth_common() in lib/krb5/krb/recvauth.c has
two locations which call krb5_read_message(), followed by an
unconditional krb5_xfree() of the buffer allocated by
krb5_read_message(). In the cases where the sendauth version string
or the application version string do not match the expected value,
recvauth_common() performs a krb5_xfree() on the buffer allocated by
krb5_read_message() preceding the subsequent unconditional call to
krb5_xfree() on the same buffer.
Since the code paths which call krb5_xfree() twice do so with almost
no intervening code, exploitation of this vulnerability may be more
difficult than exploitation of other double-free vulnerabilities. No
detailed analysis has been performed on the ease of exploitation.
REVISION HISTORY
================
2005-05-12 original release
Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)
iQCVAwUBQtMbD6bDgE/zdoE9AQGmhQP+MYnmuw4+J3yIcQbS3chjZXVLHebTJJtN
jM5+cMBDQfYdpuoQER1Bbaf+7Ky1BoyX2zHfANzdDAiSFRykbFqEqgvdw9jqEFmx
ela1UtOhV5H80BZAzmGV+dVIqGPpWH0f4ArRe18Pbz2wZE0Vadq9VkBTJwHI23En
K3a9oiHA/XM=
=ZS63
-----END PGP SIGNATURE-----
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat Inc. Affected
Notified: June 06, 2005 Updated: July 12, 2005
Status
Affected
Vendor Statement
Red Hat, Inc
This issue affects the Kerberos packages shipped with Red Hat Enterprise
Linux. For Red Hat Enterprise Linux 2.1 and Red Hat Enterprise Linux 3
this issue is critical severity. Please see our advisory for more
information:
https://rhn.redhat.com/errata/RHSA-2005-562.html
Red Hat Enterprise Linux 4 contains checks within glibc that detect
double-free flaws. Therefore on Red Hat Enterprise Linux 4 successful
exploitation of this issue can only lead to a denial of service (KDC
crash) which is important severity. Please see our advisory for more
information:
https://rhn.redhat.com/errata/RHSA-2005-567.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sun Microsystems Inc. Affected
Notified: June 06, 2005 Updated: July 13, 2005
Status
Affected
Vendor Statement
Sun is affected by the Kerberos vulnerability described in MIT Advisory MITKRB5-SA-2005-003 and CERT VU#623332. Sun has published Sun Alert 101810 which is available here:
for this issue.
The Sun Alert is currently unresolved but will be updated once either IDRs or T-patches are available on SunSolve. The Sun Alert will ultimately be updated with the released patch information for the final resolution.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Check Point Not Affected
Notified: June 06, 2005 Updated: June 09, 2005
Status
Not Affected
Vendor Statement
Check Point products are not vulnerable to this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
F5 Networks Not Affected
Notified: June 06, 2005 Updated: June 06, 2005
Status
Not Affected
Vendor Statement
F5 products do not include a KDC. No F5 products are vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Force10 Networks Inc. Not Affected
Notified: June 06, 2005 Updated: June 07, 2005
Status
Not Affected
Vendor Statement
Force10 does not implement Kerberos in its products, so we do not need to be listed as a vendor in the vulnerability note.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hitachi Not Affected
Notified: May 10, 2005 Updated: July 12, 2005
Status
Not Affected
Vendor Statement
NOT VULNERABLE
Hitachi HI-UX/WE2 is NOT Vulnerable to this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks Not Affected
Notified: June 06, 2005 Updated: July 12, 2005
Status
Not Affected
Vendor Statement
Juniper Networks' products do not employ Kerberos in any configuration. Juniper's products are not subject to exploitation via the vulnerability in the MIT krb5 software described in VU#623332.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Microsoft Corporation Not Affected
Notified: June 06, 2005 Updated: June 06, 2005
Status
Not Affected
Vendor Statement
At this point, we have determined that there are no Microsoft products affected by this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Netfilter Not Affected
Notified: June 06, 2005 Updated: June 09, 2005
Status
Not Affected
Vendor Statement
netfilter/iptables does not implement kerberos and is therefore not affected.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
WatchGuard Not Affected
Notified: June 06, 2005 Updated: July 12, 2005
Status
Not Affected
Vendor Statement
WatchGuard believes that it is not affected by this vulnerability. If you have further questions about this or any other security concern with WatchGuard products, please contact:
Steve Fallin
Director, Rapid Response Team
WatchGuard Technologies
http://www.watchguard.com
steve.fallin@watchguard.com
+1.206.521.8340
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apple Computer Inc. Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Connectiva Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray Inc. Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
EMC Corporation Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Engarde Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeBSD Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
HP Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Immunix Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Ingrian Networks Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
KTH Kerberos Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Mandriva Inc. Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MontaVista Software Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NEC Corporation Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NetBSD Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nokia Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Novell Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenBSD Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Openwall GNU/*/Linux Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
QNX Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SCO Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SGI Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sequent Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sony Corporation Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SuSE Inc. Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
TurboLinux Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Unisys Unknown
Notified: June 06, 2005 Updated: July 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Wind River Systems Unknown
Notified: June 06, 2005 Updated: August 08, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was reported by the MIT Kerberos Development Team. The MIT Kerberos Development Team thanks Magnus Hagander for reporting this vulnerability.
This document was written by Robert Mead based on information in the MIT krb5 Security Advisory 2005-003.
Other Information
| CVE IDs: | CVE-2005-1689 |
| Severity Metric: | 13.01 |
| Date Public: | 2005-07-12 |
| Date First Published: | 2005-07-13 |
| Date Last Updated: | 2005-08-08 19:18 UTC |
| Document Revision: | 26 |