search menu icon-carat-right cmu-wordmark

CERT Coordination Center

MIT Kerberos 5 contains double free vulnerability in "krb5_recvauth()" function

Vulnerability Note VU#623332

Original Release Date: 2005-07-13 | Last Revised: 2005-08-08

Overview

An unauthenticated attacker can cause krb5_recvauth() function to free a block of memory twice, possibly leading to arbitrary code execution.

Description

Kerberos is a network authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.

MIT krb5 Security Advisory 2005-003 issued 2005 July 12, available from
<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-003-recvauth.txt> states:

The krb5_recvauth() function can free previously freed memory under some error conditions. This vulnerability may allow an unauthenticated remote attacker to execute arbitrary code. Exploitation of this vulnerability on a Kerberos Key Distribution Center (KDC) host can result in compromise of an entire Kerberos realm. No exploit code is known to exist at this time. Exploitation of double-free vulnerabilities is believed to be difficult.

Impact

An unauthenticated attacker may be able to execute arbitrary code in the context of a program calling krb5_recvauth(). This includes the kpropd program which typically runs on slave Key Distribution Center (KDC) hosts, potentially leading to compromise of an entire Kerberos realm. For more information please see the MIT krb5 Security Advisory 2005-003.

Solution

Apply patches available from your vendor. Details of the patch are also available from


http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.

Vendor Information

623332
 
Affected   Unknown   Unaffected

MiT Kerberos Development Team

Updated:  July 12, 2005

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

                MIT krb5 Security Advisory 2005-003

Original release: 2005-07-12

Topic: double-free in krb5_recvauth

Severity: CRITICAL

SUMMARY
=======

The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689, VU#623332]

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.

AFFECTED SOFTWARE
=================

* The kpropd daemon in all releases of MIT krb5, up to and including
 krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
 krb5, up to and including krb5-1.4.1, is vulnerable.

* Third-party application programs which call krb5-recvauth() are also
 vulnerable.

FIXES
=====

* The upcoming krb5-1.4.2 release will have a fix for this
 vulnerability.

* Apply the following patch.  This patch was generated against the
 krb5-1.4.1 release.  It may apply, with some offset, to earlier
 releases.

 The patch may also be found at:

 http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt

 The associated detached PGP signature is at:

 http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc

Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c 3 Sep 2002 01:13:47 -0000 5.38
- --- lib/krb5/krb/recvauth.c 23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
      if ((retval = krb5_read_message(context, fd, &inbuf)))
  return(retval);
      if (strcmp(inbuf.data, sendauth_version)) {
- - krb5_xfree(inbuf.data);
  problem = KRB5_SENDAUTH_BADAUTHVERS;
      }
      krb5_xfree(inbuf.data);
- --- 76,81 ----
***************
*** 90,96 ****
  if ((retval = krb5_read_message(context, fd, &inbuf)))
  return(retval);
  if (appl_version && strcmp(inbuf.data, appl_version)) {
- - krb5_xfree(inbuf.data);
  if (!problem)
  problem = KRB5_SENDAUTH_BADAPPLVERS;
  }
- --- 89,94 ----

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

       http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

       http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689

CERT: VU#623332
http://www.kb.cert.org/vuls/id/623332

ACKNOWLEDGMENTS
===============

Thanks to Magnus Hagander for reporting this vulnerability.

DETAILS
=======

The helper function revcauth_common() in lib/krb5/krb/recvauth.c has
two locations which call krb5_read_message(), followed by an
unconditional krb5_xfree() of the buffer allocated by
krb5_read_message().  In the cases where the sendauth version string
or the application version string do not match the expected value,
recvauth_common() performs a krb5_xfree() on the buffer allocated by
krb5_read_message() preceding the subsequent unconditional call to
krb5_xfree() on the same buffer.

Since the code paths which call krb5_xfree() twice do so with almost
no intervening code, exploitation of this vulnerability may be more
difficult than exploitation of other double-free vulnerabilities.  No
detailed analysis has been performed on the ease of exploitation.

REVISION HISTORY
================

2005-05-12      original release

Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQtMbD6bDgE/zdoE9AQGmhQP+MYnmuw4+J3yIcQbS3chjZXVLHebTJJtN
jM5+cMBDQfYdpuoQER1Bbaf+7Ky1BoyX2zHfANzdDAiSFRykbFqEqgvdw9jqEFmx
ela1UtOhV5H80BZAzmGV+dVIqGPpWH0f4ArRe18Pbz2wZE0Vadq9VkBTJwHI23En
K3a9oiHA/XM=
=ZS63
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Vulnerable

Vendor Statement

Red Hat, Inc

This issue affects the Kerberos packages shipped with Red Hat Enterprise
Linux. For Red Hat Enterprise Linux 2.1 and Red Hat Enterprise Linux 3
this issue is critical severity. Please see our advisory for more
information:

https://rhn.redhat.com/errata/RHSA-2005-562.html

Red Hat Enterprise Linux 4 contains checks within glibc that detect
double-free flaws. Therefore on Red Hat Enterprise Linux 4 successful
exploitation of this issue can only lead to a denial of service (KDC
crash) which is important severity. Please see our advisory for more
information:

https://rhn.redhat.com/errata/RHSA-2005-567.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  June 06, 2005 Updated:  July 13, 2005

Status

  Vulnerable

Vendor Statement

Sun is affected by the Kerberos vulnerability described in MIT Advisory MITKRB5-SA-2005-003 and CERT VU#623332. Sun has published Sun Alert 101810 which is available here:


for this issue.

The Sun Alert is currently unresolved but will be updated once either IDRs or T-patches are available on SunSolve. The Sun Alert will ultimately be updated with the released patch information for the final resolution.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Check Point

Notified:  June 06, 2005 Updated:  June 09, 2005

Status

  Not Vulnerable

Vendor Statement

Check Point products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks

Notified:  June 06, 2005 Updated:  June 06, 2005

Status

  Not Vulnerable

Vendor Statement

F5 products do not include a KDC. No F5 products are vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Force10 Networks Inc.

Notified:  June 06, 2005 Updated:  June 07, 2005

Status

  Not Vulnerable

Vendor Statement

Force10 does not implement Kerberos in its products, so we do not need to be listed as a vendor in the vulnerability note.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi

Notified:  May 10, 2005 Updated:  July 12, 2005

Status

  Not Vulnerable

Vendor Statement

NOT VULNERABLE

Hitachi HI-UX/WE2 is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Not Vulnerable

Vendor Statement

Juniper Networks' products do not employ Kerberos in any configuration. Juniper's products are not subject to exploitation via the vulnerability in the MIT krb5 software described in VU#623332.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  June 06, 2005 Updated:  June 06, 2005

Status

  Not Vulnerable

Vendor Statement

At this point, we have determined that there are no Microsoft products affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netfilter

Notified:  June 06, 2005 Updated:  June 09, 2005

Status

  Not Vulnerable

Vendor Statement

netfilter/iptables does not implement kerberos and is therefore not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WatchGuard

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Not Vulnerable

Vendor Statement

WatchGuard believes that it is not affected by this vulnerability. If you have further questions about this or any other security concern with WatchGuard products, please contact:

Steve Fallin
Director, Rapid Response Team
WatchGuard Technologies
http://www.watchguard.com
steve.fallin@watchguard.com
+1.206.521.8340

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Connectiva

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC Corporation

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

HP

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

KTH Kerberos

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva Inc.

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

QNX

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TurboLinux

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  June 06, 2005 Updated:  July 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems

Notified:  June 06, 2005 Updated:  August 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was reported by the MIT Kerberos Development Team. The MIT Kerberos Development Team thanks Magnus Hagander for reporting this vulnerability.

This document was written by Robert Mead based on information in the MIT krb5 Security Advisory 2005-003

Other Information

CVE IDs: CVE-2005-1689
Severity Metric: 13.01
Date Public: 2005-07-12
Date First Published: 2005-07-13
Date Last Updated: 2005-08-08 19:18 UTC
Document Revision: 19

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.